CREATE USER¶
Creates a new user or replaces an existing user in the system. For more details, see User management.
Note
Only user administrators (i.e. users with the USERADMIN role or higher), or another role with the CREATE USER privilege on the account, can create users.
- See also:
Syntax¶
CREATE [ OR REPLACE ] USER [ IF NOT EXISTS ] <name>
[ objectProperties ]
[ objectParams ]
[ sessionParams ]
[ [ WITH ] TAG ( <tag_name> = '<tag_value>' [ , <tag_name> = '<tag_value>' , ... ] ) ]
Where:
objectProperties ::= PASSWORD = '<string>' LOGIN_NAME = <string> DISPLAY_NAME = <string> FIRST_NAME = <string> MIDDLE_NAME = <string> LAST_NAME = <string> EMAIL = <string> MUST_CHANGE_PASSWORD = TRUE | FALSE DISABLED = TRUE | FALSE DAYS_TO_EXPIRY = <integer> MINS_TO_UNLOCK = <integer> DEFAULT_WAREHOUSE = <string> DEFAULT_NAMESPACE = <string> DEFAULT_ROLE = <string> DEFAULT_SECONDARY_ROLES = ( 'ALL' ) | () MINS_TO_BYPASS_MFA = <integer> RSA_PUBLIC_KEY = <string> RSA_PUBLIC_KEY_FP = <string> RSA_PUBLIC_KEY_2 = <string> RSA_PUBLIC_KEY_2_FP = <string> TYPE = PERSON | SERVICE | LEGACY_SERVICE | NULL COMMENT = '<string_literal>'objectParams ::= ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR = TRUE | FALSE NETWORK_POLICY = <string>sessionParams ::= ABORT_DETACHED_QUERY = TRUE | FALSE AUTOCOMMIT = TRUE | FALSE BINARY_INPUT_FORMAT = <string> BINARY_OUTPUT_FORMAT = <string> DATE_INPUT_FORMAT = <string> DATE_OUTPUT_FORMAT = <string> ERROR_ON_NONDETERMINISTIC_MERGE = TRUE | FALSE ERROR_ON_NONDETERMINISTIC_UPDATE = TRUE | FALSE JSON_INDENT = <num> LOCK_TIMEOUT = <num> QUERY_TAG = <string> ROWS_PER_RESULTSET = <num> SIMULATED_DATA_SHARING_CONSUMER = <string> STATEMENT_TIMEOUT_IN_SECONDS = <num> STRICT_JSON_OUTPUT = TRUE | FALSE TIMESTAMP_DAY_IS_ALWAYS_24H = TRUE | FALSE TIMESTAMP_INPUT_FORMAT = <string> TIMESTAMP_LTZ_OUTPUT_FORMAT = <string> TIMESTAMP_NTZ_OUTPUT_FORMAT = <string> TIMESTAMP_OUTPUT_FORMAT = <string> TIMESTAMP_TYPE_MAPPING = <string> TIMESTAMP_TZ_OUTPUT_FORMAT = <string> TIMEZONE = <string> TIME_INPUT_FORMAT = <string> TIME_OUTPUT_FORMAT = <string> TRANSACTION_DEFAULT_ISOLATION_LEVEL = <string> TWO_DIGIT_CENTURY_START = <num> UNSUPPORTED_DDL_ACTION = <string> USE_CACHED_RESULT = TRUE | FALSE WEEK_OF_YEAR_POLICY = <num> WEEK_START = <num>
Note
For readability, the complete list of session parameters that can be set for a user is not included here. For a complete list of all session parameters, with their descriptions, as well as account and object parameters, see Parameters.
Required parameters¶
name
Identifier for the user; must be unique for your account.
The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g.
"My object"
). Identifiers enclosed in double quotes are also case-sensitive.For more details, see Identifier requirements.
Note
The user does not use this value to log into Snowflake; instead, the user uses the value specified for the LOGIN_NAME
property to log in. However, if no login name is explicitly specified for the user, the user name/identifier serves as the default
login name.
Optional object properties (objectProperties
)¶
PASSWORD = 'string'
The password for the user must be enclosed in single or double quotes. If no password is specified, the user cannot log into Snowflake until a password has been explicitly specified for them.
If the password uses the backslash (i.e.
\
) character, escape the character with a backslash or use double dollar sign (i.e.$$
) delimiters when specifying the password in a SQL command. For details, refer to String & binary data types.For more information about passwords in Snowflake, refer to Password policies.
Default:
NULL
LOGIN_NAME = string
Name that the user enters to log into the system. Login names for users must be unique across your entire account.
A login name can be any string, including spaces and non-alphanumeric characters, such as exclamation points (
!
), percent signs (%
), and asterisks (*
); however, if the string contains spaces or non-alphanumeric characters, it must be enclosed in single or double quotes. Login names are always case-insensitive.Snowflake allows specifying different user and login names to enable using common identifiers (e.g. email addresses) for login.
