Getting Started with Organizations¶
This topic discusses how to work with organizations, including how to assign the ORGADMIN role to organization administrators.
Snowflake customers never directly create an organization. For users who sign-up for a Snowflake account using the self-service option, an organization is automatically created with a system-generated name when the account is created. For entities who work directly with Snowflake personnel to set up accounts, Snowflake creates the organization to which the accounts belong using a custom name. In either case, users can create additional accounts that belong to the organization after it is created with the initial account.
Viewing the Name of Your Organization and Its Accounts¶
If you are the organization administrator, you can view the name of your organization and its accounts through the web interface or using SQL:
Users with any role, not just ORGADMIN, can execute the CURRENT_ORGANIZATION_NAME function to return the organization of the current account.
Users with any role can also find the organization name and account name for a specific account that they have previously signed in to. See Finding the Organization and Account Name for an Account.
Changing the Name of Your Organization¶
If you want to change the name of an organization, for example to change a system-generated name to a more user-friendly one, contact Snowflake Support.
When you contact Snowflake Support, you must decide whether users can temporarily access accounts in the organization using the original account URL. If you keep the original account URL, it is automatically dropped after 90 days, at which time users must use the new account URL to access the account. If you want to drop the account URL before the 90 days expire, see Deleting an Organization URL.
Enabling the ORGADMIN Role in an Account¶
An organization administrator uses an account with the ORGADMIN role enabled to work with data and features that pertain to all accounts in the organization. Once the ORGADMIN role is enabled, the organization administrator can log in to the account and use the role to perform organization-focused tasks like listing all accounts in the organization and creating new accounts.
Every organization has at least one account with the ORGADMIN role enabled. The organization administrator can use the ALTER ACCOUNT … SET IS_ORG_ADMIN command to enable the role in additional accounts.
For example, to enable the ORGADMIN role for existing account
my_account1, the organization administrator can execute the following
command from an account that already has the ORGADMIN role enabled:
USE ROLE orgadmin;
ALTER ACCOUNT my_account1 SET IS_ORG_ADMIN = TRUE;
Keep the following in mind when enabling the ORGADMIN role:
Disabling the ORGADMIN Role¶
An organization administrator can use the ALTER ACCOUNT command to remove the ORGADMIN role from an account by setting the
IS_ORG_ADMIN property to
FALSE. For example:
ALTER ACCOUNT my_account1 SET IS_ORG_ADMIN = FALSE;
The ORGADMIN role cannot be removed for the current account. As a workaround, enable the role in a different account, and then switch to that account before executing the ALTER ACCOUNT command.
Assigning the ORGADMIN Role to a User or Role¶
Once enabled in an account, the ORGADMIN role can be granted to any user or role in the account by an ACCOUNTADMIN using the GRANT ROLE command. For more information about system roles and best practices for managing access control, see Access control considerations.
-- Assume the ACCOUNTADMIN role
USE ROLE accountadmin;
-- Grant the ORGADMIN role to a user
GRANT ROLE orgadmin TO USER user1;
-- Grant ORGADMIN to a role
GRANT ROLE orgadmin TO ROLE custom_role;