Access Control

RBAC (Role-Based Access Control)

Snoweaver implements Role-Based Access Control (RBAC) using Snowflake application roles. These roles are designed to manage the application and control access to its resources effectively. Snoweaver provides two main categories of roles:

  • Global Roles: These roles have broad privileges across the entire application.

  • Connection Roles: These roles are specific to individual connections and control access at a more granular level.

Global Roles

Global roles have broad privileges within the application. The following is a list of global roles currently available:

APP_ADMIN

The APP_ADMIN role is created and assigned to the application owner role during the installation of Snoweaver. This role has exclusive access to the Admin console. While initially assigned to the application owner, you can grant this role to other user roles if additional administrators are needed.

Note

Although the APP_ADMIN role can create connections via the admin console, it does not have access to individual connections. Connection access must be granted through connection roles.

Connection Roles

During connection initialization, a set of dedicated roles is created for each connection. These roles follow a specific naming convention: <Connection Name>_<Role Name>.

By default, connection roles are automatically granted to the application owner role upon connection creation. You can grant these connection roles to other user roles as needed. This flexibility allows for customized access control within each connection, tailoring permissions to your organization’s specific requirements and workflow.

The following matrix describes the privileges for each of the connection roles currently available:

Role Name               DATA (Stage)    API
<Connection>_OPERATOR   Read, Write
<Connection>_READER     Read

Role Assignment

Snowflake’s security model requires that application roles be granted indirectly to users through existing user roles. This means you cannot directly assign an application role to a user. Instead, you need to follow a two-step process:

  1. Grant the Snoweaver application role to an existing user role.

  2. Ensure the user is assigned to that user role.

GRANT APPLICATION ROLE SNOWEAVER.<App Role> TO ROLE <User Role>;
GRANT ROLE <User Role> TO USER <User Account>;
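The two-step process above, worked through for one connection as an added example (not from the Snoweaver documentation). It assumes a connection named SALES_FEED, user roles SALES_ANALYST and SALES_LOADER, and users ALICE and ETL_SVC, all of which are constructed names; <App Owner Role> stands for whichever role installed Snoweaver, since only that role can grant the application's roles.

```sql
-- Added example, not Snoweaver's own code. SALES_FEED, SALES_ANALYST,
-- SALES_LOADER, ALICE and ETL_SVC are constructed names.

-- Create one user role per level of access so that read-only consumers
-- never receive the OPERATOR role (requires CREATE ROLE, e.g. USERADMIN).
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS SALES_ANALYST
  COMMENT = 'Read-only access to the SALES_FEED connection';
CREATE ROLE IF NOT EXISTS SALES_LOADER
  COMMENT = 'Read/write access to the SALES_FEED connection';

-- Step 1: grant the Snoweaver connection roles to the user roles.
-- Connection roles follow <Connection Name>_<Role Name>.
USE ROLE <App Owner Role>;
GRANT APPLICATION ROLE SNOWEAVER.SALES_FEED_READER   TO ROLE SALES_ANALYST;
GRANT APPLICATION ROLE SNOWEAVER.SALES_FEED_OPERATOR TO ROLE SALES_LOADER;

-- Step 2: attach the user roles to accounts. Only the loader's service
-- account receives write access to the connection's stage.
USE ROLE USERADMIN;
GRANT ROLE SALES_ANALYST TO USER ALICE;
GRANT ROLE SALES_LOADER  TO USER ETL_SVC;

-- Verification: list which user roles hold each connection role, so that
-- an OPERATOR grant to an unexpected role is visible.
SHOW GRANTS OF APPLICATION ROLE SNOWEAVER.SALES_FEED_OPERATOR;
SHOW GRANTS OF APPLICATION ROLE SNOWEAVER.SALES_FEED_READER;

-- And from the user's side: which roles does ALICE actually hold?
SHOW GRANTS TO USER ALICE;
```

The SHOW GRANTS output is the check to repeat after any role change: the application owner role holds every connection role by default, so the OPERATOR list should contain only that role and the roles you granted deliberately.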