Default: User’s name/identifier (i.e. if no value is specified, the value specified for
name
is used as the login name)DISPLAY_NAME = string
Name displayed for the user in the Snowflake web interface.
Default: User’s name/identifier (i.e. if no value is specified, the value specified for
name
is used as the display name)FIRST_NAME = string
, .MIDDLE_NAME = string
, .LAST_NAME = string
First, middle, and last name of the user.
Default:
NULL
EMAIL = string
Email address for the user.
An email address is not required to use Snowflake; however, to access the Snowflake Community to open support tickets or contribute to the community forums, a valid email address must be specified for the user.
We recommend specifying a business email address rather than a personal email address. User email addresses are visible to all other users in your Snowflake account.
Default:
NULL
MUST_CHANGE_PASSWORD = TRUE | FALSE
Specifies whether the user is forced to change their password on next login (including their first/initial login) into the system.
Default:
FALSE
DISABLED = TRUE | FALSE
Specifies whether the user is disabled, which prevents the following actions:
For a new user, the user is locked out of Snowflake and cannot log in.
For an existing user, setting the property aborts all their currently-running queries and does not allow the user to issue any new queries; the user is also immediately locked out of Snowflake and cannot log back in.
Default:
FALSE
DAYS_TO_EXPIRY = integer
Specifies the number of days after which the user status is set to “Expired” and the user is no longer allowed to log in. This is useful for defining temporary users (i.e. users who should only have access to Snowflake for a limited time period). In general, you should not set this property for account administrators (i.e. users with the ACCOUNTADMIN role) because Snowflake locks them out when they become “Expired”.
Once set, the value counts down to
0
, but doesn’t stop. A negative value indicates the status for the user is “Expired”. To reset the value, use ALTER USER to set the following values:To re-enable the user as a temporary user, set the value to a value greater than
0
.To specify the user as a permanent user, set the value to
NULL
or0
.
Default:
NULL
MINS_TO_UNLOCK = integer
Specifies the number of minutes until the temporary lock on the user login is cleared. To protect against unauthorized user login, Snowflake places a temporary lock on a user after five consecutive unsuccessful login attempts:
A positive value indicates the status for the user is “Locked”.
Once the value counts down to
0
(or a negative value), the lock is cleared and the user is allowed to log in again.When the user successfully logs into Snowflake, the value resets to
NULL
.
When creating a user, this property can be set to prevent them from logging in until the specified amount of time passes.
To remove a lock immediately for a user, use ALTER USER and specify a value of
0
for this parameter.Default:
NULL
DEFAULT_WAREHOUSE = string
Specifies the virtual warehouse that is active by default for the user’s session upon login.
A user can specify or change their current default virtual warehouse using ALTER USER. In addition, after starting a session (i.e. logging in), a user can change the virtual warehouse for the session using USE WAREHOUSE.
Note that the CREATE USER operation does not verify that the warehouse exists.
Default:
NULL
DEFAULT_NAMESPACE = string
Specifies the namespace (database only or database and schema) that is active by default for the user’s session upon login:
To specify a database only, enter the database name.
To specify a schema, enter the fully-qualified schema name in the form of
db_name.schema_name
.
A user can specify or change their current default namespace using ALTER USER. In addition, after starting a session (i.e. logging in), a user can change the namespace for their session using USE DATABASE or USE SCHEMA.
Note that the CREATE USER operation does not verify that the namespace exists.
Default:
NULL
DEFAULT_ROLE = string
Specifies the primary role that is active by default for the user’s session upon login. The primary role is a single role that authorizes the execution of CREATE <object> statements or any other SQL action. The permissions to perform these actions can be granted to the primary role or any lower role in the role hierarchy.
Note that specifying a default role for a user does not grant the role to the user. The role must be granted explicitly to the user using the GRANT ROLE command. In addition, the CREATE USER operation does not verify that the role exists.
A user can specify or change their current default role using ALTER USER. In addition, after starting a session (i.e. logging in), a user can change the role for the session using USE ROLE. In either case, they can only choose from roles that have been explicitly granted to them.
Default:
NULL
DEFAULT_SECONDARY_ROLES = ( 'ALL' ) | ()
Specifies the set of secondary roles that are active for the user’s session upon login. Secondary roles are a set of roles that authorize any SQL action other than the execution of CREATE <object> statements. The permissions to perform these actions can be granted to the primary role, secondary roles, or any lower roles in the role hierarchies.
Note that specifying a default secondary role for a user does not grant the role to the user. The role must also be granted explicitly to the user using the GRANT ROLE command.
The following values are supported:
('ALL')
All roles that have been granted to the user.
Note that the set of roles is reevaluated when each SQL statement executes. If additional roles are granted to the user, and that user executes a new SQL statement, the newly granted roles are active secondary roles for the new SQL statement. The same logic applies to roles that are revoked from a user.
()
No roles.
