配置访问控制

This topic describes how to configure access control security for securable objects in your account.

账户管理

指定其他用户作为账户管理员

默认情况下,每个账户都有一个被指定为账户管理员的用户(即被授予系统定义的 ACCOUNTADMIN 角色的用户)。我们建议至少指定一名其他用户作为账户管理员。这有助于确保您的账户始终拥有至少一名可以执行账户级任务的用户,特别是在您的账户管理员之一无法登录的情况下。

对于这些其他账户管理员,您可以选择创建新用户或指定现有用户,但请确保指定以下内容:

  • Grant the ACCOUNTADMIN role to the user(s), but do not set this role as their default. Instead, designate a lower-level administrative role (for example, SYSADMIN) or custom role as their default. This helps prevent account administrators from inadvertently using the ACCOUNTADMIN role to create objects.
  • 确保为每个用户指定电子邮件地址(多重身份验证所需)。

For example, grant the ACCOUNTADMIN and SYSADMIN roles to an existing user named user2 and specify SYSADMIN as the default role:

GRANT ROLE ACCOUNTADMIN, SYSADMIN TO USER user2;

ALTER USER user2 SET EMAIL='user2@domain.com', DEFAULT_ROLE=SYSADMIN;

为每个账户管理员启用 MFA

To ensure the highest level of security for your Snowflake account, we strongly recommend that any user who can modify or view sensitive data be required to use multi-factor authentication (MFA) for login.

此建议特别适用于具有 ACCOUNTADMIN 角色的用户,但也可以扩展到包括具有 SECURITYADMIN 和 SYSADMIN 角色的用户。

For more details, see Access control best practices and Multi-factor authentication (MFA).

创建自定义角色

To follow the general principle of “least privilege”, we recommend creating custom roles that align with the business functions in your organization to permit SQL actions on a narrow set of securable objects.

You can create custom roles using Snowsight or SQL.

工作流程如下:

  1. 创建自定义角色。
  2. 向角色授予一组权限。
  3. 将角色授予一个或多个需要授予该角色的权限的用户,以执行满足其业务需求的 SQL 操作。
  4. Grant the role to another role to create or add to a role hierarchy. While not required, this step is highly recommended. For more information, see 创建角色层次结构.

This section provides instructions for creating a role named r1 and granting the following privileges to the role. The privileges allow a user who activates the role in a session to query a single table, d1.s1.t1:

PrivilegeObjectNotes
USAGE

Warehouse w1

Database d1

Schema s1

要查询对象(例如表或视图),角色必须对仓库具有 USAGE 权限。仓库提供执行查询的计算资源。

要对架构中的任何对象进行操作,角色必须对容器数据库和架构具有 USAGE 权限。

SELECTTable t1

创建角色后,可以向其授予额外的权限,以允许拥有该角色的用户对同一对象或其他对象执行额外的 SQL 操作。

创建角色

只有用户管理员(即拥有 USERADMIN 系统角色或更高角色的用户)或对账户拥有 CREATE ROLE 权限的其他角色才能创建角色。

SQL:
  1. Create the r1 role using a CREATE ROLE statement: 
    CREATE ROLE r1
COMMENT = 'This role has all privileges on schema_1';
Snowsight:

  1. Sign in to Snowsight.

  2. 切换到具有在账户中创建角色的权限的角色。

  3. In the navigation menu, select Governance & security » Users & roles, and then select Roles.

  4. Select + Role.

    A New Role dialog appears.

  5. For Name, enter the name of the role. For example, r1.

  6. For Grant to role, optionally choose to grant the new role to an existing role and inherit the privileges of the existing role.

  7. 可选择添加注释。

  8. Select Create Role.

向角色授予权限

You can use the SECURITYADMIN role to grant privileges on objects to roles. For more information, see GRANT <privileges> … TO ROLE.

