Account Access & Security Flashcards
Role-based Access Control (RBAC)
an access control framework in which access privileges are assigned to roles, and roles in turn are assigned to users.
Discretionary Access Control (DAC)
Snowflake combines RBAC with Discretionary Access Control (DAC) in which each object has an owner, who can in turn grant access to that object.
What command shows the owning role of a securable object?
SHOW <object>
Owning Role
- Has all privileges on the object by default
- Can grant or revoke privileges on the object to other roles
- Can transfer ownership to another role
- Can share control of an object if the owning role is shared
What kinds of privileges can be granted to roles?
- Ability to create a Warehouse
- Ability to list tables contained in a schema
- Ability to add data to a table
What objects are securable?
Unless allowed by a grant, access to a securable object will be __________.
denied
Role
an entity to which privileges on securable objects can be granted or revoked
User
- Roles are assigned to users to give them the authorization to perform actions
- A user can have multiple roles and switch between them within a Snowflake session
- Roles can be granted to other roles creating a role hierarchy
- Privileges of child roles are inherited by parent roles
System-defined Role types
- ORGADMIN
- ACCOUNTADMIN
- SECURITYADMIN
- SYSADMIN
- USERADMIN
- PUBLIC
ORGADMIN
- Manages operations at organization level
- Can create accounts in an organization
- Can view all accounts in an organization
- Can view usage information across an organization
ACCOUNTADMIN
- Top-level and most powerful role for an account
- Encapsulates SYSADMIN & SECURITYADMIN
- Responsible for configuring account-level parameters
- View and operate on all objects in an account
- View and manage Snowflake billing and credit data
- Stop any running SQL statements
SYSADMIN
- Can create warehouses, databases, schemas and other objects in an account
SECURITYADMIN
- Manage grants globally via the MANAGE GRANTS privilege
- Create, monitor and manage users and roles
USERADMIN
- User and Role management via CREATE USER and CREATE ROLE security privileges
- Can create users and roles in an account
PUBLIC
- Automatically granted to every user and every role in an account
- Can own securable objects; however, objects owned by the PUBLIC role are available to every other user and role in an account
Custom Role
- allows you to create a role with custom, fine-grained security privileges defined
- allows administrators working with the system-defined roles to exercise the security principle of least privilege
- can be created by the SECURITYADMIN & USERADMIN roles as well as by any role to which the CREATE ROLE privilege has been granted
- it is recommended to create a hierarchy of custom roles with the top-most custom role assigned to the SYSADMIN role
- if custom roles are not assigned to the SYSADMIN role, system admins will not be able to manage the objects owned by the custom role
Privilege
A security privilege defines a level of access to an object
For each object there is a set of security privileges that can be granted on it
What are the 4 categories of security privileges?
- Global privileges
- Privileges for account objects
- Privileges for schemas
- Privileges for schema objects
Global Privileges → Account Objects → Schemas → Schema Objects
Privileges are managed using the ___________ and __________ commands.
GRANT; REVOKE
GRANT USAGE ON DATABASE MY_DB TO ROLE MY_ROLE;
REVOKE USAGE ON DATABASE MY_DB FROM ROLE MY_ROLE;
Statement to grant future privileges for objects not yet created.
GRANT SELECT ON FUTURE TABLES IN SCHEMA MY_SCHEMA TO ROLE MY_ROLE;
User Authentication
the process of authenticating with Snowflake via user-provided username and password credentials
the default method of authentication
Users with the ______________ role can create additional Snowflake users, which makes use of the ______________ privilege.
USERADMIN; CREATE USER
CREATE USER USER1
PASSWORD = 'ABC123'
DEFAULT_ROLE = MYROLE
MUST_CHANGE_PASSWORD = TRUE;
Password Requirements
- can be any case-sensitive string up to 256 characters
- must be at least 8 characters long
- must contain at least 1 digit
- must contain at least 1 uppercase letter and 1 lowercase letter
Multi-factor Authentication (MFA)
an additional layer of security, requiring the user to prove their identity not only with a password but with an additional piece of information (or factor)
MFA in Snowflake is powered by a service called __________.
Duo Security