Chris

Reputation: 195

Can you configure a Snowflake Security Integration with Tableau to only allow specific roles?

I am looking at these examples in the Snowflake documentation for creating OAuth integration with Tableau. I have noticed that there is a parameter called BLOCKED_ROLES_LIST which allows you to list specific roles which should not be able to use the integration.

Is there an equivalent parameter that I can use to list the allowed roles instead? Hypothetically, if we have 100 roles and only want to allow this integration for 1 of them, it seems overly cumbersome to have to list all 99 that we want to block, instead of the 1 to allow?

I have looked through the parameters in the documentation and cannot see a parameter to support this. There is a parameter called PRE_AUTHORIZED_ROLES_LIST; however, this is supported for confidential clients only and appears to skip the authorisation entirely.

Upvotes: 1

Views: 352

Answers (1)

Felipe Hoffa

Reputation: 59305

I couldn't find an easy way to accomplish this.

The best I can recommend in the meantime is setting up an audit process that could constantly monitor the usage of the Tableau integration in Snowflake - and then trigger the automatic revoking of the privilege.

The basic element in this process is the ability to list the delegated authorizations:

SHOW DELEGATED AUTHORIZATIONS
TO SECURITY INTEGRATION td_oauth_int1;

Then to immediately revoke access (unless from the one role allowed):

ALTER USER fhoffa REMOVE DELEGATED AUTHORIZATION
OF ROLE sysadmin
FROM SECURITY INTEGRATION td_oauth_int1;

Upvotes: 2
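
The audit step described in the answer above, sketched as an added example (not part of the original answer and not Snowflake's own code): it takes rows shaped like the output of `SHOW DELEGATED AUTHORIZATIONS` and returns the `ALTER USER ... REMOVE DELEGATED AUTHORIZATION` statements for every role outside an allow-list. It assumes the rows arrive as dictionaries keyed by the command's `user_name`, `role_name` and `integration_name` columns; the role `TABLEAU_READER` and the sample rows are constructed for illustration.

```python
"""Plan revocations for delegated authorizations outside an allow-list."""

# Column names assumed from the SHOW DELEGATED AUTHORIZATIONS output.
COL_USER, COL_ROLE, COL_INT = "user_name", "role_name", "integration_name"


def quote_ident(name: str) -> str:
    """Double-quote an identifier so unusual names cannot alter the SQL."""
    if not name or "\x00" in name:
        raise ValueError(f"unusable identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def plan_revocations(rows, integration, allowed_roles):
    """Return one ALTER USER statement per grant whose role is not allowed.

    Names are compared exactly as stored, so a quoted lower-case role
    "tableau_reader" is not treated as the allowed TABLEAU_READER (fail closed).
    """
    allowed = set(allowed_roles)
    statements = []
    for row in rows:
        if row[COL_INT] != integration:
            continue  # grant belongs to a different integration
        if row[COL_ROLE] in allowed:
            continue  # the one role permitted to use the integration
        statements.append(
            f"ALTER USER {quote_ident(row[COL_USER])} "
            f"REMOVE DELEGATED AUTHORIZATION OF ROLE {quote_ident(row[COL_ROLE])} "
            f"FROM SECURITY INTEGRATION {quote_ident(integration)};"
        )
    return statements


# Constructed sample rows, not real command output.
SAMPLE_ROWS = [
    {"user_name": "FHOFFA", "role_name": "SYSADMIN", "integration_name": "TD_OAUTH_INT1"},
    {"user_name": "CHRIS", "role_name": "TABLEAU_READER", "integration_name": "TD_OAUTH_INT1"},
    {"user_name": "EVE", "role_name": "tableau_reader", "integration_name": "TD_OAUTH_INT1"},
    {"user_name": "DANA", "role_name": "ANALYST", "integration_name": "OTHER_INT"},
]

if __name__ == "__main__":
    for stmt in plan_revocations(SAMPLE_ROWS, "TD_OAUTH_INT1", {"TABLEAU_READER"}):
        print(stmt)
```

Run on a schedule, the returned statements can be reviewed or executed by a role that is allowed to alter the affected users; logging each one gives the audit trail the answer calls for.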
