Jeyjee

Reputation: 135

Snowflake System Roles - USERADMIN vs SECURITYADMIN

Looking for inputs on when to leverage USERADMIN vs SECURITYADMIN. As per the documentation, SECURITYADMIN inherits the privileges of USERADMIN.

What is the right approach to leveraging these two roles for user, role and grants management? I am using them as below.

USERADMIN - Used for the following

SECURITYADMIN - Used for the following

The question is, who should be performing the following? Is it USERADMIN or SECURITYADMIN? If both of these roles can technically perform them, is there any standard guidance on this?

Thank you.

Upvotes: 2

Views: 3481

Answers (1)

Felipe Hoffa

Reputation: 59235

The USERADMIN role didn't exist before April 2020, as this new role was introduced as an improvement to enable accounts to separate the management of users and roles from the SECURITYADMIN role - if desired.

You can use either system role to GRANT ROLE. The best practice should be determined by your own security policy.

Because the USERADMIN role is assigned to the SECURITYADMIN role, users with the SECURITYADMIN role can still administer users and roles. However, companies can now assign the USERADMIN role to separate the management of users and roles from the management of all grants.

Use of the USERADMIN role to separate these duties is optional. The decision to use the USERADMIN role is driven entirely by the security model implemented for your account.

My own recommendation: Since USERADMIN can GRANT ROLE, and USERADMIN is the more restricted role — then choose to use USERADMIN when granting roles.

Upvotes: 7
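The separation of duties described in the answer above, as an added example that is not part of the original answer or of Snowflake's documentation: USERADMIN handles users, roles and role grants, while SECURITYADMIN is used only for object grants, with SHOW GRANTS queries to review the result. The names `analyst_ro`, `jdoe` and `sales_db` are hypothetical, and the password is a placeholder.

```sql
-- Added example. analyst_ro, jdoe and sales_db are hypothetical names.

-- 1. Identity management under the more restricted role.
--    USERADMIN holds CREATE USER and CREATE ROLE.
USE ROLE USERADMIN;

CREATE ROLE IF NOT EXISTS analyst_ro
  COMMENT = 'Read-only access to sales data';

CREATE USER IF NOT EXISTS jdoe
  PASSWORD = '<placeholder-initial-password>'
  MUST_CHANGE_PASSWORD = TRUE
  DEFAULT_ROLE = analyst_ro;  -- sets the default only; it does not grant the role

-- USERADMIN created analyst_ro and therefore owns it, so it can grant it.
GRANT ROLE analyst_ro TO USER jdoe;

-- Attach the custom role to the role hierarchy so SYSADMIN inherits it.
GRANT ROLE analyst_ro TO ROLE SYSADMIN;

-- 2. Object privileges under SECURITYADMIN, which holds MANAGE GRANTS.
--    Run as USERADMIN, these statements fail with an insufficient-privileges
--    error, because USERADMIN neither owns sales_db nor holds MANAGE GRANTS.
USE ROLE SECURITYADMIN;

GRANT USAGE ON DATABASE sales_db TO ROLE analyst_ro;
GRANT USAGE ON SCHEMA sales_db.public TO ROLE analyst_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA sales_db.public TO ROLE analyst_ro;

-- 3. Review: what each system role holds and who can assume it.
SHOW GRANTS TO ROLE USERADMIN;      -- expect CREATE USER and CREATE ROLE
SHOW GRANTS OF ROLE SECURITYADMIN;  -- users and roles that hold SECURITYADMIN
SHOW GRANTS TO ROLE analyst_ro;     -- object privileges granted in step 2
SHOW GRANTS TO USER jdoe;           -- roles granted in step 1
```

Keeping the list returned by `SHOW GRANTS OF ROLE SECURITYADMIN` short is what makes the split meaningful: day-to-day user onboarding then never needs a session with MANAGE GRANTS.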
