Roles & Permissions in SELECT

Overview

Users can enable fine-grained access control in SELECT. There are currently 3 roles available:

  • Admin: Can perform all actions in SELECT (invite new users, update roles, modify settings, etc.)
  • Editor: Can view all pages in SELECT and update Monitors, but cannot invite new users, change roles, or update general settings.
  • Viewer: Can view all pages in SELECT but cannot adjust any settings or configuration.

Action | Admin | Editor | Viewer
View Usage Groups
Edit Usage Groups
View Budgets
Edit Budgets
Invite Users
Delete Users
Edit Settings
View Settings
View Monitors
Edit Monitors
View User Roles
Update User Roles
View Dashboards, Workloads, Budgets, etc.
Enable/Disable Automated Savings
Dismiss Insights

Roles can be assigned when inviting a teammate (see below), or after the fact in the roles table.

SELECT user roles

Organization vs. Account Roles

Roles can be assigned to users at the Snowflake organization level or the Snowflake account level. Account roles grant permissions only to that account. Organization roles apply to the organization and all accounts within that organization. When performing account-level actions, the most permissive role granted to either that account or its organization takes precedence.

Here are some examples:

  • If a user only has a Viewer role for a single Snowflake account, they will not be able to view any pages on the Snowflake Organization Overview Dashboard.
  • If a user has a Viewer role for the Snowflake organization, they will be able to view all pages in SELECT.
  • If a user is an organization viewer and an account editor, they are permitted to edit usage groups on the account, but not for other accounts in the organization.
  • If a user has an Admin role for a single Snowflake account, they will be able to invite users to SELECT and assign them a role for that Snowflake account only. They will not be able to assign them an organization-based role, or a role for another account.

Default Roles

Default roles can be used to assign specific roles to all users of the app, ensuring baseline access permissions across the entire Snowflake organization and its accounts. These roles are applied universally and help maintain consistent user access levels without the need for manual role assignment for each new user or account. When other roles are assigned manually, the most permissive role granted will take precedence.

Default roles can be applied at both the organization level and the account level:

  • Organization-level default roles are assigned to every user within the Snowflake organization, granting them permissions across all accounts under that organization.
  • Account-level default roles are assigned to all users for specific Snowflake accounts, granting them permissions limited to that account.

To assign a default role, choose any role from the dropdown in the 'Default Roles' section of the user settings page. Default roles appear in the Roles dropdown in the Users table.

SELECT default user roles

SSO Roles

Rather than manually assigning each user a role in SELECT, you can configure roles to be automatically assigned based on the user's SSO group. After users are granted access to SELECT through your SSO provider, they will be assigned to the roles you specify based on their SSO group name.

To achieve this, follow the steps below:

  1. Configure your SSO provider to pass the user's SSO group name to SELECT
    • Instructions for Okta can be found here
    • No action is required for Azure AD; proceed to step 2
  2. Add the SSO Group mappings in SELECT

To create an SSO group role mapping, go to the settings page.

SSO Group Role Mapping empty table

Click the Add Mapping button.

SSO Group Role Mapping add new

Enter the name of your SSO group and choose one or more roles.

SSO Group Role Mapping table with mappings

That's it! The next time they log in, members of these groups will be assigned the configured roles in SELECT.

Viewing SSO Roles

SSO Roles can be viewed in the UI from the Users table.

Alternatively, individual users can see their own roles by clicking their icon in the sidebar.

SELECT User Sidebar Roles

Default role assignment

Users who do not belong to any mapped group will be assigned the default role you specify as described in the section above.
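
The precedence rules from the Organization vs. Account Roles, Default Roles, and SSO Roles sections can be checked with a small model. This is an added example, not SELECT's own code: the function names, the `ORG` scope label, and the sample group and account names are hypothetical. It models a single Snowflake organization and assumes that roles from mapped SSO groups combine with default roles under the same most-permissive rule.

```python
# Added illustration; not SELECT's code. Models one Snowflake organization.
RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}  # least to most permissive
ORG = "org"  # constructed label for the organization-level scope


def resolve_grants(manual, defaults, sso_groups, sso_mappings):
    """Union of manual grants, default roles, and roles from mapped SSO groups.

    Each grant is a (scope, role) pair; scope is ORG or an account name.
    Assumption: SSO-mapped roles combine with the others, most permissive wins.
    """
    grants = set(manual) | set(defaults)
    for group in sso_groups:
        grants |= set(sso_mappings.get(group, ()))
    return grants


def _highest(roles):
    # Returns None when no role applies to the scope at all.
    return max(roles, key=RANK.__getitem__, default=None)


def org_role(grants):
    return _highest([role for scope, role in grants if scope == ORG])


def effective_account_role(grants, account):
    """Most permissive role granted on the account or on its organization."""
    return _highest([role for scope, role in grants if scope in (ORG, account)])


def can_view_org_overview(grants):
    """Organization Overview pages need an organization-level role."""
    return org_role(grants) is not None


def can_assign_role(grants, target_scope):
    """Only an Admin for the target scope may assign roles in that scope."""
    if target_scope == ORG:
        return org_role(grants) == "Admin"
    return effective_account_role(grants, target_scope) == "Admin"


if __name__ == "__main__":
    # Constructed sample data: one SSO mapping and an org-wide default role.
    mappings = {"data-eng": {("acct_a", "Editor")}}
    defaults = {(ORG, "Viewer")}
    for groups in (["data-eng"], ["sales"]):
        grants = resolve_grants(set(), defaults, groups, mappings)
        print(groups, effective_account_role(grants, "acct_a"))
```

When reviewing access, note that an organization-level default role sets the minimum role every user holds on every account, so it is worth checking before relying on narrower account-level grants.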