Goal: Avoid giving ACCOUNTADMIN to everyone and build clean role structures.
Why Role Hierarchy Matters
Snowflake RBAC is designed so privileges flow downward from higher-level roles to lower-level roles.
By creating a clear hierarchy, you:
- Reduce the risk of privilege overreach.
- Make it easier to audit and manage.
- Follow the principle of least privilege.
Recommended Role Hierarchy
ACCOUNTADMIN
↓
SECURITYADMIN
↓
SYSADMIN
↓
Custom Business Roles
- ACCOUNTADMIN – Full control, rarely used.
- SECURITYADMIN – Manages users and roles.
- SYSADMIN – Manages objects (databases, warehouses, etc.).
- Custom Business Roles – Specific access for departments or use cases.
🚀 Copy & Paste: Role Hierarchy Setup
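```sql
-- Create business roles
CREATE ROLE reporting;
CREATE ROLE data_engineering;

-- Assign privileges to roles
-- A role also needs USAGE on the parent database and schema
-- before privileges on the objects inside them take effect.
GRANT USAGE ON WAREHOUSE wh_analytics TO ROLE reporting;
GRANT USAGE ON DATABASE sales TO ROLE reporting;
GRANT USAGE ON SCHEMA sales.public TO ROLE reporting;
-- ALL TABLES covers the tables that exist when the grant runs
GRANT SELECT ON ALL TABLES IN SCHEMA sales.public TO ROLE reporting;

GRANT USAGE ON WAREHOUSE wh_etl TO ROLE data_engineering;
GRANT USAGE ON DATABASE raw TO ROLE data_engineering;
GRANT USAGE ON SCHEMA raw.public TO ROLE data_engineering;
GRANT CREATE TABLE ON SCHEMA raw.public TO ROLE data_engineering;

-- Link roles into the hierarchy
GRANT ROLE reporting TO ROLE sysadmin;
GRANT ROLE data_engineering TO ROLE sysadmin;
```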