Managing Your Account

The Account area in the new web interface allows users to take the following actions at the account level:

Tab

Description

Usage

View the current monthly charges for your account for data storage, virtual warehouses (compute) resources, and cloud services. For information, see Viewing Account-level Credit and Storage Usage in the Web Interface.

Roles

View a set of roles and explore details of individual roles. Create, modify, and drop roles. Access control: View the privileges that have been granted on individual roles; grant or revoke privileges.

Users

View a set of users and explore details of individual users. Create, modify, and drop users. Access control: View the privileges that have been granted on individual users; grant or revoke privileges.

Network Policies

View all network policies in the account. Create, activate, modify, and drop network policies.

Sessions

View all user sessions that are currently open in the account.

Billing

Add or change the credit card associated with a trial account. For information, see Trial Accounts.

Roles

Navigation:

Account » Roles

The Roles page enables administrators to create and manage roles for access control in your Snowflake account.

Exploring Roles

In the table of roles on the page, click on the name of a role. The role details page opens. The page displays either of two views:

Graph

Browse the list to the left of the main graph pane. Filter the list by submitting a search in the search box above the list.

The list displays either roles or users in your account:

  • By default, the list displays roles in your account. Click on a role name to display the role in the context of its hierarchy, if applicable.

  • Click the Users option above the search box to display users in your account. Click on a user name to view any roles that have been granted to the user, in the context of their hierarchy. The roles that are granted to the user directly are highlighted.

The graph displays roles in their hierarchy, if applicable. A role becomes part of a hierarchy either when it is granted to another role, or another role is granted to it. Any roles above a role in a hierarchy are ancestors of that role. Any roles below a role in a hierarchy are descendents. Above the graph, click the View menu and choose Ancestors, Descendents, or Ancestors and Descendents to view these relationships in the graph.

Hover over a role in the graph to view details of the role. Click on a role and then click the Focus button to view only the selected role in its hierarchy.

Add Grants

To add grants for a role:

  1. Click on a role in the graph.

  2. In the Details pane to the right of the graph, click the + Grant menu.

  3. Choose one of the following options:

    • Grant Role: Grant another role to the current role (i.e., add the other role as a descendent of the current role).

    • Grant to Role: Grant the current role to another role (i.e., add the other role as an ancestor of the current role).

    • Grant to User: Grant the current role to a user.

Table

Explore the set of roles in the account in a table. Click on a role to view details of the role.

Creating Roles

  1. Click the Create » Role dropdown in the top-right corner of the page. The New Role dialog opens.

  2. Specify the following properties:

    Property

    Description

    Name

    Identifier for the role; must be unique for your account.

    Parent Role

    Create a role hierarchy, or add this role to an existing role hierarchy, by granting this role to an existing role.

    Any privileges associated with the role you are creating are inherited by any roles above that role in the hierarchy.

    Comment (optional)

    Comment for the role.

  3. Click the Create Role button. The new role is created.
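
The SQL equivalent of the Create Role dialog and the three + Grant options, as an added example that is not part of the original page. The role names (analyst_ro, analyst_rw) and the user jsmith are hypothetical, and the user is assumed to exist already.

```sql
-- Added example: role and user names are hypothetical.
-- SECURITYADMIN is used because it holds the global MANAGE GRANTS privilege.
USE ROLE SECURITYADMIN;

-- Name and Comment properties from the New Role dialog.
CREATE ROLE IF NOT EXISTS analyst_ro COMMENT = 'Read-only access to reporting data';
CREATE ROLE IF NOT EXISTS analyst_rw COMMENT = 'Read/write access to reporting data';

-- Parent Role: granting analyst_ro to analyst_rw makes analyst_rw an ancestor.
-- Seen from analyst_rw this is "Grant Role"; seen from analyst_ro it is "Grant to Role".
-- analyst_rw now inherits every privilege granted to analyst_ro.
GRANT ROLE analyst_ro TO ROLE analyst_rw;

-- Attach the small hierarchy to a system role so it is not left orphaned.
GRANT ROLE analyst_rw TO ROLE SYSADMIN;

-- "Grant to User": make the role available to a user.
GRANT ROLE analyst_ro TO USER jsmith;

-- Review the result from each direction.
SHOW GRANTS OF ROLE analyst_ro;  -- users and roles that analyst_ro has been granted to
SHOW GRANTS TO ROLE analyst_rw;  -- privileges and roles granted directly to analyst_rw
SHOW GRANTS ON ROLE analyst_ro;  -- privileges held on the role object itself (e.g. OWNERSHIP)

-- Removing an edge from the hierarchy also removes the inherited privileges.
REVOKE ROLE analyst_ro FROM ROLE analyst_rw;
```

SHOW GRANTS TO ROLE lists only direct grants; a child role appears there as a USAGE grant on the role, and its privileges are inherited through that edge.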

Modifying Role Properties

Navigation:

Account » Roles » Table view.

  1. Click the actions button in the row for a role » Edit. The Edit Role dialog opens.

  2. Edit any of the properties. For descriptions of the properties, see Creating Roles (in this topic).

Dropping Roles

Navigation:

Account » Roles » Table view.

  1. Click the actions button in the row for a role » Drop. The Drop Role dialog opens.

  2. Confirm the action.

Managing Access Control on Roles

Navigation:

Account » Roles » Table view.

  1. Navigate to the role you want to grant privileges on.

  2. Scroll to the Privileges area of the page. The Privileges area lists the privilege grants by role. To group the list by privilege, choose this option from the menu at the top of the Privileges area.

    When the listing of privilege grants is grouped by privilege, the Inherited privileges symbol beside a role indicates that the privilege was inherited from a child role in a role hierarchy. Hover your pointer over the role to view the child role from which the privilege was inherited.

    Administrators of roles can perform either of the following actions to manage the privileges granted on roles:

    Either action requires one of the following roles:

    • The owner of a role (e.g. the role with the OWNERSHIP privilege on the role).

    • A role with the global MANAGE GRANTS privilege.

Users

Navigation:

Account » Users

The Users page enables administrators to create and manage users in your Snowflake account.

Exploring Users

In the table of users on the page, click on the name of a user. The user details page opens.

Creating Users

  1. Click the Create » User dropdown in the top-right corner of the page. The New User dialog opens.

  2. Specify the following properties:

    Property

    Description

    User Name

    Identifier for the user; must be unique for your account.

    The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object").

    Identifiers enclosed in double quotes are also case-sensitive.

    For more details, see Identifier Requirements.

    Note that the user does not use this value to log into Snowflake; instead, the user uses the value specified for the LOGIN_NAME property to log in. However, if no login name is explicitly specified for the user, the user name/identifier serves as the default login name.

    Email

    Email address for the user.

    An email address is not required to use Snowflake; however, to access the Snowflake Community to open support tickets or contribute to the community forums, a valid email address must be specified for the user.

    Password

    The password for the user. If no password is specified, the user cannot log into Snowflake until a password has been explicitly specified for them.

    For more information about passwords in Snowflake, see Snowflake Password Policy.

    Comment (optional)

    Comment for the user.

  3. Click the Advanced User Options show/hide control to display the following additional fields:

    Property

    Description

    Login Name

    Name that the user enters to log into the system. Login names for users must be unique across your entire account.

    A login name can be any string, including spaces and non-alphanumeric characters, such as exclamation points (!), percent signs (%), and asterisks (*); however, if the string contains spaces or non-alphanumeric characters, it must be enclosed in single or double quotes. Login names are always case-insensitive.

    Snowflake allows specifying different user and login names to enable using common identifiers (e.g. email addresses) for login.

    If no value is specified, the value specified for User Name is used as the login name.

    Display Name

    Name displayed for the user in the Snowflake web interface.

    If no value is specified, the value specified for User Name is used as the login name.

    First Name, Last Name

    First and last name of the user.

    Default Role

    The role that is active by default for the user’s session upon login.

    Note that specifying a default role for a user does not grant the role to the user. The role must be granted explicitly to the user using the GRANT ROLE command. In addition, the CREATE USER operation does not verify that the role exists.

    Default Warehouse

    The virtual warehouse that is active by default for the user’s session upon login.

    Default Namespace

    The namespace (database only or database and schema) that is active by default for the user’s session upon login:

    To specify a database only, enter the database name.

    To specify a schema, enter the fully-qualified schema name in the form of db_name.schema_name.

  4. Click the Create User button. The new user is created.
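
The same user created in SQL, followed by a check for the default-role caveat described above, as an added example that is not part of the original page. All object names and the password placeholder are hypothetical; the audit query assumes your role can read the SNOWFLAKE.ACCOUNT_USAGE views, which lag behind live state.

```sql
-- Added example: user, role, warehouse and database names are hypothetical.
USE ROLE SECURITYADMIN;

CREATE USER jsmith
  LOGIN_NAME        = 'jsmith@example.com'   -- what the user types at login
  DISPLAY_NAME      = 'Jane Smith'
  FIRST_NAME        = 'Jane'
  LAST_NAME         = 'Smith'
  EMAIL             = 'jsmith@example.com'
  PASSWORD          = '<initial-password-placeholder>'
  MUST_CHANGE_PASSWORD = TRUE                -- force a change at first login
  DEFAULT_ROLE      = analyst_ro
  DEFAULT_WAREHOUSE = reporting_wh
  DEFAULT_NAMESPACE = analytics.reporting    -- db_name.schema_name
  COMMENT           = 'Reporting analyst';

-- DEFAULT_ROLE does not grant the role, and CREATE USER does not check that
-- the role exists. The grant must be issued explicitly:
GRANT ROLE analyst_ro TO USER jsmith;

SHOW GRANTS TO USER jsmith;  -- roles granted directly to the user

-- Audit: users whose default role has never been granted to them.
-- PUBLIC is excluded because every user holds it implicitly.
SELECT u.name, u.login_name, u.default_role
FROM snowflake.account_usage.users u
LEFT JOIN snowflake.account_usage.grants_to_users g
       ON g.grantee_name = u.name
      AND g.role         = u.default_role
      AND g.deleted_on IS NULL
WHERE u.deleted_on IS NULL
  AND u.default_role IS NOT NULL
  AND u.default_role <> 'PUBLIC'
  AND g.role IS NULL
ORDER BY u.name;
```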

Modifying User Properties

  1. Click the actions button in the row for a user » Edit. The Edit User dialog opens.

  2. Edit any of the properties. For descriptions of the properties, see Creating Users (in this topic).

Dropping Users

  1. Click the actions button in the row for a user » Drop. The Drop User dialog opens.

  2. Confirm the action.

Managing Access Control on Users

  1. Navigate to a user you manage.

  2. Scroll to the Privileges area of the page. The Privileges area lists the privilege grants by role. To group the list by privilege, choose this option from the menu at the top of the Privileges area.

    When the listing of privilege grants is grouped by privilege, the Inherited privileges symbol beside a role indicates that the privilege was inherited from a child role in a role hierarchy. Hover your pointer over the role to view the child role from which the privilege was inherited.

    Administrators of users can perform either of the following actions to manage the privileges granted on users:

    Either action requires one of the following roles:

    • The owner of a user (e.g. the role with the OWNERSHIP privilege on the user).

    • A role with the global MANAGE GRANTS privilege.

Granting Privileges on Users to Other Roles

To grant privileges on users:

  1. From the Privileges area on the details page for a user, click the + Privileges button. The Grant new privileges dialog opens.

  2. Select a role from the dropdown menu.

  3. Select a privilege from the dropdown menu. The dialog displays the privilege below the dropdown menus. To give the selected role the ability to grant the privilege to other roles, click the Grant option box.

  4. Repeat the previous step for any additional privileges you want to grant to the same role.

  5. Click the Grant Privileges button. The dialog closes. The privileges you selected are added to the role.

Revoking Privileges on Users From Other Roles

To revoke privileges on users:

  1. From the Privileges area on the details page for a user, click on the row for a role. The Edit privileges for <role_name> dialog opens. The dialog lists the privileges currently granted on the user to the selected role.

  2. Click the X button to the right of a privilege. The privilege is removed from the dialog.

  3. Repeat the previous step for any additional privileges you want to revoke from the same role.

  4. Click the Update Privileges button. The dialog closes. The privileges you removed are revoked from the role.
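
The grant and revoke procedures above expressed in SQL, including the effect of the Grant option box, as an added example that is not part of the original page. The user jsmith and the roles helpdesk and helpdesk_lead are hypothetical and assumed to exist.

```sql
-- Added example: user and role names are hypothetical.
-- Run as the owner of the user or as a role with MANAGE GRANTS.
USE ROLE SECURITYADMIN;

-- Plain grant: helpdesk can use the privilege but cannot pass it on.
GRANT MONITOR ON USER jsmith TO ROLE helpdesk;

-- Grant option box ticked: helpdesk_lead can re-grant MONITOR on this user
-- to other roles, so treat it as delegated administration.
GRANT MONITOR ON USER jsmith TO ROLE helpdesk_lead WITH GRANT OPTION;

-- The grant_option column in the output shows which grantees can re-grant.
SHOW GRANTS ON USER jsmith;

-- Remove only the ability to re-grant; the privilege itself stays.
REVOKE GRANT OPTION FOR MONITOR ON USER jsmith FROM ROLE helpdesk_lead;

-- Remove the privilege. CASCADE also revokes grants that helpdesk_lead made
-- to other roles while it held the grant option; RESTRICT fails instead
-- if such dependent grants exist.
REVOKE MONITOR ON USER jsmith FROM ROLE helpdesk_lead CASCADE;
REVOKE MONITOR ON USER jsmith FROM ROLE helpdesk;
```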

Network Policies

Navigation:

Account » Security » Policies

The Policies page provides controls for administrators to create and manage network policies in your Snowflake account.

Network policies enable restricting access to your account based on user IP address. A network policy is composed of an IP allowed list and, optionally, an IP blocked list. Only a single network policy can be activated at the account level at a time to filter traffic to your Snowflake account.

For instructions on creating and managing network policies at the account level, see Network Policies.
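
An account-level network policy with both lists, as an added example that is not part of the original page. The policy name is hypothetical and the addresses come from the 192.0.2.0/24 documentation range, so substitute your own egress ranges.

```sql
-- Added example: policy name and IP ranges are constructed placeholders.
USE ROLE SECURITYADMIN;

-- Allow one corporate range, but carve out a single host inside it.
-- When both lists are present, the blocked list is applied first.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('192.0.2.0/24')
  BLOCKED_IP_LIST = ('192.0.2.99')
  COMMENT = 'Restrict logins to corporate egress addresses';

-- Inspect before activating.
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY corp_egress_only;

-- Activate for the whole account. Setting a different policy later
-- replaces this one, since only one can be active at the account level.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- Confirm which policy is currently in force.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

-- Modify the lists in place, for example after an office move.
ALTER NETWORK POLICY corp_egress_only
  SET ALLOWED_IP_LIST = ('192.0.2.0/24', '198.51.100.0/24');

-- Deactivate, then drop.
ALTER ACCOUNT UNSET NETWORK_POLICY;
DROP NETWORK POLICY corp_egress_only;
```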

Sessions

Navigation:

Account » Security » Sessions

View a table of all open sessions, including the session ID, start time, Snowflake client, and authentication method for each open session.