SQL:
  1. Grant to the r1 role the privileges defined in the table earlier in this section. 
    GRANT USAGE ON WAREHOUSE w1 TO ROLE r1;

GRANT USAGE ON DATABASE d1 TO ROLE r1;

GRANT USAGE ON SCHEMA d1.s1 TO ROLE r1;

GRANT SELECT ON TABLE d1.s1.t1 TO ROLE r1;
Snowsight:
  1. Sign in to Snowsight.
  2. In the navigation menu, select Catalog » Database Explorer.
  3. For a specific database and schema, select a database object to which you want to grant privileges. For example, a database named d1.
  4. In the Object Details, locate the Privileges section.
  5. Select + Privilege.
  6. Select the role or user to which you want to grant privileges. For example, r1 or u1.

Tip

您可以按用户名、电子邮件地址或名字/姓氏搜索用户。

  1. Select the privilege you want to grant to the role or user. For example, USAGE.
  2. If you want the role to be able to grant the privilege to other roles or users, select the checkbox for Grant option.
  3. Select Grant Privileges.

For this example, repeat the steps to grant USAGE on the schema s1, SELECT on the table t1.

To grant USAGE on the warehouse w1, complete the following steps:

  1. Sign in to Snowsight.
  2. In the navigation menu, select Compute » Warehouses.
  3. Locate and select the warehouse to which you want to grant privileges. For example, w1.
  4. In the Privileges section, select + Privilege.
  5. Select the role or user to which you want to grant privileges. For example, r1 or u1.
  6. For Privileges, select the privilege to grant. For example, USAGE.
  7. If you want the role to be able to grant the privilege to other roles or users, select the checkbox for Grant option.
  8. Select Grant Privileges.

将角色授予用户

You can use the SECURITYADMIN role to grant roles to users. For additional options, see GRANT ROLE.

SQL:

  1. Assign the r1 role to user smith using a GRANT ROLE statement:

    GRANT ROLE r1
TO USER smith;

  2. Optionally set the new custom role as the default role for the user. The next time the user logs into Snowflake, the default role is automatically active in the session.

只有对用户拥有 OWNERSHIP 权限的角色或更高级别的角色才能执行此命令。

The following command sets the default role for user smith:

ALTER USER smith
SET DEFAULT_ROLE = r1;
Snowsight:
  1. Sign in to Snowsight.
  2. 切换到有权向账户中的角色授予权限的角色。
  3. In the navigation menu, select Governance & security » Users & roles, and then select Roles.
  4. Select Table and locate and select the role that you created.
  5. In the section 0 users have been granted R1, select Grant to User.
  6. For User to receive grant, select a user to grant the role to. For example, smith.
  7. Select Grant.

授予角色全局权限

You can also grant a global privilege to a role. See Access control privileges for the list of global privileges available to grant to a role.

SQL:

Use the GRANT PRIVILEGE command. See Privilege management for details.

Snowsight:
  1. Sign in to Snowsight.
  2. 切换到有权向账户中的角色授予权限的角色。
  3. In the navigation menu, select Governance & security » Users & roles, and then select Roles.
  4. Select Table and locate and select the role that you created.
  5. In the role details page, select More options » Manage global privileges.
  6. For Global privilege to grant, select the privilege that you want to grant to the role.
  7. If you want the role to be able to grant the privilege to other roles, select the checkbox for Grant option.
  8. Select Update Privileges.

创建自定义只读角色

Suppose you need a role that is limited to querying all tables in a specific schema (for example, d1.s1). Users who execute commands using this role cannot update the table data, create additional database objects, or drop tables. The role is limited to querying table data.

