ALTER USER¶
Modifies the properties and object/session parameters for an existing user in the system:
Administrators can use this command to alter properties and parameter defaults for any users for which the administrators have the appropriate privileges.
Individual users can use this command to alter specific properties and any session parameter defaults for themselves. For more details, see Usage Notes (in this topic).
Can also be used to abort all queries (and other SQL statements) submitted by the user.
- See also:
CREATE USER , DROP USER, SHOW PARAMETERS, SHOW USERS , DESCRIBE USER
Syntax¶
ALTER USER [ IF EXISTS ] [ <name> ] RENAME TO <new_name>
ALTER USER [ IF EXISTS ] [ <name> ] RESET PASSWORD
ALTER USER [ IF EXISTS ] [ <name> ] ABORT ALL QUERIES
ALTER USER [ IF EXISTS ] [ <name> ] ADD DELEGATED AUTHORIZATION OF ROLE <role_name> TO SECURITY INTEGRATION <integration_name>
ALTER USER [ IF EXISTS ] [ <name> ] REMOVE DELEGATED { AUTHORIZATION OF ROLE <role_name> | AUTHORIZATIONS } FROM SECURITY INTEGRATION <integration_name>
ALTER USER [ IF EXISTS ] [ <name> ] SET { AUTHENTICATION | PASSWORD | SESSION } POLICY <policy_name>
ALTER USER [ IF EXISTS ] [ <name> ] UNSET { AUTHENTICATION | PASSWORD | SESSION } POLICY
ALTER USER [ IF EXISTS ] [ <name> ] SET TAG <tag_name> = '<tag_value>' [ , <tag_name> = '<tag_value>' ... ]
ALTER USER [ IF EXISTS ] [ <name> ] UNSET TAG <tag_name> [ , <tag_name> ... ]
ALTER USER [ IF EXISTS ] [ <name> ] SET { [ objectProperties ] [ objectParams ] [ sessionParams ] }
ALTER USER [ IF EXISTS ] [ <name> ] UNSET { <object_property_name> | <object_param_name> | <session_param_name> } [ , ... ]
Where:
objectProperties ::= PASSWORD = '<string>' LOGIN_NAME = <string> DISPLAY_NAME = <string> FIRST_NAME = <string> MIDDLE_NAME = <string> LAST_NAME = <string> EMAIL = <string> MUST_CHANGE_PASSWORD = TRUE | FALSE DISABLED = TRUE | FALSE DAYS_TO_EXPIRY = <integer> MINS_TO_UNLOCK = <integer> DEFAULT_WAREHOUSE = <string> DEFAULT_NAMESPACE = <string> DEFAULT_ROLE = <string> DEFAULT_SECONDARY_ROLES = ( 'ALL' ) MINS_TO_BYPASS_MFA = <integer> DISABLE_MFA = TRUE | FALSE RSA_PUBLIC_KEY = <string> RSA_PUBLIC_KEY_FP = <string> RSA_PUBLIC_KEY_2 = <string> RSA_PUBLIC_KEY_2_FP = <string> TYPE = PERSON | SERVICE | LEGACY_SERVICE | NULL COMMENT = '<string>'objectParams ::= ENABLE_PERSONAL_DATABASE = { TRUE | FALSE } ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR = TRUE | FALSE NETWORK_POLICY = <string>sessionParams ::= ABORT_DETACHED_QUERY = TRUE | FALSE AUTOCOMMIT = TRUE | FALSE BINARY_INPUT_FORMAT = <string> BINARY_OUTPUT_FORMAT = <string> DATE_INPUT_FORMAT = <string> DATE_OUTPUT_FORMAT = <string> ERROR_ON_NONDETERMINISTIC_MERGE = TRUE | FALSE ERROR_ON_NONDETERMINISTIC_UPDATE = TRUE | FALSE JSON_INDENT = <num> LOCK_TIMEOUT = <num> QUERY_TAG = <string> ROWS_PER_RESULTSET = <num> S3_STAGE_VPCE_DNS_NAME = <string> SEARCH_PATH = <string> SIMULATED_DATA_SHARING_CONSUMER = <string> STATEMENT_TIMEOUT_IN_SECONDS = <num> STRICT_JSON_OUTPUT = TRUE | FALSE TIMESTAMP_DAY_IS_ALWAYS_24H = TRUE | FALSE TIMESTAMP_INPUT_FORMAT = <string> TIMESTAMP_LTZ_OUTPUT_FORMAT = <string> TIMESTAMP_NTZ_OUTPUT_FORMAT = <string> TIMESTAMP_OUTPUT_FORMAT = <string> TIMESTAMP_TYPE_MAPPING = <string> TIMESTAMP_TZ_OUTPUT_FORMAT = <string> TIMEZONE = <string> TIME_INPUT_FORMAT = <string> TIME_OUTPUT_FORMAT = <string> TRANSACTION_DEFAULT_ISOLATION_LEVEL = <string> TWO_DIGIT_CENTURY_START = <num> UNSUPPORTED_DDL_ACTION = <string> USE_CACHED_RESULT = TRUE | FALSE WEEK_OF_YEAR_POLICY = <num> WEEK_START = <num>
Note
For readability, the complete list of session parameters that can be set for a user is not included here. For a complete list of all session parameters, with their descriptions, as well as account and object parameters, see Parameters.
