How to Build RBAC in Snowflake

This blog is intended to provide a baseline knowledge of Role Based Access Control (RBAC) is and the different types of roles available in Snowflake. As a Select Partner of Snowflake trusted advisor for our clients, this step by step guide will teach you how to implement and maintain RBAC in your organization. 

Before jumping in, the one prerequisite is having Snowflake Admin privileges to create specific user/roles and other snowflake objects to assign the corresponding permissions to respective roles. 

What is RBAC in Snowflake? 

Role-based access control (RBAC) is a widely used access control mechanism that restricts system access to authorized users based on their role within an organization. Implementing RBAC in an organization can help to reduce the risk of unauthorized access to sensitive information and improve the overall security posture. In this blog, we’ll provide a step-by-step guide involved in building RBAC for an organization. 

Step 1: Identify Roles 

The first step in building RBAC is to identify the roles that exist within the organization. This can be done by analyzing job descriptions, organizational charts, and the responsibilities of different departments. Roles should be defined based on the functions, responsibilities, and tasks that employees perform within the organization. Here are some types of roles we can categorize. 

These are roles that map to business functions within the organization, such as those for HR Specialists or Financial Analysts, or Managers. 

  • Access Roles: Access privileges have been granted for specific Snowflake account objects. 
  • Operational Roles: These are roles used to perform admin related activities. 
  • Service Roles: These roles are specific to services roles creates (e.g. ETL user) that will have access to specific objects needed in performing the role.

Here are our best practices for service roles:

  • List the number of teams who need access to Snowflake (Marketing, Sales, etc.) 
  • Map the snowflake users, schemas and access which covers all the teams (Marketing user needs access to Marketing DB). 
  • Based on the mapping new roles shall be created (Functional Role, Access role, Service role, Operational Role) 

Once new roles are created validate them using the queries below. 

Query:  SHOW ROLES; 

Tip: while creating any new object (User, Role) add appropriate comment why this user/Role is created, this helps in organizing and maintaining the roles as the list of user/Role grows. 

Step 2: Assign Permissions 

Once the roles have been identified, the next step is to assign permissions to each role. Permissions should be assigned based on the tasks and functions that each role is responsible for.  

For example, a marketing manager may have permission to create and edit marketing materials, while an IT administrator may have permission to configure and manage the organization’s network and server infrastructure. 

Example: Created roles will be granted with necessary schema access. 

Query: Grant ALL on schema “Schema Name” to ROLE “ROLE_NAME”; 

Show grants to role ROLE_NAME; 

Step 3: Define Access Levels 

Access levels should be defined for each role based on the level of access required to perform the role’s functions.  

For example, a sales representative may require read-only access to customer information, while a sales manager may require full access to customer information.  

Step 4: Implement RBAC 

The RBAC system should be implemented using a combination of technology and policies. The technology may include access control systems, authentication mechanisms, and auditing tools. Policies should be put in place to ensure that access to sensitive information is only granted to authorized users and that access is revoked when it is no longer required. 

 Example: Developers will have read and write access, Report users will have Read only access. 

Step 5: Test and Monitor 

The RBAC system should be tested thoroughly to ensure that it is working as intended. Regular monitoring should be conducted to identify and address any issues or vulnerabilities that may arise. Ongoing testing and monitoring are critical to ensuring that the RBAC system remains effective over time. 

Once validation is done, send Emails to individual users to confirm if they have access to role and default access is set right. 

Conclusion

RBAC is an effective access control mechanism that can help organizations improve their overall security posture. By identifying roles, assigning permissions, defining access levels, implementing RBAC, and testing and monitoring the system, organizations can ensure that only authorized users have access to sensitive information. 

Comments are closed