0
0
Snowflakecloud~10 mins

System-defined roles (ACCOUNTADMIN, SYSADMIN, etc.) in Snowflake - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - System-defined roles (ACCOUNTADMIN, SYSADMIN, etc.)
Start: User logs in
Assign system-defined role
Role grants specific privileges
User performs actions
System checks role privileges
Allow or deny action
End
User logs in and is assigned a system-defined role. The role grants specific privileges. When the user acts, the system checks these privileges to allow or deny actions.
Execution Sample
Snowflake
USE ROLE ACCOUNTADMIN;
SHOW USERS;
USE ROLE SYSADMIN;
CREATE WAREHOUSE mywh;
USE ROLE PUBLIC;
SELECT CURRENT_ROLE();
This code switches roles and performs actions allowed by each role, showing how privileges differ.
Process Table
StepActionRole UsedPrivileges CheckedResult
1USE ROLE ACCOUNTADMINACCOUNTADMINFull admin privilegesRole switched to ACCOUNTADMIN
2SHOW USERSACCOUNTADMINCan view all usersList of users displayed
3USE ROLE SYSADMINSYSADMINManage warehouses, databasesRole switched to SYSADMIN
4CREATE WAREHOUSE mywhSYSADMINCan create warehousesWarehouse 'mywh' created
5USE ROLE PUBLICPUBLICMinimal privilegesRole switched to PUBLIC
6SELECT CURRENT_ROLE()PUBLICCan query current roleReturns 'PUBLIC'
7CREATE WAREHOUSE testwhPUBLICNo create warehouse privilegeError: insufficient privileges
💡 Execution stops after error due to insufficient privileges for PUBLIC role.
Status Tracker
VariableStartAfter Step 1After Step 3After Step 5After Step 7
Current RoleNoneACCOUNTADMINSYSADMINPUBLICPUBLIC
Key Moments - 3 Insights
Why does the CREATE WAREHOUSE command fail when using the PUBLIC role?
Because PUBLIC role has minimal privileges and cannot create warehouses, as shown in execution_table step 7 where the system denies the action.
Can the ACCOUNTADMIN role perform all actions without restrictions?
Yes, ACCOUNTADMIN has full admin privileges, so actions like SHOW USERS succeed as in step 2.
What happens when switching roles in Snowflake?
The current role changes and the system checks privileges based on the new role, as tracked in variable_tracker and shown in steps 1, 3, and 5.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the current role after step 3?
AACCOUNTADMIN
BSYSADMIN
CPUBLIC
DNo role assigned
💡 Hint
Check the 'Role Used' column at step 3 in execution_table.
At which step does the system deny an action due to insufficient privileges?
AStep 2
BStep 4
CStep 7
DStep 6
💡 Hint
Look for 'Error' or 'insufficient privileges' in the Result column of execution_table.
If the user stays in SYSADMIN role, what would happen if they try to create a warehouse?
AWarehouse created successfully
BAction denied due to lack of privileges
CRole automatically switches to ACCOUNTADMIN
DError: role not found
💡 Hint
Refer to step 4 in execution_table where SYSADMIN creates a warehouse.
Concept Snapshot
System-defined roles in Snowflake control what users can do.
ACCOUNTADMIN has full privileges.
SYSADMIN manages warehouses and databases.
PUBLIC has minimal access.
Switch roles with USE ROLE command.
Actions succeed or fail based on current role privileges.
Full Transcript
In Snowflake, system-defined roles like ACCOUNTADMIN, SYSADMIN, and PUBLIC determine what actions a user can perform. When a user logs in, they can switch roles using the USE ROLE command. Each role has specific privileges: ACCOUNTADMIN has full control, SYSADMIN can manage warehouses and databases, and PUBLIC has very limited access. When a user performs an action, Snowflake checks if the current role has the needed privileges. If yes, the action succeeds; if not, it fails with an error. For example, creating a warehouse works under SYSADMIN but fails under PUBLIC. This flow ensures secure and organized access control.