Organization accounts¶
An organization account is a special type of account that organization administrators use to perform tasks that affect the entire organization. For example, administrators use the organization account to do the following:
View organization-level data collected from all accounts in the organization, including the query history from each account.
Enable Snowflake Marketplace terms for the entire organization.
Manage the lifecycle of accounts in an organization, including creating and deleting accounts.
Enable replication for an account.
Before this preview, administrators needed to perform these organization-level tasks using an account that had the ORGADMIN role enabled. These ORGADMIN-enabled accounts are different from the organization account. Unlike the classic approach where an organization might have multiple ORGADMIN-enabled accounts, there is only one organization account.
During the preview of organization accounts, organization administrators can still use an ORGADMIN-enabled account to manage the lifecycle of accounts (for example, creating and deleting accounts). After organization accounts become generally available, there will be a transition period, after which administrators will use the organization account for all organization-level tasks.
Note
Though, in most cases, there are not any limitations on what actions can be performed in an organization account, it is intended to be used primarily for organization-level tasks, and not for analytics or other workloads.
About administrator roles and assignable privileges¶
Organization administrators use the GLOBALORGADMIN role in the organization account to perform all organization-level tasks, including administration of the organization account itself. The GLOBALORGADMIN role has all of the privileges of the ORGADMIN role along with the privileges that are associated with the ACCOUNTADMIN role in a regular account.
The GLOBALORGADMIN role can assign privileges to other roles to let other users perform organization-level tasks. In the organization account, the GLOBALORGADMIN role can assign the following privileges:
APPLY TAG
MANAGE ACCOUNTS
MANAGE LISTING AUTO FULFILLMENT
MANAGE ORGANIZATION CONTACTS
MANAGE ORGANIZATION TERMS
PURCHASE DATA EXCHANGE LISTING
These privileges are set on the account level. For example, to assign the MANAGE ACCOUNTS privilege to the role custom_role
, execute the
following:
USE ROLE GLOBALORGADMIN;
GRANT MANAGE ACCOUNTS ON ACCOUNT TO custom_role;
For more information about these privileges, see Access control privileges.
Create the organization account¶
Note
Creating the organization account results in the ORGANIZATION_USAGE schema being populated with data, which incurs additional costs for your organization.
To create the organization account:
Choose an existing account from which you will create the organization account. This existing account must have the ORGADMIN role enabled.
Sign in to the account you are using to create the organization account.
Switch to the ORGADMIN role. For example:
USE ROLE ORGADMIN;
Execute the CREATE ORGANIZATION ACCOUNT command. For example:
CREATE ORGANIZATION ACCOUNT myorgaccount ADMIN_NAME = admin ADMIN_PASSWORD = 'TestPassword1' EMAIL = 'myemail@myorg.org' MUST_CHANGE_PASSWORD = true EDITION = enterprise;
Note
Snowflake does not support custom account locators for organization accounts. For alternatives, contact your Snowflake representative.
Delete the organization account¶
If you need to delete the organization account, contact Snowflake Support.
Move the organization account to a different region¶
You can move an organization account between regions as long as those regions are in either the PUBLIC region group or a VPS region group.
Snowflake uses replication groups to move objects from the organization account in the source region to the organization account in the new region. As a result, only objects that can be replicated are moved with the organization account. For a list of objects that can be moved with the organization account, see Replicated objects.
Moving the organization account to a different region is a two-step process:
Call the SYSTEM$INITIATE_MOVE_ORGANIZATION_ACCOUNT function from the organization account to start the process of moving it. Snowflake begins replicating objects to the new region.
The function accepts a temporary account name, the new region, and a list of objects to move as its arguments. For example:
CALL SYSTEM$INITIATE_MOVE_ORGANIZATION_ACCOUNT( 'MY_TEMP_NAME', 'aws_us_west_2', 'ALL');
When you have verified that the data in the organization account has been successfully replicated in the new region, call the SYSTEM$COMMIT_MOVE_ORGANIZATION_ACCOUNT function to finalize the move, specifying a grace period after which the original organization account is deleted.
