Snowflake provides several system-defined roles that form the foundation of access control within an account. These roles are created automatically and cannot be deleted. Understanding them is essential for the SnowPro Core Certification.
**ACCOUNTADMIN** is the most powerful role, combining the capabilities of SYSADMIN and SECURITYADMIN. It has full control over all objects and users in the account. This role should be assigned sparingly and used carefully, as it can manage billing, resource monitors, and account-level parameters. Best practice recommends enabling multi-factor authentication for users with this role.
**SYSADMIN** (System Administrator) is designed for creating and managing objects like warehouses, databases, schemas, and other database objects. It can grant privileges on objects it owns to other roles. SYSADMIN should be the parent role for all custom roles that own objects, ensuring proper hierarchy management.
**SECURITYADMIN** manages security aspects including users, roles, and grants. It owns the built-in USERADMIN role and can manage any grant in the account through its MANAGE GRANTS privilege. This role focuses on access control rather than object management.
**USERADMIN** is specifically for user and role management. It can create users and roles but has limited privileges compared to SECURITYADMIN. It possesses the CREATE USER and CREATE ROLE privileges.
**PUBLIC** is a special role automatically granted to every user and role in the account. Objects granted to PUBLIC become accessible to all users. Use this role cautiously when sharing access broadly.
**ORGADMIN** manages operations across an organization, including creating accounts, viewing usage across accounts, and enabling replication.
The recommended role hierarchy has ACCOUNTADMIN at the top, with SECURITYADMIN and SYSADMIN beneath it. USERADMIN falls under SECURITYADMIN, and custom roles should be granted to SYSADMIN to maintain proper access control structure.
System-Defined Roles in Snowflake: ACCOUNTADMIN, SYSADMIN, SECURITYADMIN & More
Why System-Defined Roles Matter
System-defined roles are fundamental to Snowflake's security model. Understanding these roles is crucial for the SnowPro Core exam because they form the backbone of access control and privilege management in Snowflake. Questions about these roles appear frequently and test your knowledge of role hierarchies, responsibilities, and best practices.
What Are System-Defined Roles?
Snowflake provides five pre-configured system-defined roles that cannot be dropped or renamed:
1. ACCOUNTADMIN
   - The most powerful role in Snowflake
   - Combines privileges of SYSADMIN and SECURITYADMIN
   - Can manage billing, resource monitors, and account-level parameters
   - Should be granted to a limited number of users
   - Requires multi-factor authentication (MFA) as a best practice
2. SECURITYADMIN
   - Manages security aspects of the account
   - Can create, modify, and drop users and roles
   - Has the MANAGE GRANTS privilege (can grant/revoke privileges on any object)
   - Cannot create warehouses or databases
3. SYSADMIN
   - Creates and manages objects (warehouses, databases, schemas)
   - Recommended role for creating all custom roles
   - All custom roles should be granted to SYSADMIN to maintain hierarchy
   - Cannot manage users or other roles
4. USERADMIN
   - Dedicated to user and role management
   - Can create users and roles
   - Has the CREATE USER and CREATE ROLE privileges
   - Cannot grant privileges on objects
5. PUBLIC
   - Automatically granted to every user and role
   - Lowest level of privileges
   - Any privilege granted to PUBLIC is available to all users
   - Cannot be revoked from users
Roles higher in the hierarchy inherit all privileges from roles below them.
Key Concepts to Remember
- Principle of Least Privilege: Always use the lowest-level role that can perform the required task
- ACCOUNTADMIN should not be used for daily tasks
- Custom roles should be granted to SYSADMIN to ensure proper hierarchy management
- SECURITYADMIN can manage grants on ANY object through the MANAGE GRANTS privilege
- Object ownership defaults to the role that created the object
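The recommended hierarchy and least-privilege concepts above (and in the role summaries at the top of the page) as a worked Snowflake SQL script. This is an added example, not from the original page or Snowflake's documentation; the role name analyst_role, warehouse analytics_wh, database sales_db and user jdoe are constructed placeholders. Each step is run as the most restrictive system-defined role that can perform it, and ACCOUNTADMIN is never needed.

```sql
-- Step 1: USERADMIN holds CREATE ROLE, so it creates the custom role and becomes its owner.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS analyst_role
  COMMENT = 'Read-only access to sales_db (constructed example role)';

-- Step 2: SYSADMIN creates the objects, so SYSADMIN owns them and can grant privileges on them.
USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS analytics_wh
  WITH WAREHOUSE_SIZE = 'XSMALL' AUTO_SUSPEND = 60 AUTO_RESUME = TRUE;
CREATE DATABASE IF NOT EXISTS sales_db;

-- Step 3: least privilege: grant only what the analyst needs (USAGE and SELECT),
-- never OWNERSHIP or ALL PRIVILEGES, and never to PUBLIC.
GRANT USAGE  ON WAREHOUSE analytics_wh            TO ROLE analyst_role;
GRANT USAGE  ON DATABASE  sales_db                TO ROLE analyst_role;
GRANT USAGE  ON SCHEMA    sales_db.public         TO ROLE analyst_role;
GRANT SELECT ON ALL TABLES    IN SCHEMA sales_db.public TO ROLE analyst_role;
GRANT SELECT ON FUTURE TABLES IN SCHEMA sales_db.public TO ROLE analyst_role;

-- Step 4: close the hierarchy. Only the role's owner (USERADMIN) or a role with
-- MANAGE GRANTS (SECURITYADMIN) may grant analyst_role to another role or to a user.
-- Granting it to SYSADMIN means SYSADMIN, and ACCOUNTADMIN above it, inherit
-- everything analyst_role can do, so no custom role ends up outside the tree.
USE ROLE USERADMIN;
GRANT ROLE analyst_role TO ROLE SYSADMIN;
GRANT ROLE analyst_role TO USER jdoe;

-- Audit: what analyst_role can do, and which roles/users hold it.
SHOW GRANTS TO ROLE analyst_role;
SHOW GRANTS OF ROLE analyst_role;

-- Audit: anything granted to PUBLIC is effectively granted to every user in the
-- account, so this list should be empty or contain only deliberately shared objects.
SHOW GRANTS TO ROLE PUBLIC;
```

If the SHOW GRANTS TO ROLE PUBLIC output lists an unexpected object, revoke the grant from PUBLIC and re-grant it to the specific custom role that needs it.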
Exam Tips: Answering Questions on System-Defined Roles
Tip 1: When asked which role should perform a task, always choose the most restrictive role that can accomplish it. Avoid selecting ACCOUNTADMIN unless the question specifically involves billing, resource monitors, or account parameters.
Tip 2: Remember the separation of duties: SYSADMIN handles objects, SECURITYADMIN handles users/roles/grants, ACCOUNTADMIN handles account-level settings.
Tip 3: If a question mentions creating warehouses or databases, SYSADMIN or ACCOUNTADMIN are the correct answers, not SECURITYADMIN or USERADMIN.
Tip 4: Questions about granting privileges across the account typically point to SECURITYADMIN due to the MANAGE GRANTS privilege.
Tip 5: PUBLIC role questions often test whether you understand that privileges granted to PUBLIC affect all users in the account.
Tip 6: Best practice questions about ACCOUNTADMIN usually involve MFA requirements, limiting access, and avoiding use for routine operations.
Tip 7: Watch for questions about role hierarchy - remember that privileges flow upward through granted relationships.