A New Snowflake Feature: Snowflake Organization Users: Simplify User Access to Various Snowflake Accounts Through Centralized Identity Management
tl;dr
Snowflake Organization Users enable the creation and management of users at the organization level, rather than for individual accounts. This means that a single user identity can be granted access to multiple Snowflake accounts within your organization.
This is most useful for granting administrator or engineering roles in each account without having to create a separate user in every account.
Key benefits include:
- Centralized user administration
- Simplified access management for users
- Streamlined onboarding/offboarding
- Consistent security posture across your Snowflake ecosystem
You’ll primarily use the GLOBALORGADMIN role and the SQL commands CREATE USER ... WITH IS_ORG_USER = TRUE, GRANT ROLE ... TO USER ... IN ORGANIZATION, and GRANT ROLE ... TO USER ... IN ACCOUNT to manage these users.
Requires Enterprise Edition or higher.
The Challenge: User Sprawl in a Growing Snowflake Ecosystem
As organizations embrace Snowflake more and more, it’s quite common to see many accounts popping up! You might find yourself with separate accounts for development, testing, and production, or even different business units or geographical regions having their own dedicated Snowflake instances. While this can be great for isolation and billing, it often makes user management a little tricky.
Picture this: you’re bringing a new data analyst on board who needs access to three different Snowflake accounts. Traditionally, this meant juggling three separate user accounts, each with its own credentials and role assignments, or configuring SSO separately for each account. When it comes time to offboard them, the process is just as challenging: administrators have to track down and disable each individual account. Not only does this add to the administrative workload, it also opens the door to security risks if accounts aren’t managed consistently. It just isn't very easy.
Enter Snowflake Organization Users
Snowflake Organization Users offer a wonderful solution to this challenge by introducing a way to manage users at the organization level. In Snowflake, an "organization" serves as a connection between multiple accounts. With Organization Users, you only need to define a user once at the organization level, and then you can easily grant that single identity access and specific roles within any of your linked accounts. It makes user management so much simpler!
Deep Dive: Concepts and Implementation
Let’s review the use of the Organization Users feature, a few key concepts, and the associated SQL commands.
Core Concepts:
- Organization : A collection of Snowflake accounts that are linked together via the Snowflake Organizations feature.
- GLOBALORGADMIN Role : The organization-level role used to manage Organization Users and other organization-level settings. It’s important to note that this role is distinct from account-level roles such as ACCOUNTADMIN.
USE ROLE GLOBALORGADMIN;
or, if ORGADMIN is still enabled,
USE ROLE ORGADMIN;
FYI: The ORGADMIN role is being phased out for multi-account organizations. Consider using the GLOBALORGADMIN role for organization-level tasks. Snowflake will notify customers at least three months before this change.
- Organization User : An organization-level user identity. This user doesn't “belong” to a specific account by default but can access accounts within the organization.
- Account-Level Roles : These are the known roles (SYSADMIN, SECURITYADMIN, and custom roles) that establish permissions in a specific Snowflake account.
Implementation with Example
Let’s walk through some common scenarios. For most of these operations, you'll need the GLOBALORGADMIN role (or ORGADMIN, where it is still enabled).
Creating an Organization User
You create an organization user using the standard CREATE USER command with the additional IS_ORG_USER = TRUE clause.
-- Creating a new Snowflake organization user
USE ROLE GLOBALORGADMIN;
CREATE USER org_user
  PASSWORD = 'ComplexSecurePassword1!'  -- Replace with a strong password or manage via IdP
  LOGIN_NAME = 'org_user'
  DISPLAY_NAME = 'Organization User'
  EMAIL = 'org.user@organization.com'
  MUST_CHANGE_PASSWORD = TRUE
  IS_ORG_USER = TRUE;  -- the clause that makes this an organization user
-- Verify the user was created at the organization level
SHOW USERS LIKE 'org_user' IN ORGANIZATION;
-- Verify the user is also visible from the current account (as GLOBALORGADMIN)
SHOW USERS LIKE 'org_user';
Creating an Organization User Group
You create an organization user group with the CREATE ORGANIZATION USER GROUP command.
CREATE ORGANIZATION USER GROUP archetypeorgadmin;
Unlinking Users and Groups
If you later decide not to keep a user or group linked to the organization, two system functions separate them:
- SYSTEM$UNLINK_ORGANIZATION_USER function unlinks the local user from the organization while preserving all user properties, enabling future local user management.
- SYSTEM$UNLINK_ORGANIZATION_USER_GROUP function unlinks a role from an organization user group while retaining all other role attributes.
Scenarios and Use Cases:
- Central IT/Security Team Managing All Users : A central team uses ORGADMIN to manage Snowflake users. Account-specific teams (ACCOUNTADMIN) grant these organization users the necessary roles within their accounts.
- Cross-Account Data Engineers : A data engineer requires access to development, staging, and production accounts. Create one organization user and grant appropriate roles in each account.
- Auditors Requiring Broad, Read-Only Access : An auditor can be granted read-only roles across multiple accounts for compliance checks.
- Simplified User Lifecycle Management : Create one org user when an employee joins, and disable/drop it when they leave.
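The cross-account engineer and lifecycle scenarios above, carried through as one added SQL example (not from the original post or Snowflake's documentation); the account names, role names and user details are constructed, and the IN ACCOUNT grant syntax is used exactly as the post's tl;dr states it.

```sql
-- Added example, not from the original post: onboarding one data engineer
-- as a single organization user, scoping access per account, and offboarding.
-- Assumptions: the accounts DEV_ACCT, STG_ACCT and PROD_ACCT and the
-- account-level roles DE_DEV, DE_STG and DE_PROD_READONLY are hypothetical.
USE ROLE GLOBALORGADMIN;

-- One identity, defined once at the organization level.
-- No PASSWORD is set here: credentials are expected to come from the
-- corporate IdP, as the Best Practices section recommends.
CREATE USER jane_doe_org
  LOGIN_NAME   = 'jane.doe@example.com'   -- constructed sample value
  DISPLAY_NAME = 'Jane Doe (org)'
  EMAIL        = 'jane.doe@example.com'   -- constructed sample value
  IS_ORG_USER  = TRUE;

-- Least privilege per account: full engineering roles in dev and staging,
-- read-only in production. Same identity, different blast radius per account.
GRANT ROLE DE_DEV           TO USER jane_doe_org IN ACCOUNT DEV_ACCT;
GRANT ROLE DE_STG           TO USER jane_doe_org IN ACCOUNT STG_ACCT;
GRANT ROLE DE_PROD_READONLY TO USER jane_doe_org IN ACCOUNT PROD_ACCT;

-- Confirm the identity exists at organization level and review its grants
-- before telling the engineer their access is live.
SHOW USERS LIKE 'jane_doe_org' IN ORGANIZATION;
SHOW GRANTS TO USER jane_doe_org;

-- Offboarding: disabling the single organization user cuts off the identity
-- everywhere it was granted, instead of chasing three separate accounts.
ALTER USER jane_doe_org SET DISABLED = TRUE;

-- After whatever retention period your policy requires, remove it entirely.
DROP USER jane_doe_org;
```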
Best Practices and Considerations
- Principle of Least Privilege : Even with centralized users, always grant the minimum necessary permissions within each account. Don’t give an organization user ACCOUNTADMIN in every account unless absolutely required.
- Role Design is Still Crucial : Organization Users simplify identity management, not authorization. A clear role-based access control (RBAC) strategy with granular account roles is still essential.
- Use ORGADMIN Sparingly : Limit ORGADMIN role usage to essential tasks. Consider dual control or approval processes for these actions.
- Naming Conventions : Use clear naming conventions for organization users (e.g., firstname.lastname.org or _org_ in the username) to distinguish them from account-specific users in a hybrid model.
- Auditing : Audit ORGADMIN activities and user access regularly. Snowflake’s QUERY_HISTORY and ACCESS_HISTORY views are invaluable but should be examined in the context of the organization or specific accounts.
- Integration with Identity Providers (IdP): Integrate Snowflake Organization Users with your corporate IdP (e.g., Okta, Azure AD) for SSO and centralized credential management, often configuring SCIM for user provisioning.
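For the auditing practice above, an added review query (not from the original post) that lists recent user-lifecycle and grant activity executed under the organization-admin roles; it assumes access to the SNOWFLAKE.ACCOUNT_USAGE share, and the seven-day window, QUERY_TYPE values and text filter are assumptions to adjust for your environment.

```sql
-- Added example, not from the original post: periodic review of what the
-- organization-admin roles have actually done. Run from a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE in the account where the admin statements ran.
-- Assumptions: the 7-day window and the QUERY_TYPE values are choices,
-- not something the post specifies.
SELECT
    start_time,
    user_name,
    role_name,
    query_type,
    LEFT(query_text, 200) AS query_snippet,   -- enough to see the statement, not the whole script
    execution_status                          -- failed attempts are worth a look too
FROM snowflake.account_usage.query_history
WHERE role_name IN ('GLOBALORGADMIN', 'ORGADMIN')
  AND start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND (
        -- user lifecycle and privilege changes
        query_type IN ('CREATE_USER', 'ALTER_USER', 'DROP_USER', 'GRANT', 'REVOKE')
        -- plus the organization-specific constructs this post introduces
     OR REGEXP_LIKE(query_text,
                    '.*(IS_ORG_USER|ORGANIZATION USER GROUP|IN ACCOUNT|UNLINK_ORGANIZATION_USER).*',
                    'is')
      )
ORDER BY start_time DESC;
```

Run it per account (or across accounts from the organization account, where that view is available to you), because a grant issued with IN ACCOUNT takes effect in the target account while the statement itself was executed elsewhere.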
Conclusion
Snowflake Organization Users are a wonderful way to simplify identity and access management in your multi-account Snowflake environments. By centralizing user creation and lifecycle management, you can significantly reduce administrative overhead, enhance security, and create a smoother user experience. This is useful for administrative or engineering roles, for example, even in the case of SSO integration.
It sets up a cleaner, more manageable foundation for your expanding data cloud. It does not remove the need to set up separate SAML/SSO integrations for each account, but there is still value to be gained.
My main criticism is that it still does not address how large organizations operate: there should be one SAML SSO integration that works once across the whole organization. This is a step in the right direction, but not really a complete one.