How to Implement RBAC in Snowflake

How do I set up RBAC in Snowflake?

Snowflake RBAC secures data by granting privileges to roles, then assigning roles to users.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

What is RBAC in Snowflake?

Role-based access control (RBAC) assigns privileges to roles instead of users. Users inherit permissions through a hierarchy of roles, enabling least-privilege security and simplified audits.

How do I create a role?

Switch to SECURITYADMIN and run CREATE ROLE.This separates security duties from data-loading roles.

CREATE ROLE analyst;

How do I grant table privileges?

GRANT SELECT, INSERT, UPDATE, DELETE, or ALL on tables, schemas, or databases to a role.

GRANT SELECT ON TABLE ecommerce.Orders TO ROLE analyst;

How do I build a role hierarchy?

GRANT ROLE lets a parent role inherit child role privileges, reducing duplicate grants.

GRANT ROLE analyst TO ROLE reporting_team;

How do I assign roles to users?

ACCOUNTADMIN or SECURITYADMIN attaches roles to users so they inherit all lower-level rights.

GRANT ROLE reporting_team TO USER jane_doe;

How do I revoke access quickly?

REVOKE removes a privilege or inherited role immediately, closing gaps in your security posture.

REVOKE SELECT ON TABLE ecommerce.Orders FROM ROLE analyst;

Which Snowflake views help audit RBAC?

SHOW GRANTS and ACCOUNT_USAGE.GRANTS_TO_ROLES expose every current grant, letting you trace privilege lineage for compliance.

RBAC best practices

Create functional (analyst) and object (ecom_read) roles.
Grant roles, never direct object privileges, to users.
Follow least privilege—give SELECT by default, write access by exception.
Audit grants monthly with ACCOUNT_USAGE views.

Why How to Implement RBAC in Snowflake is important

How to Implement RBAC in Snowflake Example Usage


-- Create a read-only analyst role and attach it to a user
USE ROLE SECURITYADMIN;
CREATE ROLE analyst;
GRANT SELECT ON TABLE ecommerce.Orders TO ROLE analyst;
GRANT SELECT ON TABLE ecommerce.Products TO ROLE analyst;
GRANT ROLE analyst TO USER dev_anna;

How to Implement RBAC in Snowflake Syntax


CREATE ROLE <role_name>;
GRANT ROLE <child_role> TO ROLE <parent_role>;
GRANT { SELECT | INSERT | UPDATE | DELETE | ALL } ON { DATABASE | SCHEMA | TABLE | VIEW } <object_name> TO ROLE <role_name>;
GRANT ROLE <role_name> TO USER <user_name>;
REVOKE { SELECT | INSERT | UPDATE | DELETE | ALL } ON <object_name> FROM ROLE <role_name>;
REVOKE ROLE <role_name> FROM USER <user_name>;

Common Mistakes

Granting privileges directly to users. This breaks least privilege and complicates audits. Fix by revoking direct grants and granting through roles only.
Using ACCOUNTADMIN for daily work. This exposes powerful rights. Fix by creating functional roles and reserving ACCOUNTADMIN for break-glass situations.

Frequently Asked Questions (FAQs)

Can I grant privileges at the schema level?

Yes. Schema-level grants like GRANT SELECT ON ALL TABLES IN SCHEMA ecommerce TO ROLE analyst cascade to new tables if you also enable the FUTURE keyword.