CREATE SESSION POLICY¶
Creates a new session policy or replaces an existing session policy.
A session policy defines the idle session timeout period in minutes. Administrators can optionally set different timeout values for the Snowflake web interface and other Snowflake clients.
After creating a session policy, apply the session policy to your Snowflake account using an ALTER ACCOUNT statement or a user using an ALTER USER statement.
- See also:
Syntax¶
CREATE [OR REPLACE] SESSION POLICY [IF NOT EXISTS] <name>
[ SESSION_IDLE_TIMEOUT_MINS = <integer> ]
[ SESSION_UI_IDLE_TIMEOUT_MINS = <integer> ]
[ ALLOWED_SECONDARY_ROLES = ( [ { 'ALL' | <role_name> [ , <role_name> ... ] } ] ) ]
[ COMMENT = '<string_literal>' ]
Required parameters¶
name
Identifier for the session policy; must be unique for your account.
The identifier value must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g.
"My object"
). Identifiers enclosed in double quotes are also case-sensitive.For more details, see Identifier requirements.
Optional parameters¶
SESSION_IDLE_TIMEOUT_MINS = integer
For Snowflake clients and programmatic clients, the number of minutes in which a session can be idle before users must authenticate to Snowflake again. If a value is not specified, Snowflake uses the default value.
The number of minutes can be any integer between
5
and240
, inclusive.Default:
240
(4 hours)SESSION_UI_IDLE_TIMEOUT_MINS = integer
For Snowsight, the number of minutes in which a session can be idle before a user must authenticate to Snowflake again. If a value is not specified, Snowflake uses the default value.
The number of minutes can be any integer between
5
and240
, inclusive.Default:
240
(4 hours)ALLOWED_SECONDARY_ROLES = ( [ { 'ALL' | role_name [ , role_name ... ] } ] )
Specifies the secondary roles for a session policy, if any.
The possible values for the property are:
()
Disallows secondary roles.
('ALL')
Allows all secondary roles.
( role_name [ , role_name ... ] )
Allows the specified roles as secondary roles. The secondary roles can be user-defined account roles or system roles. Specify the role name as it is stored in Snowflake. For details, see Identifier requirements.
Default:
('ALL')
. If you do not set the property when you create a new session policy, all secondary roles are allowed.COMMENT = 'string_literal'
Adds a comment or overwrites an existing comment for the session policy.
Access control requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
---|---|---|
CREATE SESSION POLICY |
Schema |
The USAGE privilege on the parent database and schema are required to perform operations on any object in a schema.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
For additional details on session policy DDL and privileges, see Managing session policies.
Usage notes¶
If you want to replace an existing session policy and need to see the current definition of the policy, call the GET_DDL function or run the DESCRIBE SESSION POLICY command.
Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
Examples¶
Create a session policy for your current account:
CREATE SESSION POLICY session_policy_prod_1 SESSION_IDLE_TIMEOUT_MINS = 30 SESSION_UI_IDLE_TIMEOUT_MINS = 30 COMMENT = 'session policy for use in the prod_1 environment' ;