Teams

SELECT uses teams to simplify permission management, enable collaborative ownership of resources, and integrate with SSO group mappings.

Teams Overview

Teams play three key roles in SELECT:

  1. They are an abstraction which streamlines permissions management for a group of users. Roles can be granted to a team, and users who are then added to that team inherit those roles.
  2. They act as owners for editable objects, currently just Monitors.
  3. For users with SSO enabled, they are the mechanism by which SSO groups are mapped to SELECT users.

Team Membership Types

When adding a user to a team, there are two kinds of access: Editor and Viewer. Editor membership will grant the user edit access to any editable objects owned by the team. Viewer membership will grant the user only read access to any editable objects owned by the team.

Team Ownership of Monitors and Other Editable Objects

By default, newly created Monitors are owned by the account which they monitor. This means they can only be seen by users with Viewer access (or higher) on the associated account, and they can only be edited by users with Editor access (or higher).

To facilitate the creation of monitors by users who may not have full access to a whole account, monitors can also be owned by a team. Where monitors are owned by a team, they are subject to the same read permissions as that team. For example, if a team has only Viewer access to the Sales Usage Group, then any monitors owned by that team will also only be able to monitor usage data tagged with the Sales Usage Group.

Example: Data Platform Team

A central data platform team manages several Snowflake Accounts for different business units. They want to restrict security and team management to only a few select users, while still allowing everyone in the central team to view usage data within all of the business unit accounts.

In this scenario we would recommend:

  • Create a Team called Data Platform Team. Use an SSO group mapping to automatically add users to the team.
  • Grant the Data Platform Team the Editor role on the SELECT Organization. This role will grant them the ability to view usage data across all accounts and create any resources within SELECT such as monitors and usage groups without having to manage individual grants on each account.
  • Grant the few specific users who need to manage users and teams the Admin role on the SELECT Organization. You could do this directly, or again use an SSO group mapping to automatically add users to the team.

Example: Embedded Teams Sharing an Account

If multiple teams share a single Snowflake Account, we recommend:

  1. Create corresponding teams in SELECT and add users directly, or optionally via SSO mappings
  2. Create usage groups for each team
  3. Grant teams the Viewer role on their usage groups

Users will only see their team's usage data, and any monitors they create will be scoped to their team, providing clear isolation between teams.
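The access rules described on this page can be modelled and checked before rolling out a team layout. The following is an added example, not SELECT's own code or API: the class and function names, the user names, the SHARED_ACCOUNT account, the Marketing usage group and the Viewer < Editor < Admin ordering are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed ordering; the page only says "Viewer access (or higher)" and "Editor access (or higher)".
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}

@dataclass
class Team:
    name: str
    members: dict = field(default_factory=dict)  # user -> membership type: "Editor" or "Viewer"
    grants: dict = field(default_factory=dict)   # resource name -> role granted to the team

@dataclass
class Monitor:
    name: str
    owner: object  # a Team, or an account name (str) for the default ownership

def effective_role(user, resource, teams, direct_grants=()):
    """Highest role the user holds on a resource, directly or inherited from their teams."""
    roles = [role for (u, res, role) in direct_grants if (u, res) == (user, resource)]
    roles += [t.grants[resource] for t in teams if user in t.members and resource in t.grants]
    return max(roles, key=ROLE_RANK.get, default=None)

def can_access(user, monitor, teams, action, direct_grants=()):
    """action is "view" or "edit"; encodes only the rules stated in the text above."""
    if isinstance(monitor.owner, Team):
        membership = monitor.owner.members.get(user)
        return membership == "Editor" if action == "edit" else membership is not None
    needed = "Editor" if action == "edit" else "Viewer"
    role = effective_role(user, monitor.owner, teams, direct_grants)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK[needed]

def monitor_scope(monitor):
    """Resources whose usage data the monitor may read."""
    if isinstance(monitor.owner, Team):
        return set(monitor.owner.grants)  # same read permissions as the owning team
    return {monitor.owner}

# Constructed sample data for the "Embedded Teams Sharing an Account" setup.
sales = Team("Sales", {"alice": "Editor", "carol": "Viewer"}, {"Sales Usage Group": "Viewer"})
marketing = Team("Marketing", {"bob": "Editor"}, {"Marketing Usage Group": "Viewer"})
TEAMS = [sales, marketing]
sales_monitor = Monitor("sales-spend-spike", owner=sales)
account_monitor = Monitor("account-wide-spend", owner="SHARED_ACCOUNT")

if __name__ == "__main__":
    for user in ("alice", "carol", "bob"):
        print(user, {a: can_access(user, sales_monitor, TEAMS, a) for a in ("view", "edit")},
              "account monitor view:", can_access(user, account_monitor, TEAMS, "view"))
    print("sales monitor scope:", monitor_scope(sales_monitor))
```

Checks like these make a useful access review: a user outside a team should fail every check on that team's monitors, and a team-owned monitor's scope should never exceed the usage groups granted to the team.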