ALTER AUTHENTICATION POLICY¶
Modifies the properties of an authentication policy.
- See also:
CREATE AUTHENTICATION POLICY, DESCRIBE AUTHENTICATION POLICY, DROP AUTHENTICATION POLICY, SHOW AUTHENTICATION POLICIES
Syntax¶
ALTER AUTHENTICATION POLICY <name> RENAME TO <new_name>
ALTER AUTHENTICATION POLICY [ IF EXISTS ] <name> SET
[ AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
[ MFA_AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
[ MFA_ENROLLMENT = { REQUIRED | OPTIONAL } ]
[ CLIENT_TYPES = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
[ SECURITY_INTEGRATIONS = ( '<string_literal>' [ , '<string_literal>' , ... ] ) ]
[ COMMENT = '<string_literal>' ]
ALTER AUTHENTICATION POLICY [ IF EXISTS ] <name> UNSET
[ CLIENT_TYPES ]
[ AUTHENTICATION_METHODS ]
[ SECURITY_INTEGRATIONS ]
[ MFA_AUTHENTICATION_METHODS ]
[ MFA_ENROLLMENT ]
[ COMMENT ]
Parameters¶
name
Specifies the identifier for the authentication policy to alter. If the identifier contains spaces or special characters, you must enclose the string in double quotation marks. Identifiers enclosed in double quotation marks are case-sensitive. The identifier must meet the identifier requirements.
RENAME TO ...
Specifies a new name for an existing authentication policy.
SET ...
Specifies one or more properties to set for the authentication policy, separated by blank spaces, commas, or new lines.
AUTHENTICATION_METHODS = ( 'string_literal' [ , 'string_literal' , ... ] )
Changes the authentication methods that are allowed during login. This parameter accepts one or more of the following values:
Caution
Restricting by authentication method can have unintended consequences, such as blocking driver connections or third-party integrations.
ALL
Allow all authentication methods.
SAML
Allows SAML2 security integrations. If
SAML
is present, an SSO login option appears. IfSAML
is not present, an SSO login option does not appear.PASSWORD
Allows users to authenticate using username and password.
OAUTH
Allows External OAuth.
KEYPAIR
Allows Key pair authentication.
Default:
ALL
.MFA_AUTHENTICATION_METHODS = ( 'string_literal' [ , 'string_literal' , ... ] )
A list of authentication methods that enforce multi-factor authentication (MFA) during login. Authentication methods not listed in this parameter do not prompt for multi-factor authentication.
The following authentication methods support MFA:
SAML
PASSWORD
This parameter accepts one or more of the following values:
SAML
Prompts users for MFA, if they are enrolled in MFA, when authenticating with SAML2 security integrations.
PASSWORD
Prompts users for MFA, if they are enrolled in MFA, when authenticating with a username and password.
Default:
('PASSWORD', 'SAML')
.MFA_ENROLLMENT = { REQUIRED | OPTIONAL }
Changes whether a user must enroll in multi-factor authentication.
REQUIRED
Enforces users to enroll in MFA. If this value is used, then the
CLIENT_TYPES
parameter must includeSNOWFLAKE_UI
, because Snowsight is the only place users can enroll in multi-factor authentication (MFA).OPTIONAL
Users can choose whether to enroll in MFA.
Default:
OPTIONAL
.CLIENT_TYPES = ( 'string_literal' [ , 'string_literal' , ... ] )
Changes which clients can authenticate with Snowflake.
The
CLIENT_TYPES
property of an authentication policy is a best effort method to block user logins based on specific clients. It should not be used as the sole control to establish a security boundary.This property accepts one or more of the following values:
ALL
Allow all clients to authenticate.
SNOWFLAKE_UI
Snowsight or Classic Console, the Snowflake web interfaces.
Caution
If
SNOWFLAKE_UI
is not included in theCLIENT_TYPES list
, MFA enrollment does not work.DRIVERS
Drivers allow access to Snowflake from applications written in supported languages. For example, the Go, JDBC, .NET drivers, and Snowpipe Streaming.
Caution
If
DRIVERS
is not included in theCLIENT_TYPES
list, automated ingestion may stop working.SNOWSQL
A command-line client for connecting to Snowflake.
If a client tries to connect, and the client is not one of the valid
CLIENT_TYPES
, then the login attempt fails. IfCLIENT_TYPES
is unset, any client can connect.Default:
ALL
.SECURITY_INTEGRATIONS = ( 'string_literal' [ , 'string_literal' , ... ] )
Changes the security integrations that the authentication policy is associated with. This parameter has no effect when
SAML
orOAUTH
are not in theAUTHENTICATION_METHODS
list.All values in the
SECURITY_INTEGRATIONS
list must be compatible with the values in theAUTHENTICATION_METHODS
list. For example, ifSECURITY_INTEGRATIONS
contains a SAML security integration, andAUTHENTICATION_METHODS
containsOAUTH
, then you cannot create the authentication policy.ALL
Allow all security integrations.
Default:
ALL
.COMMENT = 'string_literal'
Changes the comment for the authentication policy.
UNSET ...
Specifies the properties to unset for the authentication policy, which resets them to their defaults.
Access control requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
---|---|---|
OWNERSHIP |
Authentication policy |
Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed. |
The USAGE privilege on the parent database and schema are required to perform operations on any object in a schema.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes¶
If you want to update an existing authentication policy and need to see the definition of the policy, run the DESCRIBE AUTHENTICATION POLICY command or GET_DDL function.
Examples¶
Alter the list of allowed clients on an authentication policy:
ALTER AUTHENTICATION POLICY restrict_client_types_policy SET CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL');