Snowflake's approach to access control combines two models: DAC and RBAC.
1. Discretionary Access Control (DAC): each object has an owner, who can in turn grant access to that object.
2. Role-based Access Control (RBAC): access privileges are assigned to roles, which are in turn assigned to users.
Key concepts for understanding Snowflake access control:
Securable objects: the objects on which access can be granted. They are either account-level objects (warehouses, databases, etc.) or schema-level objects (tables, views, file formats, etc.).
Role: the entity to which privileges (such as CREATE or SELECT) are granted. Roles can be granted to other roles to build a role hierarchy.
Privilege: defines the level of access to an object; one or more privileges can be granted on a single object.
User: an identity recognized by Snowflake; it can represent a person or a program.
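The following Snowflake SQL script is an added example, not part of the original post, showing the two models side by side on one table: RBAC (privileges reach a user only through a role) and DAC (the role that owns the table, not an administrator, decides who may read it). All object, role and user names are made up, and the user ALICE and the warehouse ANALYTICS_WH are assumed to exist already.

```sql
-- Added example (not from the original post). Assumed names:
-- database SALES, schema RAW, table ORDERS, roles DATA_OWNER and ANALYST,
-- existing user ALICE and existing warehouse ANALYTICS_WH.

-- RBAC: roles are created by a role holding CREATE ROLE (USERADMIN by default).
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS DATA_OWNER;
CREATE ROLE IF NOT EXISTS ANALYST;
GRANT ROLE ANALYST TO USER ALICE;        -- privileges reach users only via roles
GRANT ROLE DATA_OWNER TO ROLE SYSADMIN;  -- lets the admin below switch to DATA_OWNER

-- SYSADMIN creates the securable objects and therefore owns them.
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS SALES;
CREATE SCHEMA IF NOT EXISTS SALES.RAW;
CREATE TABLE IF NOT EXISTS SALES.RAW.ORDERS (ID NUMBER, AMOUNT NUMBER);

-- DAC: ownership is itself a grantable privilege. Hand the table to
-- DATA_OWNER; COPY CURRENT GRANTS keeps any existing grants on it in place.
GRANT OWNERSHIP ON TABLE SALES.RAW.ORDERS TO ROLE DATA_OWNER COPY CURRENT GRANTS;
-- The owner also needs USAGE on the containers to reach its own table.
GRANT USAGE ON DATABASE SALES TO ROLE DATA_OWNER;
GRANT USAGE ON SCHEMA SALES.RAW TO ROLE DATA_OWNER;

-- DAC in action: the owning role decides who may read the table.
USE ROLE DATA_OWNER;
GRANT SELECT ON TABLE SALES.RAW.ORDERS TO ROLE ANALYST;

-- A SELECT grant alone is not enough: ANALYST must also see the database and
-- schema and be able to run on a warehouse. Grant USAGE only, nothing more.
USE ROLE SYSADMIN;
GRANT USAGE ON DATABASE SALES TO ROLE ANALYST;
GRANT USAGE ON SCHEMA SALES.RAW TO ROLE ANALYST;
GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE ANALYST;

-- Checks: who holds what on the table, and what ANALYST can do in total.
SHOW GRANTS ON TABLE SALES.RAW.ORDERS;  -- expect OWNERSHIP -> DATA_OWNER, SELECT -> ANALYST
SHOW GRANTS TO ROLE ANALYST;
```

The two SHOW GRANTS statements are the check worth keeping: the first confirms that ownership moved and that only SELECT was handed out, the second confirms that ANALYST holds nothing beyond USAGE on the containers and the warehouse plus the one SELECT.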
Roles Assigned to Users in Snowflake
In Snowflake there are two types of roles: system-defined roles and custom roles.
1. System-defined roles: the roles Snowflake provides for managing the different aspects of the account.
Accountadmin: the account administrator can manage all the aspects of the account. This is the top level role in the system, and should be granted to a limited number of users in your account.
Sysadmin: the system administrator can create and manage databases and warehouses.
Securityadmin: the security administrator can create and manage security aspects of the account such as: creating network policies, etc.
Useradmin: the user administrator can only create and manage the users and their roles.
Public: the public role is automatically available to every user in the account.
2. Custom roles
Any role other than the system-defined roles is a custom role and can be created by the system administrator (sysadmin).
By default, a newly created role is not assigned to any user and is not granted to any other role.
A custom role is a lower-level role, and all the permissions of a lower-level role are inherited by the role above it. Accountadmin, being at the top of the hierarchy, inherits everything below it.
A custom role located higher in the hierarchy inherits everything from the custom roles located below it.
Custom roles are usually created for the owners of the objects in the system, and exactly as with the hierarchy of the administrator roles, custom roles have their own hierarchy; the top-most custom role is granted to sysadmin.
This role hierarchy allows the system administrators to manage all the objects in the account, such as database objects, warehouse objects, etc.
The management of users and roles is strictly restricted to the security administrator (securityadmin) and account administrator (accountadmin) roles.
Role Hierarchy and Privilege Inheritance
Directly under accountadmin there are two roles: securityadmin and sysadmin.
Under securityadmin sit the useradmin role and the public role.
Under sysadmin we create the custom roles; they are granted up to sysadmin, and sysadmin in turn is granted to accountadmin.
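As an added example that is not part of the original post, the script below builds the hierarchy just described: two custom roles chained bottom-up into sysadmin, roles and users handled under useradmin, objects and privileges handled under sysadmin, followed by the checks that show inheritance and an audit query for accountadmin holders. All names (FINANCE_READER, FINANCE_ENGINEER, user BOB, database FINANCE, schema LEDGER, warehouse FINANCE_WH) are made up; the password is a placeholder.

```sql
-- Added example (not from the original post). Assumed names:
-- roles FINANCE_READER (bottom) and FINANCE_ENGINEER (above it), user BOB,
-- database FINANCE, schema LEDGER, warehouse FINANCE_WH.

-- Roles and users are managed under SECURITYADMIN/USERADMIN, not SYSADMIN.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS FINANCE_READER;
CREATE ROLE IF NOT EXISTS FINANCE_ENGINEER;
CREATE USER IF NOT EXISTS BOB
    PASSWORD = '<initial-password-placeholder>'
    MUST_CHANGE_PASSWORD = TRUE
    DEFAULT_ROLE = FINANCE_READER;

-- Build the custom hierarchy bottom-up: READER -> ENGINEER -> SYSADMIN.
-- A role granted to another role passes all its privileges upward, so
-- SYSADMIN (and ACCOUNTADMIN above it) can manage everything created here.
GRANT ROLE FINANCE_READER   TO ROLE FINANCE_ENGINEER;
GRANT ROLE FINANCE_ENGINEER TO ROLE SYSADMIN;
-- A user gets the lowest role that covers the job, never a system role.
GRANT ROLE FINANCE_READER TO USER BOB;

-- Objects and their privileges are handled by SYSADMIN.
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS FINANCE;
CREATE SCHEMA IF NOT EXISTS FINANCE.LEDGER;
CREATE WAREHOUSE IF NOT EXISTS FINANCE_WH WAREHOUSE_SIZE = XSMALL AUTO_SUSPEND = 60;

-- Reader: read-only access, including tables created later in the schema.
GRANT USAGE ON WAREHOUSE FINANCE_WH TO ROLE FINANCE_READER;
GRANT USAGE ON DATABASE FINANCE TO ROLE FINANCE_READER;
GRANT USAGE ON SCHEMA FINANCE.LEDGER TO ROLE FINANCE_READER;
GRANT SELECT ON ALL TABLES IN SCHEMA FINANCE.LEDGER TO ROLE FINANCE_READER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA FINANCE.LEDGER TO ROLE FINANCE_READER;
-- Engineer: everything the reader has (inherited) plus the ability to create.
GRANT CREATE TABLE, CREATE VIEW ON SCHEMA FINANCE.LEDGER TO ROLE FINANCE_ENGINEER;

-- Checks. SHOW GRANTS TO ROLE lists direct grants only; inherited privileges
-- stay listed under the lower role, so walk the chain with SHOW GRANTS OF ROLE.
SHOW GRANTS TO ROLE FINANCE_ENGINEER;  -- CREATE TABLE/VIEW plus USAGE of FINANCE_READER
SHOW GRANTS OF ROLE FINANCE_READER;    -- granted to: FINANCE_ENGINEER and user BOB

-- Audit: ACCOUNTADMIN should be held by very few users. Needs a role that can
-- read the SNOWFLAKE database (ACCOUNTADMIN by default); ACCOUNT_USAGE data
-- lags live state by up to a couple of hours.
USE ROLE ACCOUNTADMIN;
SELECT grantee_name, granted_by, created_on
FROM   snowflake.account_usage.grants_to_users
WHERE  role = 'ACCOUNTADMIN' AND deleted_on IS NULL
ORDER BY created_on;
```

Two points the script makes explicit: granting FINANCE_ENGINEER to SYSADMIN is what lets the administrators "manage all the objects" without holding any custom role directly, and the final query is the routine check that turns the advice about limiting accountadmin into something you can verify.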
Author: Dany Ovy