User & security DDL
Snowflake provides a full set of SQL commands for managing users and security. These commands can only be executed by users who are granted roles that have the OWNERSHIP privilege on the managed object. This is usually restricted to the ACCOUNTADMIN and SECURITYADMIN roles.
However, individual users are able to perform the following tasks for themselves:
Change their password (only through the web interface).
View their user information (via DESCRIBE USER).
Change their default role, virtual warehouse, or namespace (via ALTER USER).
Change their session parameters (via ALTER SESSION).
User management
Each user with access to Snowflake is represented by a user object. A user object stores all of the information about the user, including their login name, password, and defaults (role, virtual warehouse, and namespace). Use the following DDL commands to manage users in the system:
Role management
Snowflake uses roles to control access to objects in the system:
Roles are granted access privileges for objects in the system (databases, tables, etc.).
Roles are granted to users to enable them to create, modify, and use the objects for which the roles have privileges.
Roles can be granted to other roles to support defining hierarchical access privileges.
Use the following DDL commands to manage roles in the system:
Use the following DDL commands to manage database roles in the system:
Use the following command to activate a primary role or secondary roles within a user session:
Object tagging management
Snowflake supports the following DDL to create and manage tags:
ALTER <object> (to set a tag on a Snowflake object)
Note that Snowflake does not support the describe operation for the tag object.
Access control management
Use the following commands to manage access control for objects by granting (and revoking) object privileges to roles and granting roles to users and other roles:
Network policy management
A network policy restricts access to your account based on the user's IP address. Use the following commands to create, alter, or drop network policies:
Secret management
Snowflake supports the following DDL commands and operations to manage secrets:
Password policy management
Snowflake provides the following DDL commands to manage password policy objects:
Session policy management
Snowflake provides the following DDL commands to manage session policy objects:
Third-party integrations
An integration is a Snowflake object that provides an interface between Snowflake and third-party services. Use the following commands to create, alter, or drop integrations: