SQL<\/span><\/div>\n\n\n\nA role in its turn, can be given to a user, or to another role. When you give a role to another role, you can effectively create a hierarchy of roles. E.g. ROLE_1 can see edit everything in a certain account, ROLE_2 is at a lower level in the hierarchy and can only see and edit certain databases, etc.<\/p>\n\n\n\n
Now, why would you care about this? Why is this important?<\/p>\n\n\n\n
Because, this gives you the opportunity to have granular control over who sees what! If you want really granular control, you could even create a role that only has access to a certain table, and create a row access policy (similar to Power BI Row-Level Security) that allows the role to only see certain records in that table.<\/p>\n\n\n\n
Another key advantage is that because of the DAC model, users are by default in control of the objects they have created, which helps with self service BI.<\/p>\n\n\n\n
One last advantage that I\u2019ll mention is that privilege inheritance in Snowflake’s role hierarchy is a powerful feature that simplifies access management and reduces administrative overhead. Put simply, when you create a role at a lower level (ROLE_LOWER) that has access to certain databases and you assign this role to a role higher in the hierarchy (ROLE_HIGHER), the ROLE_HIGHER inherits all privileges from ROLE_LOWER and you do not need to assign all the privileges all over again to ROLE_HIGHER. The privileges will simply be inherited by virtue of assigning ROLE_LOWER to ROLE_HIGHER which saves a lot of work. I will give an example of this in the next post.<\/p>\n\n\n\n
Organization<\/p>\n\n\n\n
\u2502<\/p>\n\n\n\n
Account<\/p>\n\n\n\n
\u2502<\/p>\n\n\n\n
\u251c\u2500\u2500 Users<\/p>\n\n\n\n
\u251c\u2500\u2500 Roles<\/p>\n\n\n\n
\u251c\u2500\u2500 Warehouses<\/p>\n\n\n\n
\u251c\u2500\u2500 Resource Monitors<\/p>\n\n\n\n
\u251c\u2500\u2500 Shares<\/p>\n\n\n\n
\u251c\u2500\u2500 Account Parameters<\/p>\n\n\n\n
\u251c\u2500\u2500 Network Policies<\/p>\n\n\n\n
\u251c\u2500\u2500 Account Usage<\/p>\n\n\n\n
\u251c\u2500\u2500 Storage Integrations<\/p>\n\n\n\n
\u251c\u2500\u2500 Notification Integrations<\/p>\n\n\n\n
\u251c\u2500\u2500 Security Integrations<\/p>\n\n\n\n
\u2502<\/p>\n\n\n\n
\u2514\u2500\u2500 Databases<\/p>\n\n\n\n
\u2502<\/p>\n\n\n\n
\u2514\u2500\u2500 Schemas<\/p>\n\n\n\n
\u2502<\/p>\n\n\n\n
\u251c\u2500\u2500 Tables<\/p>\n\n\n\n
\u251c\u2500\u2500 Views<\/p>\n\n\n\n
\u251c\u2500\u2500 Materialized Views<\/p>\n\n\n\n
\u251c\u2500\u2500 External Tables<\/p>\n\n\n\n
\u251c\u2500\u2500 Sequences<\/p>\n\n\n\n
\u251c\u2500\u2500 File Formats<\/p>\n\n\n\n
\u251c\u2500\u2500 Stages<\/p>\n\n\n\n
\u2502 \u251c\u2500\u2500 Internal Stages<\/p>\n\n\n\n
\u2502 \u2514\u2500\u2500 External Stages<\/p>\n\n\n\n
\u251c\u2500\u2500 Pipes<\/p>\n\n\n\n
\u251c\u2500\u2500 Streams<\/p>\n\n\n\n
\u251c\u2500\u2500 Tasks<\/p>\n\n\n\n
\u251c\u2500\u2500 Procedures<\/p>\n\n\n\n
\u251c\u2500\u2500 Functions<\/p>\n\n\n\n
\u2502 \u251c\u2500\u2500 User-Defined Functions (UDFs)<\/p>\n\n\n\n
\u2502 \u2514\u2500\u2500 External Functions<\/p>\n\n\n\n
\u2514\u2500\u2500 Masking Policies<\/p>\n","protected":false},"excerpt":{"rendered":"
In Snowflake objects are hierarchically ordered. This means that at the top you will find the organization, then the account all the way down until you\u2019re at the level of tables. A graphical representation of this hierarchy is provided at the end of the post. This hierarchy is important when discussing the security of Snowflake.…<\/p>\n
Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[15,40],"class_list":["post-607","post","type-post","status-publish","format-standard","hentry","category-blog","tag-cybersecurity","tag-snowflake"],"_links":{"self":[{"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/posts\/607","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/comments?post=607"}],"version-history":[{"count":3,"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/posts\/607\/revisions"}],"predecessor-version":[{"id":610,"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/posts\/607\/revisions\/610"}],"wp:attachment":[{"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/media?parent=607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/categories?post=607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/datadandies.nl\/index.php\/wp-json\/wp\/v2\/tags?post=607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}