Role Based Access Control

SELECT uses Role-Based Access Control (RBAC) to manage access to the platform. Permissions are granted by assigning the appropriate role to a user. To simplify the process of managing individual users, users can also be assigned to teams, so that roles can be granted to a team as a whole rather than to each individual user.

Roles and Role Entities

SELECT roles and entities

Roles have a level and an entity. The level defines the permissions associated with the role, with four levels available: Admin, Editor, Monitor Editor and Viewer. The entity defines the accounts and organizations within SELECT that the role can access. For example, the Viewer role on a Snowflake Account will have read-only access to all objects in the account, but will not have access to other accounts, and will not be able to edit any objects in the account. There are four entities: SELECT Organization, Snowflake Organization, Snowflake Account, and Usage Group.

Multiple roles can be granted to a user or team, allowing for a granular approach to access control. Where multiple roles are assigned, the permissions are additive.

Each level always has access to the permissions of the level below it; likewise, a role on an entity always applies to all the entities below it. For example, a user with the Admin role on the SELECT Organization entity will also have Admin access to all Snowflake Organizations and Snowflake Accounts within it.

Roles and Permissions

The SELECT Organization Entity

Roles on the SELECT Organization entity provide the ability to perform user management actions such as inviting new users, removing existing users and managing teams. The Admin role grants the ability to perform these actions.

The user who initially configures SELECT is granted the Admin role on the SELECT Organization entity automatically.

SELECT Organization Roles and Permissions

Action                  Admin   Other Roles
Create & Edit Teams     Yes     No
Invite & Delete Users   Yes     No
Manage SSO Settings     Yes     No

Example: Data Platform Team

A central data platform team manages several Snowflake Accounts for different business units. They want to be able to restrict security and team management to only a few select users, but also allow everyone in the central team to be able to view usage data within all of the business unit accounts. In this scenario we would recommend:

  • Create a Team called Data Platform Team. Use an SSO group mapping to automatically add users to the team.
  • Grant the Data Platform Team the Editor role on the SELECT Organization. This role will grant them the ability to view usage data across all accounts and create any resources within SELECT such as monitors and usage groups without having to manage individual grants on each account.
  • Grant the few specific users who need to manage users and teams the Admin role on the SELECT Organization. You could do this directly, or again use an SSO group mapping to automatically add users to the team.

The Snowflake Organization & Account Entities

The Snowflake Organization and Snowflake Account entities have the same permissions and roles, with the exception of insights, which are only generated at the account level.

  • The Admin role additionally grants the ability to edit the configuration settings for the account or organization.
  • The Editor role additionally grants edit access to any usage groups, monitors and views within that account or organization. It also grants the ability to enable or disable the Automated Savings feature for associated accounts.
  • The Monitor Editor role additionally grants the ability to edit only monitors.
  • The Viewer role grants read access to the usage data within that account or organization.

Snowflake Organization & Account Roles and Permissions

Action                              Admin   Editor   Monitor Editor   Viewer
Edit Settings
Update User Roles on this Entity
Enable/Disable Automated Savings
Dismiss Insights
Edit Usage Group Definitions
Create & Edit Monitors
View Usage Group Definitions
View Settings
View Monitors
View User Roles
View Dashboards

In addition to roles on Snowflake Accounts and Snowflake Organizations, some of the same permissions are also available on Usage Groups, which are detailed in the next section.

The Usage Group Entity

Usage Group Roles Eligibility

SELECT's Usage Group level roles are an add-on feature. Please contact SELECT to determine your eligibility and receive a quote.

The Usage Group entity is the lowest level of entity and only grants access to usage data assigned to that usage group. There is only a Viewer role on the Usage Group entity as there are no associated editable objects.

Where multiple teams operate within the same Snowflake Account, the Usage Group entity allows each team's access to be restricted to only the usage data associated with its own Usage Group.

Usage Group Roles and Permissions

Action                          Viewer
View Dashboards                 Only usage data for the granted usage group
Create Monitors                 Only owned by teams the user has Editor resource access on
Edit Monitors                   Only monitors owned by teams the user has Editor resource access on
View Monitors                   Only monitors owned by teams the user is a member of
View Usage Group Definitions
View User Roles
View Settings

The only role available on Usage Groups is the Viewer role. This acts as a more restricted version of the Viewer role on the parent Snowflake Account.
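The inheritance rules described earlier (each level includes the levels below it, a role on an entity covers every entity beneath it, and permissions are additive across a user's direct roles and teams), the Data Platform Team example, and the Usage Group Viewer restriction, worked through as an added Python model; this is illustrative code, not SELECT's own implementation. The entity tree, team and users are constructed placeholders, and the action sets are taken from the role descriptions on this page.

```python
# Levels from highest to lowest; each level inherits the actions of those below it.
LEVELS = ["Admin", "Editor", "Monitor Editor", "Viewer"]
# Actions introduced at each level, taken from the role descriptions on this page.
LEVEL_ACTIONS = {
    "Admin": {"Edit Settings"},
    "Editor": {"Edit Usage Group Definitions", "Enable/Disable Automated Savings"},
    "Monitor Editor": {"Create & Edit Monitors"},
    "Viewer": {"View Dashboards"},
}
# User-management actions exist only for Admin on the SELECT Organization entity.
SELECT_ORG_ADMIN_ACTIONS = {"Create & Edit Teams", "Invite & Delete Users", "Manage SSO Settings"}

# Constructed entity tree (child -> parent); a role applies to everything below its entity.
PARENT = {
    "snowflake_org:acme": "select_org",
    "account:marketing": "snowflake_org:acme",
    "account:finance": "snowflake_org:acme",
    "usage_group:marketing/etl": "account:marketing",
}

# A grant is a (level, entity) pair; users hold direct grants and belong to teams (constructed).
TEAMS = {"Data Platform Team": [("Editor", "select_org")]}
USERS = {
    "alice": {"grants": [], "teams": ["Data Platform Team"]},
    "bob": {"grants": [("Admin", "select_org")], "teams": ["Data Platform Team"]},
    "carol": {"grants": [("Viewer", "usage_group:marketing/etl")], "teams": []},
}

def ancestors(entity):
    """The entity itself, then each parent up to the SELECT Organization."""
    while entity is not None:
        yield entity
        entity = PARENT.get(entity)

def actions_for(level, entity):
    """Actions a role of `level` on `entity` carries, including inherited lower levels."""
    acts = set().union(*(LEVEL_ACTIONS[l] for l in LEVELS[LEVELS.index(level):]))
    if level == "Admin" and entity == "select_org":
        acts |= SELECT_ORG_ADMIN_ACTIONS
    return acts

def effective_grants(user):
    """Direct grants plus the grants of every team the user belongs to (additive)."""
    u = USERS[user]
    return list(u["grants"]) + [g for t in u["teams"] for g in TEAMS[t]]

def can(user, action, entity):
    """True if any effective grant sits at `entity` or above it and covers `action`."""
    scope = set(ancestors(entity))
    return any(e in scope and action in actions_for(lvl, e) for lvl, e in effective_grants(user))
```

Note that carol's Viewer role on the usage group does not reach the parent account, and alice's team-level Editor role reaches every account without per-account grants.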

For information about creating and managing teams, see Teams.