ALTER AUTHENTICATION POLICY¶

Modifies the properties of an authentication policy.

See also:: CREATE AUTHENTICATION POLICY, DESCRIBE AUTHENTICATION POLICY, DROP AUTHENTICATION POLICY, SHOW AUTHENTICATION POLICIES

Syntax¶

ALTER AUTHENTICATION POLICY <name> RENAME TO <new_name>

ALTER AUTHENTICATION POLICY [ IF EXISTS ] <name> SET
  [ CLIENT_TYPES = ( '<string_literal>' [ , '<string_literal>' , ...  ] ) ]
  [ AUTHENTICATION_METHODS = ( '<string_literal>' [ , '<string_literal>' , ...  ] ) ]
  [ SECURITY_INTEGRATIONS = ( '<string_literal>' [ , '<string_literal>' , ...  ] ) ]
  [ COMMENT = '<string_literal>' ]

ALTER AUTHENTICATION POLICY [ IF EXISTS ] <name> UNSET
  [ CLIENT_TYPES ]
  [ AUTHENTICATION_METHODS ]
  [ SECURITY_INTEGRATIONS ]
  [ COMMENT ]

Copy

Parameters¶

name

Specifies the identifier for the authentication policy to alter. If the identifier contains spaces or special characters, you must enclose the string in double quotation marks. Identifiers enclosed in double quotation marks are case-sensitive. The identifier must meet the identifier requirements.

RENAME TO ...

Specifies a new name for an existing authentication policy.

SET ...

Specifies one or more properties to set for the authentication policy, separated by blank spaces, commas, or new lines.

CLIENT_TYPES = ( 'string_literal' [ , 'string_literal' , ... ] )

Changes which clients can authenticate with Snowflake. This property accepts one or more of the following values:

ALL: Allow all clients to authenticate.
SNOWFLAKE_UI: Snowsight or Classic Console, the Snowflake web interfaces.
DRIVERS: Drivers allow access to Snowflake from applications written in supported languages. For example, the Go, JDBC, .NET drivers, and Snowpipe Streaming.

Caution

If DRIVERS is not included in the CLIENT_TYPES list, automated ingestion may stop working.
SNOWSQL: A command-line client for connecting to Snowflake.

If a client tries to connect, and the client is not one of the valid CLIENT_TYPES, then the login attempt fails. If CLIENT_TYPES is unset, any client can connect.

Default: ALL.

AUTHENTICATION_METHODS = ( 'string_literal' [ , 'string_literal' , ... ] )

Changes the authentication methods that are allowed during login. This parameter accepts one or more of the following values:

Caution

Restricting by authentication method can have unintended consequences, such as blocking driver connections or third-party integrations.

ALL: Allow all authentication methods.
SAML: Allows SAML2 security integrations. If SAML is present, an SSO login option appears. If SAML is not present, an SSO login option does not appear.
PASSWORD: Allows users to authenticate using username and password.
OAUTH: Allows External OAuth.
KEYPAIR: Allows Key pair authentication.

Default: ALL.

SECURITY_INTEGRATIONS = ( 'string_literal' [ , 'string_literal' , ... ] )

Changes the security integrations that that the authentication policy is associated with. This parameter has no effect when SAML or OAUTH are not in the AUTHENTICATION_METHODS list.

All values in the SECURITY_INTEGRATIONS list must be compatible with the values in the AUTHENTICATION_METHODS list. For example, if SECURITY_INTEGRATIONS contains a SAML security integration, and AUTHENTICATION_METHODS contains OAUTH, then you cannot create the authentication policy.

ALL: Allow all security integrations.

Default: ALL.

COMMENT = 'string_literal'

Changes the comment for the authentication policy.

UNSET ...

Specifies the properties to unset for the authentication policy, which resets them to their defaults.

Access Control Requirements¶

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege	Object	Notes
OWNERSHIP	Authentication policy	Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed.

Note that operating on any object in a schema also requires the USAGE privilege on the parent database and schema.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage Notes¶

If you want to update an existing authentication policy and need to see the definition of the policy, run the DESCRIBE AUTHENTICATION POLICY command or GET_DDL function.

Examples¶

Alter the list of allowed clients on an authentication policy:

ALTER AUTHENTICATION POLICY restrict_client_types_policy SET CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL');

Copy