System-defined roles (ACCOUNTADMIN, SYSADMIN, etc.) in Snowflake - Time & Space Complexity

We want to understand how the time to check or assign system-defined roles changes as the number of users or roles grows.

How does the system handle these roles efficiently as more users or permissions are involved?

Analyze the time complexity of querying role grants for users.

-- List roles granted to a user
SHOW GRANTS TO USER some_user;

-- List users granted a system-defined role
SHOW GRANTS OF ROLE SYSADMIN;

-- Assign a system-defined role to a user
GRANT ROLE SYSADMIN TO USER some_user;
    

This sequence shows checking and assigning system-defined roles to users.

Look at the main operations that happen repeatedly when managing roles.

• Primary operation: Checking role grants involves scanning role assignments.
• How many times: Once per user or role queried, but can involve multiple role entries.

As the number of users or roles grows, the system checks more entries.

Input Size (n)	Approx. API Calls/Operations
10 users/roles	About 10 role checks
100 users/roles	About 100 role checks
1000 users/roles	About 1000 role checks

Pattern observation: The number of checks grows roughly in direct proportion to the number of users or roles involved.

Time Complexity: O(n)

This means the time to check or assign system-defined roles grows linearly with the number of users or roles.

[X] Wrong: "Assigning a system-defined role is instant no matter how many users exist."

[OK] Correct: Even though the command is simple, the system must update and verify role assignments, which takes longer as more users or roles exist.

Understanding how role management scales helps you design secure and efficient access controls in cloud systems.

"What if we cached role assignments? How would the time complexity change when checking roles for many users?"