snowflake-enterprise-rbac

# Snowflake Enterprise RBAC ## Overview Configure enterprise-grade access control using Snowflake's system-defined roles, custom role hierarchies, SSO via SAML/OIDC, and SCIM for automated user provisioning. ## Snowflake System Roles | Role | Purpose | Use For | |------|---------|---------| | ACCOUNTADMIN | Top-level admin | Billing, resource monitors, replication | | SECURITYADMIN | Security management | Users, roles, grants, network policies | | SYSADMIN | Object management | Databases, warehouses, schemas, tables | | USERADMIN | User management | Create users and roles | | PUBLIC | Default for all users | Minimal access, applied automatically | **Best Practice:** Never use ACCOUNTADMIN as a default role. Create custom roles and grant them to SYSADMIN. ## Instructions ### Step 1: Design Custom Role Hierarchy ```sql -- Functional roles (what people do) CREATE ROLE DATA_ENGINEER; CREATE ROLE DATA_ANALYST; CREATE ROLE DATA_SCIENTIST; CREATE ROLE BI_VIEWER; CREATE ROLE APP_SERVICE; -- Service accounts -- Access roles (what they can access) CREATE ROLE RAW_DATA_READER; CREATE ROLE CURATED_DATA_READER; CREATE ROLE CURATED_DATA_WRITER; CREATE ROLE GOLD_DATA_READER; -- Role hierarchy (bottom-up) -- BI_VIEWER → GOLD_DATA_READER -- DATA_ANALYST → CURATED_DATA_READER + GOLD_DATA_READER -- DATA_SCIENTIST → DATA_ANALYST + RAW_DATA_READER -- DATA_ENGINEER → all access roles -- All custom roles → SYSADMIN GRANT ROLE GOLD_DATA_READER TO ROLE BI_VIEWER; GRANT RO...