DESCRIBE USER
Describes a user, including the current and default values of the properties of the user.
DESCRIBE can be abbreviated to DESC.
Syntax
Parameters
name
Specifies the identifier for the user to describe.
If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.
For more information, see Identifier requirements.
Output
The output of the command includes the following columns, which describe the properties and metadata of the object:
| Column | Description |
|---|---|
| | The name of the property (see Properties of users). |
| | The data type of the property (for example, |
| | The value assigned to the property. |
| | The default value of the property. |
The property column can include the following properties of the user:
| Property | Description |
|---|---|
| | Name of the user. |
| | Comment about the user. |
| | Name displayed for the user in Snowsight. |
| | Type of the user. For a list of possible values, see Types of users. |
| | Name that the user enters to log into the system. |
| | First name of the user. |
| | Middle name of the user. |
| | Last name of the user. |
| | Email address for the user. |
| | Obfuscated password of the user. |
| | If TRUE, the user is forced to change their password on next login (including their first/initial login) into the system. |
| | If TRUE, the user is locked out of Snowflake and cannot log back in. |
| | If TRUE, the user is locked by Snowflake. When a user is locked, they are unable to log in until the lock is removed. |
| | If TRUE, Snowflake Support is allowed to use the user or account. |
| | Number of days after which the user status is set to “Expired” and the user is no longer allowed to log in. |
| | Number of minutes until the temporary lock on the user login is cleared. |
| | Virtual warehouse that is active by default for the user’s session upon logging in. |
| | Namespace (database only or database and schema) that is active by default for the user’s session upon logging in. |
| | Primary role that is active by default for the user’s session upon logging in. |
| | Set of secondary roles that are active for the user’s session upon logging in. |
| | If TRUE, Duo is enabled for the user, which requires the user to use MFA (multi-factor authentication) when logging in. |
| | Authorization ID used for Duo. |
| | Default MFA method for the user. |
| | If TRUE, the user is enrolled in multi-factor authentication (MFA). |
| | If TRUE, the user has one or more programmatic access tokens. |
| | If TRUE, the user is configured to authenticate with workload identity federation. |
| | Number of minutes to temporarily bypass MFA requirement for the user. |
| | Number of minutes to temporarily bypass the requirement of having a network policy for programmatic access tokens. |
| | RSA public key of the user for key-pair authentication. |
| | Fingerprint of the user’s RSA public key. |
| | Date and time when the RSA public key was last set for the user. |
| | Second RSA public key of the user for use during key-pair rotation. |
| | Fingerprint of the user’s second RSA public key. |
| | Date and time when the second RSA public key was last set for the user. |
| | Date and time when the last non-NULL password was set for the user. If no password was set, the value of this property is NULL. |
| | Reserved for future use. |
| | Reserved for future use. |
| | If TRUE, the user was imported from a global organization user. |
Access control requirements
Individual users can see their own properties by executing this command and specifying their own name.
To view the properties of another user, you must use a role that has the following privilege:
| Privilege | Object | Notes |
|---|---|---|
| OWNERSHIP | User | |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes
The user object property MINS_TO_BYPASS_NETWORK_POLICY defines the number of minutes in which a user can access Snowflake without conforming to an existing network policy. The number of minutes can only be set by Snowflake (Default: NULL) and is intended as a temporary workaround to allow user access to Snowflake. To set a value for this property, please contact Snowflake Support.
This command does not show the session parameter defaults for a user. Instead, use SHOW PARAMETERS IN USER.
The user object property PASSWORD_LAST_SET_TIME defaults to NULL if no password has been set yet. Values of 292278994-08-17 07:12:55.807 or 1969-12-31 23:59:59.999 indicate the password was set before the inclusion of this row. A value of 1969-12-31 23:59:59.999 can also indicate an expired password and the user needs to change their password.
To post-process the output of this command, you can use the pipe operator (->>) or the RESULT_SCAN function. Both constructs treat the output as a result set that you can query.
For example, you can use the pipe operator or RESULT_SCAN function to select specific columns from the SHOW command output or filter the rows.
When you refer to the output columns, use double-quoted identifiers for the column names. For example, to select the output column type, specify SELECT "type".
You must use double-quoted identifiers because the output column names for SHOW commands are in lowercase. The double quotes ensure that the column names in the SELECT list or WHERE clause match the column names in the SHOW command output that was scanned.
Examples
The following example describes the user named my_user:
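An added example, not from the original page: it describes my_user and then post-processes the output to review the two properties the usage notes single out, MINS_TO_BYPASS_NETWORK_POLICY and PASSWORD_LAST_SET_TIME. The lowercase output column names "property" and "value" and the "finding" labels are assumptions of this example; confirm the column names against your own DESCRIBE USER output.

```sql
-- Added example; my_user is the user name used on this page.
DESCRIBE USER my_user;

-- Treat the DESCRIBE output as a result set. The output column names are
-- lowercase, so they must be double-quoted ("property", "value" are assumed).
SELECT
    "property",
    "value",
    CASE
        -- A non-NULL value means Snowflake has granted a temporary window in
        -- which the user can connect without conforming to a network policy.
        WHEN "property" = 'MINS_TO_BYPASS_NETWORK_POLICY'
             AND "value" IS NOT NULL
             AND UPPER("value") <> 'NULL'
            THEN 'network policy bypass window is set'
        -- NULL (possibly rendered as the text "null") means no password yet.
        WHEN "property" = 'PASSWORD_LAST_SET_TIME'
             AND ("value" IS NULL OR UPPER("value") = 'NULL')
            THEN 'no password has been set'
        -- The two placeholder timestamps quoted in the usage notes; the
        -- prefix match tolerates a trailing time zone offset in the display.
        WHEN "property" = 'PASSWORD_LAST_SET_TIME'
             AND "value" LIKE '292278994-08-17 07:12:55.807%'
            THEN 'password set before this value was recorded'
        WHEN "property" = 'PASSWORD_LAST_SET_TIME'
             AND "value" LIKE '1969-12-31 23:59:59.999%'
            THEN 'password set before this value was recorded, or expired'
        ELSE 'no finding'
    END AS "finding"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('MINS_TO_BYPASS_NETWORK_POLICY', 'PASSWORD_LAST_SET_TIME');

-- The same filter with the pipe operator; $1 refers to the result of the
-- statement before the ->> operator.
DESCRIBE USER my_user
  ->> SELECT "property", "value"
      FROM $1
      WHERE "property" IN ('MINS_TO_BYPASS_NETWORK_POLICY', 'PASSWORD_LAST_SET_TIME');
```

RESULT_SCAN(LAST_QUERY_ID()) reads the most recent statement in the session, so run the SELECT immediately after the DESCRIBE.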