Nov 19, 2025: Programmatic access tokens: Removing the single-role restriction for service users
For service users (users with TYPE=SERVICE or TYPE=LEGACY_SERVICE), you can now generate a programmatic access token that is not restricted to a single role.
To bypass this restriction, create or alter an authentication policy that sets the REQUIRE_ROLE_RESTRICTION_FOR_SERVICE_USERS property to FALSE in the PAT_POLICY clause. For example:
CREATE AUTHENTICATION POLICY my_authentication_policy
  PAT_POLICY = (
    REQUIRE_ROLE_RESTRICTION_FOR_SERVICE_USERS = FALSE
  );

ALTER AUTHENTICATION POLICY my_authentication_policy
  SET PAT_POLICY = (
    REQUIRE_ROLE_RESTRICTION_FOR_SERVICE_USERS = FALSE
  );
Then, apply that authentication policy to a service user.
Note
The restriction is lifted only when you use the ALTER USER … ADD PROGRAMMATIC ACCESS TOKEN (PAT) command to generate the programmatic access token.
Currently, the restriction is not lifted if you are using Snowsight to generate the programmatic access token, but support will be added in the future.
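The remaining steps of the procedure, as an added example that is not part of the original release note: apply the policy to one service user, generate a token with and without a role restriction, then audit and revoke. The names my_service_user, MY_ROLE, my_unrestricted_pat and my_restricted_pat are hypothetical, and the example assumes the user has no other authentication policy set and already meets the account's other requirements for programmatic access tokens.

```sql
-- Added example; my_service_user, MY_ROLE and the token names are hypothetical.

-- Attach the relaxed policy to this one service user rather than the account,
-- so every other service user keeps the single-role requirement.
-- Assumes no authentication policy is currently set on the user.
ALTER USER my_service_user
  SET AUTHENTICATION POLICY my_authentication_policy;

-- Token without ROLE_RESTRICTION: accepted only because the policy sets
-- REQUIRE_ROLE_RESTRICTION_FOR_SERVICE_USERS = FALSE. Keep the lifetime short.
-- The statement output contains the token secret; store it in a secrets manager.
ALTER USER my_service_user
  ADD PROGRAMMATIC ACCESS TOKEN my_unrestricted_pat
  DAYS_TO_EXPIRY = 7
  COMMENT = 'No role restriction; review before renewing';

-- Least-privilege alternative for comparison: a token pinned to one role
-- that is already granted to the user.
ALTER USER my_service_user
  ADD PROGRAMMATIC ACCESS TOKEN my_restricted_pat
  ROLE_RESTRICTION = 'MY_ROLE'
  DAYS_TO_EXPIRY = 7;

-- Audit: list the user's tokens and check which ones carry a role restriction.
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER my_service_user;

-- Revoke the unrestricted token once it is no longer needed.
ALTER USER my_service_user
  REMOVE PROGRAMMATIC ACCESS TOKEN my_unrestricted_pat;
```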
For information, see Removing the role restriction for service users.