For example, the following call finalizes the move, and specifies that the original organization account in the source region will be deleted after 14 days.
CALL SYSTEM$COMMIT_MOVE_ORGANIZATION_ACCOUNT(14);
At any point, you can view the status of an attempt to move an organization account by calling the SYSTEM$SHOW_MOVE_ORGANIZATION_ACCOUNT_STATUS function.
Note
When an organization account is moved, the views in the ORGANIZATION_USAGE schema must be repopulated with data, a process that can take up to one week.
Views in the ORGANIZATION_USAGE schema¶
Like regular accounts, the organization account has an ORGANIZATION_USAGE schema in the shared SNOWFLAKE database that contains usage data.
Most views in the ORGANIZATION_USAGE schema correspond to a view in the ACCOUNT_USAGE schema. For example, the ALERT_HISTORY view in both schemas contains data about alerts. The view in the ORGANIZATION_USAGE schema consolidates data from the corresponding account-level view of each account, allowing you to query usage data for all accounts from one view.
The ORGANIZATION_USAGE schema in an organization account contains more views than the ORGANIZATION_USAGE schema in a regular account, which allows you to gain additional insights into aggregated account usage across accounts. For example, the organization account allows you to use a single view to track access history across the organization, something you cannot do in a regular account. These additional views are considered premium views, and incur additional costs.
Note
It can take two weeks from the time an organization account was created until the ORGANIZATION_USAGE schema is fully populated with historical data from accounts.
Grant access to the Organization Usage views¶
By default, only users who have been granted the GLOBALORGADMIN role can access the views in the ORGANIZATION_USAGE schema of an organization account. To grant access to other users, the organization administrator can grant the appropriate application role to an account role or user. In an organization account, privileges to views are granted using application roles, not database roles.
Users who have been granted the ORG_USAGE_ADMIN application role can access all views in the ORGANIZATION_USAGE schema of the organization
account. The following example lets user joe
access all views in the schema:
USE ROLE GLOBALORGADMIN;
GRANT APPLICATION ROLE ORG_USAGE_ADMIN TO ROLE custom_role;
GRANT ROLE custom_role TO USER joe;
The organization administrator can also grant access on a more granular level. For example, the ORGANIZATION_OBJECT_VIEWER application role grants access to the DATABASES view, but does not grant access to the TASK_HISTORY view. For a list of the application role required to access a specific view, see ORGANIZATION_USAGE Views.
Costs associated with the ORGANIZATION_USAGE schema¶
The premium views in the ORGANIZATION_USAGE schema of the organization account (that is, views that don’t exist in regular accounts) incur the following costs:
Compute costs associated with the serverless tasks that populate the views.
Storage costs associated with storing the data in the views.
Note
If you want to avoid these costs by removing data from the ORGANIZATION_USAGE schema, contact Snowflake Support.
You can use the following queries to return the historical costs associated with the ORGANIZATION_USAGE schema in the organization account.
- Compute costs
If you have access to the USAGE_IN_CURRENCY_DAILY view in the ORGANIZATION_USAGE schema, you can execute the following query to determine the cost of populating the views. You must execute the query in the organization account.
SELECT * FROM snowflake.organization_usage.usage_in_currency_daily WHERE usage_type = 'organization usage';
- Storage costs
If you have access to the TABLE_STORAGE_METRICS view in the ACCOUNT_USAGE schema, you can execute the following query to determine the approximate amount of storage in TBs. You must execute the query in the organization account.
SELECT SUM(active_bytes + time_travel_bytes + failsafe_bytes + retained_for_clone_bytes) / pow(1000, 4) AS org_usage_approx_storage_tb FROM snowflake.account_usage.table_storage_metrics WHERE 1=1 AND table_schema = 'ORGANIZATION_USAGE_LOCAL';
Effect on views in the ACCOUNT_USAGE schema¶
Snowflake uses the hidden schema snowflake.organization_usage_local
to store internal objects used in conjunction with the
ORGANIZATION_USAGE schema (for example, tables, procedures, and tasks). These objects might be visible in the ACCOUNT_USAGE views in the
organization account. Because these objects are internal, they might change without notice in the future.
