Reacher234
Reputation: 230
Snowflake data steward discovery based on role hierarchy
Snowflake follows the role-based access control (RBAC) paradigm. Best practice for RBAC is, to have functional and access roles managing either user and clients or access privileges. This creates in worst-case a variety of roles that inherits permissions from and to each other. By nature, one can easily lose sight.
In snowflake, grants to roles and users are stored in ACCESS_USAGE.GRANTS_TO_ROLES and ACCESS_USAGE.GRANTS_TO_USERS. What is a proper approach to identify the data stewards/owner of a role automatically (if not labeled explicitly in a 3rd party tooling)?
Options I thought of:
- recursive lookup of
OWNERSHIPprivileges of roles of roles (will generate a lot of false positives) - recursive discovery of a service account that has advanced permission to a role and lookup the service account owner
- lookup over usage pattern of executed queries (might be actually more consumers than producers)
Upvotes: 0
Views: 90
Answers (1)
NickW
Reputation: 9798
A couple of options:
- Populate the role’s comment field with the relevant Data Steward information
- Use Tags (in public preview)
Upvotes: 1
Related Questions
- Granular access control for shared databases in Snowflake
- Snowflake sharing to Data Consumer
- Find the stale roles in snowflake
- snowflake - query grants to role
- Snowflake role redesigning
- Snowflake Role based Access control hierarchy
- Snowflake role creation with minimum privileges
- Limitation of roles and users in snowflake
- Which Role has which tables access in Snowflake
- Snowflake user/role management