Organization accounts¶
The organization account is a special type of account that organization administrators use to perform tasks that affect the entire organization. For example, administrators use the organization account to do the following:
View organization-level data collected from all accounts in the organization, including the query history from each account.
Enable Snowflake Marketplace terms for the entire organization.
Manage the lifecycle of accounts in an organization, including creating and deleting accounts.
Enable replication for an account.
Manage Organization users and user groups for all accounts, or a subset of accounts, in an organization.
There is only one organization account for an organization.
Features available for an ORGADMIN-enabled account¶
This section describes features that become available when you enable the ORGADMIN role in an account.
See the following sections for more information about each feature:
Organization users and user groups¶
Organizations with more than one account sometimes need someone to manage a user or role in multiple accounts. If you don’t want to create a separate user or role in each account, then you can create an organization user and organization user group in an organization account.
For more information, see Organization users.
About administrator roles and assignable privileges¶
Organization administrators use the GLOBALORGADMIN role in the organization account to perform all organization-level tasks, including administration of the organization account itself.
Note
Before the introduction of the organization account, organization administrators used the ORGADMIN role in an ORGADMIN-enabled account to perform organization-level tasks. Using the ORGADMIN role in an ORGADMIN-enabled account is being phased out. Use the GLOBALORGADMIN role in the organization account to perform organization-level tasks.
Snowflake will send a notification email to customers at least three months prior to phasing out the ORGADMIN role.
The GLOBALORGADMIN role can assign privileges to other roles to let other users perform organization-level tasks. In the organization account, the GLOBALORGADMIN role can assign the following privileges:
APPLY TAG
MANAGE ACCOUNTS
MANAGE LISTING AUTO FULFILLMENT
MANAGE ORGANIZATION CONTACTS
MANAGE ORGANIZATION TERMS
PURCHASE DATA EXCHANGE LISTING
These privileges are set on the account level. For example, to assign the MANAGE ACCOUNTS privilege to the role custom_role, execute the
following:
USE ROLE GLOBALORGADMIN;
GRANT MANAGE ACCOUNTS ON ACCOUNT TO custom_role;
For more information about these privileges, see Access control privileges.
Create the organization account¶
Note
Creating the organization account results in the ORGANIZATION_USAGE schema being populated with data, which incurs additional costs for your organization.
To create the organization account:
Choose an existing account from which you will create the organization account. This existing account must have the ORGADMIN role enabled.
Sign in to the account you are using to create the organization account.
Switch to the ORGADMIN role. For example:
USE ROLE ORGADMIN;
Execute the CREATE ORGANIZATION ACCOUNT command. For example:
CREATE ORGANIZATION ACCOUNT myorgaccount ADMIN_NAME = admin ADMIN_PASSWORD = 'TestPassword1' EMAIL = 'myemail@myorg.org' MUST_CHANGE_PASSWORD = true EDITION = enterprise;
Note
Snowflake does not support custom account locators for organization accounts. For alternatives, contact your Snowflake representative.
Delete the organization account¶
If you want to drop the organization account in your multi-account organization, then contact Snowflake Support.
Note
New functionality in Snowflake that includes organization-level administrative tasks will require an organization account. If you are concerned about the costs associated with premium views, contact Snowflake Support to request that they be disabled instead of deleting the account.
Move the organization account to a different region¶
You can move an organization account between regions as long as those regions are in either the PUBLIC region group or a VPS region group.
Snowflake uses replication groups to move objects from the organization account in the source region to the organization account in the new region. As a result, only objects that can be replicated are moved with the organization account and there are replication costs associated with the move. For a list of objects that can be moved with the organization account, see Replicated objects.
Moving the organization account to a different region is a two-step process:
Call the SYSTEM$INITIATE_MOVE_ORGANIZATION_ACCOUNT function from the organization account to start the process of moving it. Snowflake begins replicating objects to the new region.
The function accepts a temporary account name, the new region, and a list of objects to move as its arguments. For example:
CALL SYSTEM$INITIATE_MOVE_ORGANIZATION_ACCOUNT( 'MY_TEMP_NAME', 'aws_us_west_2', 'ALL');
When you have verified that the data in the organization account has been successfully replicated in the new region, call the SYSTEM$COMMIT_MOVE_ORGANIZATION_ACCOUNT function to finalize the move, specifying a grace period after which the original organization account is deleted.
For example, the following call finalizes the move, and specifies that the original organization account in the source region will be deleted after 14 days.
CALL SYSTEM$COMMIT_MOVE_ORGANIZATION_ACCOUNT(14);
At any point, you can view the status of an attempt to move an organization account by calling the SYSTEM$SHOW_MOVE_ORGANIZATION_ACCOUNT_STATUS function.
Note
When an organization account is moved, the views in the ORGANIZATION_USAGE schema must be repopulated with data, a process that can take up to one week.
Limitations¶
Currently, the organization account cannot be replicated.