Snowflake’s approach to access control combines aspects of Discretionary Access Control (DAC), in which each object has an owner who can in turn grant access to that object, with aspects of Role-based Access Control (RBAC), in which access privileges are assigned to roles, which are in turn assigned to users.
Several key concepts are necessary to understand access control in Snowflake. These include:
Securable objects: Entities to which access can be granted.
Roles: An entity to which privileges can be granted. Roles are in turn assigned to users. Note that roles can also be assigned to other roles, creating a role hierarchy, which is a critical concept to understand in Snowflake.
Privileges: The ability to perform some action on an object. Multiple distinct privileges may be used to control the granularity of access granted.
Users: A user identity recognized by Snowflake, whether associated with a person or application.
In the Snowflake role-based access model, access to securable objects is granted through privileges assigned to roles, which are in turn assigned to other roles or users. In addition, each securable object has an owner that can grant access to other roles. This model differs from user-based access control models, where rights and privileges are assigned directly to each user or group of users. The Snowflake model is designed to provide a significant amount of both control and flexibility.
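The following Snowflake SQL walks through the four concepts above in order (securable objects, roles, privileges, users) and shows the role hierarchy and ownership transfer in action. It is an added example, not part of the course material; the database, schema, table, role and user names are constructed placeholders, while SYSADMIN and USERADMIN are Snowflake's built-in system roles. It assumes the session has access to those two system roles.

```sql
-- Added example (not from the course): a minimal Snowflake RBAC setup.
-- All object, role and user names are constructed placeholders.

-- 1. Securable objects: the database, schema and table on which access is granted.
--    The role that creates an object becomes its owner (SYSADMIN here).
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS sales_db;
CREATE SCHEMA IF NOT EXISTS sales_db.reporting;
CREATE TABLE IF NOT EXISTS sales_db.reporting.orders (
  order_id NUMBER,
  amount   NUMBER(12, 2)
);

-- 2. Roles: custom roles are created (and therefore owned) by USERADMIN.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS sales_reader;   -- read-only access
CREATE ROLE IF NOT EXISTS sales_writer;   -- read + write access
CREATE ROLE IF NOT EXISTS sales_owner;    -- will own the table

-- Role hierarchy: granting a role to another role makes the grantee inherit
-- every privilege of the granted role, so sales_writer gets everything
-- sales_reader can do without those grants being repeated.
GRANT ROLE sales_reader TO ROLE sales_writer;

-- Conventional practice: hang custom roles under SYSADMIN so administrators
-- can see and manage everything their subordinate roles can.
GRANT ROLE sales_writer TO ROLE SYSADMIN;
GRANT ROLE sales_owner  TO ROLE SYSADMIN;

-- 3. Privileges: the object owner grants the smallest set each role needs.
--    USAGE on the database and schema is required before SELECT on the table
--    is of any use.
USE ROLE SYSADMIN;
GRANT USAGE  ON DATABASE sales_db                  TO ROLE sales_reader;
GRANT USAGE  ON SCHEMA   sales_db.reporting        TO ROLE sales_reader;
GRANT SELECT ON TABLE    sales_db.reporting.orders TO ROLE sales_reader;
-- sales_writer only adds the write privileges; reads come via the hierarchy.
GRANT INSERT, UPDATE, DELETE ON TABLE sales_db.reporting.orders TO ROLE sales_writer;

-- 4. Ownership (the DAC aspect): transfer the table to sales_owner.
--    COPY CURRENT GRANTS keeps the existing grants in place; from now on
--    sales_owner, not SYSADMIN, is the role that grants or revokes access
--    on this table.
GRANT OWNERSHIP ON TABLE sales_db.reporting.orders
  TO ROLE sales_owner COPY CURRENT GRANTS;

-- 5. Users: people and applications receive roles, never direct privileges.
--    Roles are granted to users by the role owner (USERADMIN).
USE ROLE USERADMIN;
CREATE USER IF NOT EXISTS analyst_alice DEFAULT_ROLE = sales_reader;
GRANT ROLE sales_reader TO USER analyst_alice;
GRANT ROLE sales_writer TO USER etl_service_account;  -- assumes this user already exists

-- 6. Verification: review what a role or user can actually do.
SHOW GRANTS TO ROLE sales_writer;                -- direct privileges plus inherited roles
SHOW GRANTS ON TABLE sales_db.reporting.orders;  -- who holds which privilege on the table
SHOW GRANTS TO USER analyst_alice;               -- roles held by the user
```

The three SHOW GRANTS statements at the end are the check worth keeping: when reviewing access, look at the table (who can touch it and which role owns it), the role (what it holds directly and what it inherits), and the user (which roles reach them), since a privilege that looks absent on the user is often reachable through an inherited role.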
After completing this course, you will have a complete understanding of these concepts and more.