To create a read-only role, complete the basic steps described in 创建自定义角色. In the 向角色授予权限 section, grant the read-only role (named read_only in these instructions) the following object privileges:

权限对象备注
USAGE仓库要查询对象(例如表或视图),角色必须对仓库具有 USAGE 权限。仓库提供执行查询的计算资源。
SELECT要对架构中的任何对象进行操作,角色必须对容器数据库和架构具有 USAGE 权限。

The GRANT <privilege> statements are as follows:

GRANT USAGE
  ON DATABASE d1
  TO ROLE read_only;

GRANT USAGE
  ON SCHEMA d1.s1
  TO ROLE read_only;

GRANT SELECT
  ON ALL TABLES IN SCHEMA d1.s1
  TO ROLE read_only;

GRANT USAGE
  ON WAREHOUSE w1
  TO ROLE read_only;

Note

The GRANT SELECT ON ALL TABLES IN SCHEMA <schema> statement grants the SELECT privilege on all existing tables only. To grant the SELECT privilege on all future tables to the role, execute the following statement:

GRANT SELECT ON FUTURE TABLES IN SCHEMA d1.s1 TO ROLE read_only;

创建角色层次结构

创建自定义角色时,请考虑创建最终分配给高级管理员角色的角色层次结构。一般来说, SYSADMIN 角色与层次结构中所有其他角色分配的角色一样工作良好,但需要注意的是,任何具有足够权限的角色都可以提供此功能。SYSADMIN 角色是系统定义的角色,有权在账户中创建仓库、数据库和数据库对象,并将这些权限授予其他角色。在默认系统层次结构中,顶层 ACCOUNTADMIN 角色管理系统管理员角色。

Create a role hierarchy by granting a role to a second role. You can then grant that second role to a third role. The privileges associated with a role are inherited by any roles above that role in the hierarchy (that is, the parent role).

下图显示了角色层次结构示例以及授予每个角色的权限:

Role hierarchy and privileges granted to each role

将一个角色授予另一个角色

Assign the role to a higher-level role in a role hierarchy. In this example, we are assigning the r1 role created in 创建自定义角色 to the SYSADMIN role. The SYSADMIN role inherits any object privileges granted to the r1 role:

SQL:
GRANT ROLE r1
   TO ROLE sysadmin;
Snowsight:
  1. Sign in to Snowsight.
  2. In the navigation menu, select Governance & security » Users & roles, and then select Roles.
  3. Select Table and locate the role that you want to grant to another role. For example, r1.
  4. In the section 0 roles have been granted R1, select Grant to Role.
  5. For Role to receive grant, select SYSADMIN.
  6. Select Grant.

Note

In a more complex example, you could assign the custom role to another child role of SYSADMIN (or another administrator role, such as a custom role with sufficient privileges to create databases). The SYSADMIN role would inherit the combined privileges assigned to the custom role and its parent role. If the role above custom in the hierarchy owned any objects, then the role hierarchy would ensure that members of the SYSADMIN role also owned those objects (indirectly) and could manage them as expected.

Explore role hierarchies in Snowsight

Snowsight includes a roles graph that displays the hierarchy of roles in your account. The graph is organized in descending order of hierarchy, with paths representing inheritance from parent to child roles. In accounts with lots of roles, the graph can take some time to load.

Note

数据库角色不显示在角色图表中。

要打开角色图表,请执行以下操作:

  1. Sign in to Snowsight.
  2. In the navigation menu, select Governance & security » Users & roles.

查看角色图表时,可以选择一个单独的角色或用户,该角色或用户就会成为角色图表的焦点。要进行探索,您可以放大或缩小图表,并在图表中间显示重点角色或用户。

Image showing the roles graph focused on the ORGADMIN role, with the ACCOUNTADMIN role appearing above it in the hierarchy, as well as a system role SNOWFLAKE$GDS_RL used for global data sharing.

选择一个角色可查看该角色的详细信息,如创建时间、所有者角色、授予该角色的角色数、已授予该角色的角色数、向其授予该角色的用户数,以及管理该角色授予的功能。

When viewing the details for a role, you can select the More options to center the graph on the selected role or open the role detail page.

向用户授予权限

A user with MANAGE GRANTS privileges on objects can grant privileges directly to users. For more information, see GRANT <privileges> … TO USER.