Parameters¶
name
Specifies the identifier for the user to alter. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.
If the identifier is omitted, the statement modifies the active (i.e. logged in) user. The restrictions described in Usage Notes (in this topic) apply.
RENAME TO new_name
Specifies the new identifier for the user; must be unique for your account.
For more details, see Identifier requirements.
RESET PASSWORD
Generates a URL, which you can share with the user, that opens a web page from which the user can enter a new password. The generated URL is valid for a single use and expires after 4 hours.
Note that specifying this parameter does not invalidate the user’s current password. The user can continue to use their current password until they reset it through the URL.
If you wish to invalidate their current password, use
SET PASSWORD = 'string'
instead, which changes their password to a new value.ABORT ALL QUERIES
Aborts all the queries and other SQL statements currently running or scheduled by the user, regardless of the warehouse on which the queries are running/scheduled.
Note that the user can still log into Snowflake and initiate new queries.
If you want to abort all running/scheduled queries and prevent the user from logging into Snowflake or initiating new queries, specify
SET DISABLED = TRUE
instead.ADD DELEGATED AUTHORIZATION OF ROLE role_name TO SECURITY INTEGRATION integration_name;
Adds user consent to initiate a session using a specified role for a particular integration.
For more details, see Adding Delegated Authorizations for OAuth User Consent.
REMOVE DELEGATED AUTHORIZATION OF ROLE role_name FROM SECURITY INTEGRATION integration_name
, .REMOVE DELEGATED AUTHORIZATIONS FROM SECURITY INTEGRATION integration_name
Revokes consent for the user:
The first syntax revokes consent for a specified security integration for a specified role. This has the effect of revoking any OAuth access token associated with the integration and specific role.
The second syntax revokes all consent from a specified security integration. This has the effect of revoking any OAuth access token associated with the integration.
For more details, see:
{ AUTHENTICATION | PASSWORD | SESSION } POLICY policy_name
Specifies one of the following policies for the user:
TAG tag_name = 'tag_value' [ , tag_name = 'tag_value' , ... ]
Specifies the tag name and the tag string value.
The tag value is always a string, and the maximum number of characters for the tag value is 256.
For information about specifying tags in a statement, see Tag quotas for objects and columns.
Object properties (objectProperties
)¶
SET property_name = property_value [ ... ]
, .UNSET property_name [ , ... ]
Specifies one (or more) object properties to set or unset for the use. Unsetting an object property resets it back to the default.
For more details about the object properties you can set (e.g. PASSWORD, LOGIN_NAME, DEFAULT_ROLE), see CREATE USER.
Note
The EXT_AUTHN_DUO
and EXT_AUTHN_UID
object properties cannot be modified.
To enable or disable multi-factor authentication, modify the user’s DISABLE_MFA
property. When
an account administrator executes the ALTER USER command to set DISABLE_MFA
to TRUE
, the value for the
EXT_AUTHN_DUO
property is automatically set to FALSE
.