Default:
NULL
MINS_TO_BYPASS_MFA = integer
Specifies the number of minutes to temporarily bypass MFA for the user.
This property can be used to allow a MFA-enrolled user to temporarily bypass MFA during login in the event that their MFA device is not available.
RSA_PUBLIC_KEY = string
Specifies the user’s RSA public key; used for key pair authentication.
RSA_PUBLIC_KEY_FP = string
Specifies the fingerprint of the user’s RSA public key; used for key pair authentication.
RSA_PUBLIC_KEY_2 = string
Specifies the user’s second RSA public key; used to rotate the public and private keys for key pair authentication based on an expiration schedule set by your organization.
RSA_PUBLIC_KEY_2_FP = string
Specifies the fingerprint of the user’s second RSA public key; used to rotate the public and private keys for key pair authentication based on an expiration schedule set by your organization.
TYPE = PERSON | SERVICE | LEGACY_SERVICE | NULL
Specifies the type of user. You can set this property to differentiate between human, service, and legacy service users.
Default:
NULL
- PERSON:
Users do not have restrictions when the
TYPE
property is set toPERSON
,NULL
, or whenTYPE
is unset.- NULL:
See PERSON.
- SERVICE:
To improve the security posture of non-interactive use cases, users with the
TYPE
property set toSERVICE
have the following characteristics:They cannot log in using a password.
They cannot log in using SAML SSO.
They cannot enroll in MFA.
They are not subject to authentication policy MFA enforcement.
They cannot have the following properties:
FIRST_NAME
MIDDLE_NAME
LAST_NAME
PASSWORD
MUST_CHANGE_PASSWORD
MINS_TO_BYPASS_MFA
The following commands cannot be used:
ALTER USER RESET PASSWORD
ALTER USER SET
DISABLE_MFA = TRUE
If a user has their
TYPE
property set toSERVICE
using the ALTER USER command, then the incompatible properties remain stored, but are not returned in user views returned by commands such as DESCRIBE USER. The incompatible properties cannot be set using the ALTER USER command.If a user, with their
TYPE
property set toSERVICE
, is changed to a user with theirTYPE
property set toPERSON
orNULL
, the incompatible properties are restored and can be changed, including theirPASSWORD
property.- LEGACY_SERVICE:
A user with their
TYPE
property set toLEGACY_SERVICE
represents a non-interactive integration.LEGACY_SERVICE
users let services or applications that cannot easily use more secure authentication methods authenticate using password or SAML authentication.LEGACY_SERVICE
users have the following characteristics:They can log in using password or SAML authentication, unlike
SERVICE:
users.They do not have the properties of a
SERVICE
user, but have thePASSWORD
andMUST_CHANGE_PASSWORD
properties available.They have the command restrictions of a
SERVICE
user, but can use the ALTER USER RESET PASSWORD command.They are not affected by authentication policy multi-factor authentication (MFA) enforcement. This property lets administrators set account-level authentication policies that require MFA for password authentication without needing to set a user-level authentication policy to prevent
LEGACY_SERVICE
users from requiring MFA for password authentication.
COMMENT = 'string_literal'
Specifies a comment for the user.
Default:
NULL
Optional object parameters (objectParams
)¶
ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR = { TRUE | FALSE }
Controls how queries that fail due to syntax or parsing errors show up in a query history. If FALSE, the contents of a failed query is redacted from the views, pages, and functions that provide a query history.
This parameter controls behavior for the user viewing the query history, not the user who executed the query.
Only users with a role that is granted or inherits the AUDIT privilege can set the ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR parameter.
NETWORK_POLICY = string
Specifies an existing network policy is active for the user. The network policy restricts the list of user IP addresses when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token.
If this parameter is not set, the network policy for the account (if any) is used instead.
Optional session parameters (sessionParams
)¶
Specifies one (or more) session parameter defaults to set for the user (separated by blank spaces, commas, or new lines). These defaults are set each time the user logs into Snowflake and initiates session. The user can always change these defaults themselves within the session using ALTER SESSION.
For the complete list of session parameters, including their default values, that can be specified for a user, see Parameters.
Optional parameters¶
TAG ( tag_name = 'tag_value' [ , tag_name = 'tag_value' , ... ] )
Specifies the tag name and the tag string value.
The tag value is always a string, and the maximum number of characters for the tag value is 256.
For information about specifying tags in a statement, see Tag quotas for objects and columns.
Access control requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
---|---|---|
CREATE USER |
Account |
Only the USERADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes¶
Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
CREATE OR REPLACE <object> statements are atomic. That is, when an object is replaced, the old object is deleted and the new object is created in a single transaction.
Examples¶
Create a user with all default properties, a default role, and a basic password that must be changed by the user after their first login:
CREATE USER user1 PASSWORD='abc123' DEFAULT_ROLE = myrole DEFAULT_SECONDARY_ROLES = ('ALL') MUST_CHANGE_PASSWORD = TRUE;