For example, to grant the USAGE privilege on a Streamlit application streamlitApp1 to user1, execute the following commands:

GRANT USAGE ON WAREHOUSE w1 TO USER user1;

GRANT USAGE ON DATABASE d1 TO USER user1;

GRANT USAGE ON SCHEMA d1.s1 TO USER user1;

GRANT USAGE ON STREAMLIT `streamlitApp1` TO USER user1;

Note

直接分配给用户的权限仅在用户启用了所有次要角色时才有效。

For more specific information about granting privileges to users, see Usage notes for GRANT <privileges> … TO USER.

禁用 UBAC

We understand that this new access control model might affect your governance practices. If you need to disable UBAC in your account after Bundle 2025_02 becomes enabled by default, use the ALTER ACCOUNT command to set the account parameter DISABLE_USER_PRIVILEGE_GRANTS = TRUE. For example:

ALTER ACCOUNT SET DISABLE_USER_PRIVILEGE_GRANTS = TRUE;

For more information about using the ALTER ACCOUNT command to set account parameters, see ALTER ACCOUNT. For more information about the DISABLE_USER_PRIVILEGE_GRANTS parameter, see DISABLE_USER_PRIVILEGE_GRANTS.

为对象分配未来的授权

To simplify grant management, future grants allow defining an initial set of privileges to grant on new (that is, future) objects of a certain type in a database or a schema. As new objects are created in the database or schema, the defined privileges are automatically granted to a specified role.

Future grants only define the initial set of privileges granted on new objects of a specified type. After an individual object is created, administrators can explicitly grant additional privileges or revoke privileges on the object. This allows fine-grained access control over all objects in the schema or database.

使用未来授权时的注意事项

  • When future grants are defined on the same object type for a database and a schema in the same database, the schema-level grants take precedence over the database level grants, and the database level grants are ignored. This behavior applies to privileges on future objects granted to one role or different roles.

例如,以下语句在数据库和架构级别对同一类型的对象授予不同的权限。

Grant the SELECT privilege on all future tables in database d1 to role r1:

GRANT SELECT ON FUTURE TABLES IN DATABASE d1 TO ROLE r1;

Grant the INSERT and DELETE privileges on all future tables in schema d1.s1 to role r2.

GRANT INSERT,DELETE ON FUTURE TABLES IN SCHEMA d1.s1 TO ROLE r2;

The future grants assigned to the r1 role on object types in schema d1.s1 are ignored completely. When new tables are created in schema d1.s1, only the future privileges defined on tables for the r2 role are granted.

To manage future grants in Snowsight, run SQL statements in a worksheet.

定义对数据库或架构对象的未来授权

Grant privileges on future objects of a specified type using the GRANT <privileges> … TO ROLE command with the ON FUTURE keywords.

撤销对数据库或架构对象的未来授权

Revoke grants on future objects using the REVOKE <privileges> … FROM ROLE command with the ON FUTURE keywords.

对象克隆和未来授权

  • When a database or schema is cloned, future grants are copied to its clone. This behavior maintains consistency with regular object grants. For example, when you clone a source object such as a database, grants of privileges on the database are not copied to its clones. Privilege grants on all child objects, such as tables created in the database, are copied to the clones.
  • When an object in a schema is cloned, any future grants defined for this object type in the schema are applied to the cloned object unless the COPY GRANTS option is specified in the CREATE <object> statement for the clone operation. In that case, the new object retains the access permissions of the original object and does not inherit any future grants for objects of that type.

创建托管访问架构

托管访问架构通过锁定对象的权限管理来提高安全性。

在常规(即非托管)架构中,对象所有者(即具有对象 OWNERSHIP 权限的角色)可以向其他角色授予对其对象的访问权限,并可以选择进一步授予这些角色管理对象授权的能力。

With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (that is, the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.

You can create a managed access schema in Snowsight using a SQL command. For example, run the CREATE SCHEMA command with the WITH MANAGED ACCESS keywords.

CREATE SCHEMA myschema WITH MANAGED ACCESS;

You can change a managed access schema to a regular one in Snowsight using a SQL command. For example, run the ALTER SCHEMA command with the DISABLE MANAGED ACCESS keywords.

