Access Control
RBAC (Role-Based Access Control)
Snoweaver implements Role-Based Access Control (RBAC) using Snowflake application roles. These roles are designed to manage the application and control access to its resources effectively. Snoweaver provides two main categories of roles:
Global Roles: These roles have broad privileges across the entire application.
Project Roles: These roles are specific to individual projects and control access at a more granular level.
Global Roles
Global roles have broad privileges within the application. The following is a list of global roles currently available:
APP_ADMIN
The APP_ADMIN role is created and assigned to the application owner role during the installation of Snoweaver. This role has exclusive access to the Admin console and API procedures of Snoweaver. It is the highest level of administrative access within the application. While initially assigned to the application owner, you can grant this role to other user roles if additional administrators are needed.
Note
Although the APP_ADMIN role can create projects via the admin console, it does not have access to individual projects. Project access must be granted through project roles.
Project Roles
During project initialization, a set of dedicated roles is created for each project. These roles follow a specific naming convention: <Project Name>_<Role Name>.
By default, project roles are automatically granted to the application owner role upon project creation. You can grant these project roles to other user roles as needed. This flexibility allows for customized access control within each project, tailoring permissions to your organization’s specific requirements and workflow.
The following matrix describes the privileges for each of the project roles currently available:
Role Name | Project Console | CODE (Stage) | DATA (Stage) | RESULTS (Table) | API Procs | Job Instances
---|---|---|---|---|---|---
<PROJ>_DEVELOPER | ✔ | Read, Write | Read, Write | All Privileges | ✔ | ✔
<PROJ>_OPERATOR | ❌ | ❌ | Read, Write | All Privileges | ❌ | ✔
<PROJ>_READER | ❌ | ❌ | Read | Read | ❌ | ❌
Role Assignment
Snowflake’s security model requires that application roles be granted indirectly to users through existing user roles. This means you cannot directly assign an application role to a user. Instead, you need to follow a two-step process:
1. Grant the Snoweaver application role to an existing user role.
2. Ensure the user is assigned to that user role.
GRANT APPLICATION ROLE SNOWEAVER.<App Role> TO ROLE <User Role>;
GRANT ROLE <User Role> TO USER <User Account>;
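A worked version of the two-step process above, added here as an illustration and not taken from the Snoweaver documentation. It assumes a project named SALES_PIPELINE, user roles DATA_ANALYST and ETL_OPERATOR, user accounts ALICE and BOB, and that the statements run as the role that owns the SNOWEAVER application (which receives the project roles at creation).

```sql
-- Added example, not from the Snoweaver docs. Assumed names:
-- project SALES_PIPELINE, user roles DATA_ANALYST and ETL_OPERATOR,
-- user accounts ALICE and BOB. Run as the application owner role.

-- Analysts only need to read DATA and RESULTS, so they get the
-- least-privileged project role: <PROJ>_READER.
GRANT APPLICATION ROLE SNOWEAVER.SALES_PIPELINE_READER TO ROLE DATA_ANALYST;
GRANT ROLE DATA_ANALYST TO USER ALICE;

-- Operators run job instances and write to DATA/RESULTS, but have no
-- business in the CODE stage, the project console or the API procs,
-- so they get <PROJ>_OPERATOR rather than <PROJ>_DEVELOPER.
GRANT APPLICATION ROLE SNOWEAVER.SALES_PIPELINE_OPERATOR TO ROLE ETL_OPERATOR;
GRANT ROLE ETL_OPERATOR TO USER BOB;

-- Confirm the exact <PROJ>_<Role> names the application exposes
-- before granting anything further.
SHOW APPLICATION ROLES IN APPLICATION SNOWEAVER;

-- Audit which user roles hold each project role. Review these grants
-- periodically; every extra DEVELOPER grant widens write access to CODE.
SHOW GRANTS OF APPLICATION ROLE SNOWEAVER.SALES_PIPELINE_READER;
SHOW GRANTS OF APPLICATION ROLE SNOWEAVER.SALES_PIPELINE_OPERATOR;

-- Offboarding a team: revoke the project role from the user role.
-- Users keep ETL_OPERATOR but lose all SALES_PIPELINE privileges.
REVOKE APPLICATION ROLE SNOWEAVER.SALES_PIPELINE_OPERATOR FROM ROLE ETL_OPERATOR;
```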