Organization accounts

The organization account is a special type of account that organization administrators use to perform tasks that affect the entire organization. For example, administrators use the organization account to do the following:

  • View organization-level data collected from all accounts in the organization, including the query history from each account.

  • Enable Snowflake Marketplace terms for the entire organization.

  • Manage the lifecycle of accounts in an organization, including creating and deleting accounts.

  • Enable replication for an account.

  • Manage organization users and organization user groups for all accounts, or a subset of accounts, in an organization.

There is only one organization account for an organization.

Features available for an ORGADMIN-enabled account

This section describes features that become available when you enable the ORGADMIN role in an account.

See the following sections for more information about each feature:

Premium views

The ORGANIZATION_USAGE schema in the organization account contains views that are not available in the ORGANIZATION_USAGE schema of a regular account. These additional views, called premium views, become available when you create an organization account. They provide organization-level data that is not otherwise available in a single view. For example, you can query the TAG_REFERENCES premium view to learn how tags are used throughout the organization, not just in a specific account.

For more information, including costs associated with premium views, see Premium views in the organization account.

Organization users and user groups

Organizations with more than one account sometimes need someone to manage a user or role in multiple accounts. If you don’t want to create a separate user or role in each account, then you can create an organization user and organization user group in an organization account.

For more information, see Organization users.

About administrator roles and assignable privileges

Organization administrators use the GLOBALORGADMIN role in the organization account to perform all organization-level tasks, including administration of the organization account itself.

Note

Before the introduction of the organization account, organization administrators used the ORGADMIN role in an ORGADMIN-enabled account to perform organization-level tasks. Using the ORGADMIN role in an ORGADMIN-enabled account is being phased out. Use the GLOBALORGADMIN role in the organization account to perform organization-level tasks.

Snowflake will send a notification email to customers at least three months prior to phasing out the ORGADMIN role.

The GLOBALORGADMIN role can assign privileges to other roles to let other users perform organization-level tasks. In the organization account, the GLOBALORGADMIN role can assign the following privileges:

  • APPLY TAG

  • MANAGE ACCOUNTS

  • MANAGE LISTING AUTO FULFILLMENT

  • MANAGE ORGANIZATION CONTACTS

  • MANAGE ORGANIZATION TERMS

  • PURCHASE DATA EXCHANGE LISTING

These privileges are set on the account level. For example, to assign the MANAGE ACCOUNTS privilege to the role custom_role, execute the following:

USE ROLE GLOBALORGADMIN;

GRANT MANAGE ACCOUNTS ON ACCOUNT TO custom_role;

For more information about these privileges, see Access control privileges.
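The delegation described above, extended into a grant-and-verify workflow. This is an added example, not part of the original documentation. It assumes a role named org_account_manager (a hypothetical name) already exists in the organization account.

```sql
-- Added example: delegate a single organization-level privilege and audit it.
-- org_account_manager is a hypothetical role name assumed to exist already.

USE ROLE GLOBALORGADMIN;

-- 1. Inventory which users and roles currently hold GLOBALORGADMIN itself.
SHOW GRANTS OF ROLE GLOBALORGADMIN;
SELECT "granted_to", "grantee_name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  ORDER BY "granted_to", "grantee_name";

-- 2. Delegate only account lifecycle management, nothing else.
GRANT MANAGE ACCOUNTS ON ACCOUNT TO ROLE org_account_manager;

-- 3. List every assignable organization-level privilege the role now holds.
--    The expected result is a single row for MANAGE ACCOUNTS.
SHOW GRANTS TO ROLE org_account_manager;
SELECT "privilege", "granted_on", "grant_option", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  WHERE "privilege" IN (
    'APPLY TAG',
    'MANAGE ACCOUNTS',
    'MANAGE LISTING AUTO FULFILLMENT',
    'MANAGE ORGANIZATION CONTACTS',
    'MANAGE ORGANIZATION TERMS',
    'PURCHASE DATA EXCHANGE LISTING');

-- 4. List the users and roles that can act through the delegated role.
SHOW GRANTS OF ROLE org_account_manager;

-- 5. Run separately when the delegation is no longer needed.
REVOKE MANAGE ACCOUNTS ON ACCOUNT FROM ROLE org_account_manager;
```

Steps 1, 3 and 4 are read-only and can be rerun periodically to detect drift in who holds organization-level privileges.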

Create the organization account

Note

Creating the organization account results in the ORGANIZATION_USAGE schema being populated with data, which incurs additional costs for your organization.

To create the organization account:

  1. Choose an existing account from which you will create the organization account. This existing account must have the ORGADMIN role enabled.

  2. Sign in to the account you are using to create the organization account.

  3. Switch to the ORGADMIN role. For example:

    USE ROLE ORGADMIN;
    
  4. Execute the CREATE ORGANIZATION ACCOUNT command. For example:

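    CREATE ORGANIZATION ACCOUNT myorgaccount
        ADMIN_NAME = admin
        -- Sample password; replace with a value of your own.
        ADMIN_PASSWORD = 'TestPassword1'
        EMAIL = 'myemail@myorg.org'
        -- Forces the administrator to set a new password at first sign-in.
        MUST_CHANGE_PASSWORD = true
        EDITION = enterprise;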
    

Note

Snowflake does not support custom account locators for organization accounts. For alternatives, contact your Snowflake representative.

Delete the organization account

If you want to drop the organization account in your multi-account organization, then contact Snowflake Support.

Note

New functionality in Snowflake that includes organization-level administrative tasks will require an organization account. If you are concerned about the costs associated with premium views, contact Snowflake Support to request that they be disabled instead of deleting the account.

Move the organization account to a different region

You can move an organization account between regions as long as those regions are in either the PUBLIC region group or a VPS region group.

Snowflake uses replication groups to move objects from the organization account in the source region to the organization account in the new region. As a result, only objects that can be replicated are moved with the organization account and there are replication costs associated with the move. For a list of objects that can be moved with the organization account, see Replicated objects.

Moving the organization account to a different region is a two-step process:

  1. Call the SYSTEM$INITIATE_MOVE_ORGANIZATION_ACCOUNT function from the organization account to start the process of moving it. Snowflake begins replicating objects to the new region.

    The function accepts a temporary account name, the new region, and a list of objects to move as its arguments. For example:

    CALL SYSTEM$INITIATE_MOVE_ORGANIZATION_ACCOUNT(
      'MY_TEMP_NAME',
      'aws_us_west_2',
      'ALL');
    
  2. When you have verified that the data in the organization account has been successfully replicated in the new region, call the SYSTEM$COMMIT_MOVE_ORGANIZATION_ACCOUNT function to finalize the move, specifying a grace period after which the original organization account is deleted.

    For example, the following call finalizes the move, and specifies that the original organization account in the source region will be deleted after 14 days.

    CALL SYSTEM$COMMIT_MOVE_ORGANIZATION_ACCOUNT(14);
    

At any point, you can view the status of an attempt to move an organization account by calling the SYSTEM$SHOW_MOVE_ORGANIZATION_ACCOUNT_STATUS function.

Note

When an organization account is moved, the views in the ORGANIZATION_USAGE schema must be repopulated with data, a process that can take up to one week.

Limitations

Currently, the organization account cannot be replicated.