Differences between account-level and organization-level views¶
The only differences between a new view in the ORGANIZATION_USAGE schema and the corresponding view in the ACCOUNT_USAGE schema are the following:
The addition of a few columns.
The latency of the view.
Whether older data is removed from the view.
New columns¶
The majority of the columns in ORGANIZATION_USAGE views are identical to the columns in the corresponding ACCOUNT_USAGE views. The following columns have been added to the organization-level views:
Column |
Data type |
Description |
Views |
---|---|---|---|
ORGANIZATION_NAME |
VARCHAR |
Name of the organization. |
All |
ACCOUNT_NAME |
VARCHAR |
User-defined identifier for an account. |
All |
ACCOUNT_LOCATOR |
VARCHAR |
System-defined identifier for an account. |
All |
PROVIDER_BASE_ACCESSED_OBJECTS |
ARRAY |
Specifies base data objects in the provider’s account that were accessed by a consumer query. |
ACCESS_HISTORY |
PROVIDER_POLICIES_REFERENCED |
ARRAY |
If a consumer query accessed base objects that are protected by a policy (for example, a masking policy) in the provider’s account, the column lists the policy. |
ACCESS_HISTORY |
For more information about the PROVIDER_BASE_ACCESSED_OBJECTS and PROVIDER_POLICIES_REFERENCED columns, see Organizational listing governance.
Latency¶
It might take up to 24 hours for a view in the ORGANIZATION_USAGE schema to be updated. This might differ from the latency of the corresponding view in the ACCOUNT_USAGE schema.
Older data¶
Unlike account-level views, the organization-level views continue to add new data without replacing older data. For example, the ACCOUNT_USAGE.ALERT_HISTORY view never contains data older than 365 days whereas the ORGANIZATION_USAGE.ALERT_HISTORY continues to add data without removing older data, so it can contain data that is older than 365 days.
ORGANIZATION_USAGE Views¶
The ORGANIZATION_USAGE schema in the organization account contains the following views.
Granting the required application role to a user provides them access to the view. For more information about granting these application roles, see Grant access to the Organization Usage views.
View |
Description |
Required application role |
---|---|---|
Displays the access history for queries in the organization. |
ORGANIZATION_GOVERNANCE_VIEWER |
|
Displays the accounts in an organization. |
ORGANIZATION_ACCOUNTS_VIEWER |
|
Displays the history of alert usage. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the history of automatic clustering. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each class in an organization. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each instance of a class defined in an organization. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each column in the tables defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the status of completed graph runs, such as runs that executed successfully, failed, or were cancelled. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays contract information for an organization. |
ORGANIZATION_BILLING_VIEWER |
|
Displays load activity for both COPY INTO <table> statements and continuous data loading using Snowpipe. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the average daily storage usage, in bytes, for databases in the . |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each database defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the daily total of data transferred from Snowflake tables into a different cloud storage provider’s network and/or geographical region. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the history of data transferred from Snowflake tables into a different cloud storage provider’s network and/or geographical region. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each file format defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays a row for each user-defined function (UDF) defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays access control privileges that have been granted to a role. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays the roles that have been granted to a user. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays estimates that help determine the costs associated with Cross-Cloud Auto-Fulfillment. |
ORGANIZATION_BILLING_VIEWER |
|
Displays the history of data loaded into tables using the COPY INTO <table> command. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the history of transactions that wait on locks. |
ORGANIZATION_USAGE_VIEWER |
|
Displays login attempts by Snowflake users. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays the history of your earnings from paid listings in the Snowflake Marketplace. |
ORGANIZATION_BILLING_VIEWER |
|
Displays daily history of your usage of paid listings from the Snowflake Marketplace. |
ORGANIZATION_USAGE_VIEWER |
|
MARKETPLACE_PURCHASE_EVENTS view |
ORGANIZATION_BILLING_VIEWER |
|
Displays the masking policies in an organization. |
ORGANIZATION_GOVERNANCE_VIEWER |
|