ALTER SCHEMA myschema DISABLE MANAGED ACCESS;

下表指示哪些角色可以管理常规或托管访问架构中的对象权限:

RoleCan grant object privileges in a regular schemaCan grant object privileges in a managed access schema
SYSADMINNoNo
SECURITYADMIN or higherYesYes
Database ownerNoNo
Schema owner

No

Yes

Object owner

Yes

No

Any role with the MANAGE GRANTS privilegeYesYes

使用 Snowsight 管理对象权限

You can use Snowsight to manage grants of database object privileges to roles. To manage these grants, use a role with either the OWNERSHIP privilege on the object or with the global MANAGE GRANTS privilege.

When you use Snowsight to manage grants, it is equivalent to running a GRANT PRIVILEGE or REVOKE PRIVILEGE command in SQL. For example, you can use Snowsight to grant the USAGE privilege on a view to the ACCOUNTADMIN role.

授予对象权限

要向角色授予数据库对象权限,请执行以下操作:

  1. Sign in to Snowsight.
  2. In the navigation menu, select Catalog » Database Explorer.
  3. 针对特定数据库和架构,选择要向其授予权限的数据库对象。
  4. In the Object Details, locate the Privileges section.
  5. Select + Privilege.
  6. 选择要向其授予权限的角色。
  7. 选择要授予角色的权限。
  8. If you want the role to be able to grant the privilege to other roles, select Grant option.
  9. 对要授予角色的每个对象权限重复上述步骤。
  10. Select Grant Privileges.

撤销对象的权限

要撤销角色的数据库对象权限,请执行以下操作:

  1. Sign in to Snowsight.
  2. In the navigation menu, select Catalog » Database Explorer.
  3. 对于特定数据库和架构,请选择要撤销其权限的数据库对象。
  4. In the Object Details, locate the Privileges section.
  5. For a specific role listed, select the Edit Role pencil icon that appears when you hover over the row.
  6. In the dialog that appears, select the x to revoke a privilege from a specific role.
  7. Select Update Privileges.

确定授予角色的权限

To show the privileges granted on a specific role, you can run the SHOW GRANTS command or do the following in Snowsight:

  1. Sign in to Snowsight.
  2. In the navigation menu, select Governance & security » Users & roles » Roles.
  3. Select Table and locate the role for which you want to view granted privileges.
  4. 选择要查看所授予权限的角色,以查看详细信息。
  5. Review the Privileges section for the role.

Enabling non-account administrators to monitor usage and billing history

Snowflake 提供有关数据存储/传输和仓库使用/负载的广泛账户使用情况和账单信息:

Snowsight:

In the navigation menu, select Admin » Cost management.

SQL:

查询以下任意一项:

默认情况下,只有账户管理员才能访问/查看此信息。

Note

Currently, Snowsight only displays usage and billing information to account administrators. It is not possible to grant other roles the ability to view this information.

要使非账户管理员的用户能够访问/查看此信息,请向系统定义或自定义角色授予以下权限。向角色授予权限允许所有被授予该角色的用户访问此历史/使用情况信息:

PrivilegeObjectDescription
MONITOR USAGEAccount (that is, global privilege)

允许被授予该角色的用户在 Web 界面中查看使用情况和账单信息,并查询 Information Schema 中相应的表函数。

In addition, with this privilege, the SHOW DATABASES and SHOW WAREHOUSES commands return the lists of all databases and warehouses in the account, respectively, regardless of other privilege grants.

IMPORTED PRIVILEGESsnowflake database

允许被授予该角色的用户查询所有 ACCOUNT USAGE 视图,包括包含使用情况和账单信息的视图。

For more information, see Enabling other roles to use schemas in the SNOWFLAKE database.

For example, to grant these permissions to the custom role:

GRANT MONITOR USAGE ON ACCOUNT TO ROLE custom;

GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE custom;