Refer to Usage Notes (in this topic) for more general details about setting and unsetting properties.
Object parameters (objectParams
)¶
SET ...
Specifies one (or more) parameters to set for the user (separated by blank spaces, commas, or new lines):
ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR = { TRUE | FALSE }
Controls how queries that fail due to syntax or parsing errors show up in a query history. If FALSE, the contents of a failed query is redacted from the views, pages, and functions that provide a query history.
This parameter controls behavior for the user viewing the query history, not the user who executed the query.
Only users with a role that is granted or inherits the AUDIT privilege can set the ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR parameter.
NETWORK_POLICY = string
Specifies the network policy that is active for the user.
Also, see Usage Notes (in this topic) for more general details about setting and unsetting parameters.
UNSET ...
Specifies the properties to unset for the user, which resets them to the defaults.
NETWORK_POLICY
SESSION POLICY
TAG tag_name [ , tag_name ... ]
Session parameters (sessionParams
)¶
SET session_param_name = param_value [ ... ]
, .UNSET session_param_name [ , ... ]
Specifies one (or more) session parameters to set or unset for the user. Unsetting a session parameter resets it back to the default.
For more details about the session parameters you can set (ABORT_DETACHED_SESSION, AUTOCOMMIT, etc.), see Parameters.
Also, see Usage Notes (in this topic) for more general details about setting and unsetting parameters.
Usage notes¶
Only the role with the OWNERSHIP privilege on the user, or a higher role, can execute this command to modify most user properties.
Tip
When changing a user’s password using
SET PASSWORD = 'string'
, we recommend also specifyingMUST_CHANGE_PASSWORD = TRUE
to force the user to log into the web interface and change their password before they can log into Snowflake through any other interface (e.g. SnowSQL or another client application).Alternatively, use
RESET PASSWORD
to generate a URL to a web page that the user can access to change their password.Individual users can execute the ALTER USER command on themselves (i.e. by specifying their user name/identifier in the command) and change the following:
DEFAULT_WAREHOUSE
DEFAULT_NAMESPACE
DEFAULT_ROLE
Any of their session parameter defaults
Note that users can not use this command to change their password. For security reasons, Snowflake only allows users to change their passwords from within the web interface.
However, an administrator with the appropriate privileges can use this command with
SET PASSWORD = 'string'
to change the password for a user.Tip
When changing a user’s password, we recommend also specifying
MUST_CHANGE_PASSWORD = TRUE
to force the user to log into the web interface and change their password before they can log into Snowflake through any other interface (e.g. SnowSQL or another client application).Alternatively, use
RESET PASSWORD
to generate a URL to a web page that the user can access to change their password.An ALTER USER statement does not verify that default objects (
DEFAULT_WAREHOUSE
,DEFAULT_NAMESPACE
, andDEFAULT_ROLE
) exist. Note thatDEFAULT_SECONDARY_ROLES
does not accept an object name as the value, but an ALTER USER statement does verify that a supported value is specified.You can set and unset multiple object properties and object/session parameters with a single ALTER statement:
When setting multiple properties/parameters, separate them with blank spaces, commas, or new lines.
When unsetting multiple properties/parameters, they must be separated by a comma. Also, when unsetting a property/parameter, specify only the name; specifying a value for the property/parameter will return an error.
If you specify
SET DISABLED = TRUE
for a user:All queries and other SQL statements currently running or scheduled by the user are aborted and the user cannot initiate additional queries.
The user is locked out of Snowflake and cannot log in again.
If you only want to abort all running and scheduled queries/statements for a user, use
ABORT ALL QUERIES
instead.Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
Examples¶
Rename user1
to user2
:
ALTER USER user1 RENAME TO user2;
Set the password for a user named user1
to H8MZRqa8gEe/kvHzvJ+Giq94DuCYoQXmfbb$Xnt
and require the user to change their password
by logging into the Snowflake web interface:
ALTER USER user1 SET PASSWORD = 'H8MZRqa8gEe/kvHzvJ+Giq94DuCYoQXmfbb$Xnt' MUST_CHANGE_PASSWORD = TRUE;
Remove an existing comment from a user:
ALTER USER user1 UNSET COMMENT;