Displays the refresh history of materialized views. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the credit usage for an organization on a given day. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the history of daily consumer usage for each listing in the Snowflake Marketplace, including charges accumulated for the usage. |
ORGANIZATION_USAGE_VIEWER |
|
Displays one row for each object dependency. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the user-defined password policies in an organization. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays the history of data loaded into Snowflake tables using Snowpipe. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each pipe defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays policy objects and their references in an organization. |
ORGANIZATION_GOVERNANCE_VIEWER |
|
Displays a row for each stored procedure defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays queries that are eligible for the query acceleration service. |
ORGANIZATION_GOVERNANCE_VIEWER |
|
Displays the history of queries accelerated by the query acceleration service. |
|
|
Displays the various dimensions (time range, session, user, warehouse, etc.) of the Snowflake query history. |
ORGANIZATION_GOVERNANCE_VIEWER |
|
Displays the effective rates used for calculating usage in the organization currency based on credits used for all Snowflake accounts in your organization. |
ORGANIZATION_BILLING_VIEWER |
|
Displays a row for each referential integrity constraint defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the daily remaining balance and on demand consumption daily for an organization. |
ORGANIZATION_BILLING_VIEWER |
|
Displays the refresh history for a specified replication or failover group. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the replication history for a specified replication or failover group. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the replication history for a specified database. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the resource monitors that have been created in the reader accounts managed by an account. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays a list of all access control roles defined in an organization. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays a row for each row access policy defined in an organization. |
ORGANIZATION_GOVERNANCE_VIEWER |
|
Displays a row for each schema in the account except the ACCOUNT_USAGE, READER_ACCOUNT_USAGE, and INFORMATION_SCHEMA schemas. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the history of using the search optimization service. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each sequence defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the session policies in an organization. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays information about sessions, including information on the authentication method to Snowflake and the Snowflake login event. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays the amount of time spent loading data into Snowflake tables using Snowpipe Streaming. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the average daily data storage usage, in bytes, for all the Snowflake internal stages in the organization. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each stage defined in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the average daily storage usage, in bytes, for all accounts in the organization. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each referential integrity constraint defined for the tables in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays table-level storage utilization information, which is used to calculate the storage billing for each table in an organization, including tables that have been dropped, but are still incurring storage costs. |
ORGANIZATION_USAGE_VIEWER |
|
Displays a row for each table and view in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the associations between objects and tags. |
ORGANIZATION_GOVERNANCE_VIEWER |
|
Displays the tags in an organization. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the history of task usage. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the history of task versions. The returned rows indicate the tasks that comprised a task graph and their properties at a given time. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the daily credit usage and usage in currency for an organization. |
ORGANIZATION_BILLING_VIEWER |
|
Displays a list of all users in an organization. |
ORGANIZATION_SECURITY_VIEWER |
|
Displays a row for each view in an organization, not including the views in the ACCOUNT_USAGE, READER_ACCOUNT_USAGE, and INFORMATION_SCHEMA schemas. |
ORGANIZATION_OBJECT_VIEWER |
|
Displays the events that have been triggered for the single-cluster and multi-cluster warehouses in an organization. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the workload on your warehouse. |
ORGANIZATION_USAGE_VIEWER |
|
Displays the hourly credit usage for one or more warehouses across all the accounts in your organization. |
ORGANIZATION_USAGE_VIEWER |
[1] For differences between the ACCESS_HISTORY view in the organization account and the ACCESS_HISTORY view in the ACCOUNT_USAGE schema, see Organizational listing governance.