Manage Access
Assigning Roles
The User Roles & Permissions feature in SELECT enables fine-grained access control. There are currently 3 roles available in SELECT:
- Admin: Can perform all actions in SELECT (invite new users, update roles, modify settings, etc.)
- Editor: Can view all pages in SELECT and update Monitors, but cannot invite new users, change roles, or update general settings.
- Viewer: Can view all pages in SELECT but cannot adjust any settings or configuration.
Action | Admin | Editor | Viewer |
---|---|---|---|
View Usage Groups | ✅ | ✅ | ✅ |
Edit Usage Groups | ✅ | ✅ | ❌ |
Invite Users | ✅ | ❌ | ❌ |
Delete Users | ✅ | ❌ | ❌ |
Edit Settings | ✅ | ❌ | ❌ |
View Settings | ✅ | ✅ | ✅ |
View Monitors | ✅ | ✅ | ✅ |
Edit Monitors | ✅ | ✅ | ❌ |
View User Roles | ✅ | ✅ | ✅ |
Update User Roles | ✅ | ❌ | ❌ |
View Dashboards, Workloads, Budgets, etc. | ✅ | ✅ | ✅ |
Enable/Disable Automated Savings | ✅ | ✅ | ❌ |
Dismiss Insights | ✅ | ✅ | ❌ |
Roles can be assigned when inviting a teammate (see below), or after the fact in the roles table.
Organization vs. Account Level Roles
Roles can be assigned to users at the Snowflake organization level or the Snowflake account level. Account roles grant permissions only to that account. Organization roles apply to the organization and all accounts within that organization. When performing account-level actions, the most permissive role granted to either that account or its organization takes precedence.
Here are some examples:
- If a user only has a Viewer role for a single Snowflake account, they will not be able to view any pages on the Snowflake Organization Overview Dashboard.
- If a user has a Viewer role for the Snowflake organization, they will be able to view all pages in SELECT.
- If a user is an organization viewer and an account editor, they are permitted to edit usage groups on the account, but not for other accounts in the organization.
- If a user has an Admin role for a single Snowflake account, they will be able to invite users to SELECT and assign them a role for that Snowflake account only. They will not be able to assign them an organization-based role, or a role for another account.
Default Roles
Default roles can be used to assign specific roles to all users of the app, ensuring baseline access permissions across the entire Snowflake organization and its accounts. These roles are applied universally and help maintain consistent user access levels without the need for manual role assignment for each new user or account. When other roles are assigned manually, the most permissive role granted will take precedence.
Default roles can be applied at both the organization level and the account level:
- Organization-level default roles are assigned to every user within the Snowflake organization, granting them permissions across all accounts under that organization.
- Account-level default roles are assigned to all users for specific Snowflake accounts, granting them permissions limited to that account.
To assign a default role, choose any role from the dropdown in the 'Default Roles' section of the user settings page. Default roles appear in the Roles dropdown in the Users table.
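The precedence rule from the organization/account and default-role sections, modelled as an added example (not SELECT's own code) that can be used to reason about who ends up with which access. The `ORG` marker, the account names, the action keys and the function names are assumptions made for illustration; the minimum role per action is transcribed from the permissions table above.

```python
from enum import IntEnum

class Role(IntEnum):              # ordered from least to most permissive
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    ADMIN = 3

ORG = "<organization>"            # constructed marker for an organization-level scope

# Least-privileged role that has a check mark for each action in the table.
MIN_ROLE = {
    "view_usage_groups": Role.VIEWER, "edit_usage_groups": Role.EDITOR,
    "invite_users": Role.ADMIN, "delete_users": Role.ADMIN,
    "view_settings": Role.VIEWER, "edit_settings": Role.ADMIN,
    "view_monitors": Role.VIEWER, "edit_monitors": Role.EDITOR,
    "view_user_roles": Role.VIEWER, "update_user_roles": Role.ADMIN,
    "view_dashboards": Role.VIEWER, "toggle_automated_savings": Role.EDITOR,
    "dismiss_insights": Role.EDITOR,
}

def effective_role(grants, defaults=(), account=None):
    """Most permissive role that applies to `account`.

    grants/defaults are (scope, Role) pairs; scope is ORG or an account name.
    account=None means an organization-level page, where only ORG-scoped
    roles count (an account-only Viewer sees nothing there).
    """
    applicable = [role for scope, role in (*grants, *defaults)
                  if scope == ORG or scope == account]
    return max(applicable, default=Role.NONE)

def allowed(action, grants, defaults=(), account=None):
    """True if the effective role reaches the minimum role for the action."""
    return effective_role(grants, defaults, account) >= MIN_ROLE[action]

def raised_by_defaults(users, defaults, account):
    """Names whose access on `account` is higher than their manual grants alone.

    Useful when reviewing a default role: it lists everyone the default
    silently lifts above what was assigned to them by hand.
    """
    return sorted(name for name, grants in users.items()
                  if effective_role(grants, defaults, account)
                  > effective_role(grants, (), account))
```

Running `raised_by_defaults` before changing a default role shows which users would gain access they were never individually granted.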
Roles Integration with SSO
Rather than manually assigning each user a role in SELECT, you can configure roles to be automatically assigned based on the user's SSO group. After users are granted access to SELECT through your SSO provider, they will be assigned to the roles you specify based on their SSO group name.
To achieve this, follow the steps below:
1. Configure your SSO provider to pass the user's SSO group name to SELECT
   - Instructions for Okta can be found here
   - No actions are required for Azure AD, proceed to step #2
2. Add the SSO Group mappings in SELECT
To create an SSO group role mapping, go to the settings page.
Click the Add Mapping button.
Enter the name of your SSO group and choose one or more roles.
That's it! The next time they log in, members of these groups will be assigned the configured roles in SELECT.
Default role assignment
Users who do not belong to any mapped group will be assigned the default role you specify as described in the section above.
Troubleshooting Roles Access
When managing roles via SSO Groups, the user's access will not be shown in the Users table, since that table shows roles explicitly set for each user. To help with troubleshooting, we've added the SSO group names being passed through along with the user's SELECT roles. If a role was explicitly assigned to the user through the Users table, it will be marked as a User Role. If a role was granted through an SSO Group mapping, it will be marked as a Group Role.
Invite a Teammate
To invite a co-worker to SELECT, click the "Invite a Teammate" link in the sidebar.
Under Settings -> Users you will see a list of current users with access to SELECT and any outstanding invitations.
To invite a teammate, click the Invite button and enter the user's email address and associated role.
Remove Users
To remove a user, click the trash can icon to the right of the user and confirm the deletion in the modal that appears.