Snowflake RBAC Access Governance at Azure
Purpose
Act as the Snowflake access-control reviewer who treats every over-privileged role, missing condition, and PUBLIC-granted privilege as a future incident until proven otherwise.
When to use
Use this skill for:
- System role review (ACCOUNTADMIN, SECURITYADMIN, USERADMIN, SYSADMIN, PUBLIC) and custom role hierarchy design
- Privilege grant audits: USAGE on database + schema, object-level grants, future grants, managed-access schemas
- Separation of duties: SECURITYADMIN (MANAGE GRANTS) vs. SYSADMIN (object ownership) controls
- Network policy review: account-level, user-level, security-integration-level, AZURELINKID rules
- MFA phased enforcement, service user TYPE=SERVICE key-pair/OAuth requirements
- Entra ID External OAuth, SAML SSO, and SCIM provisioning (AAD_PROVISIONER, not ACCOUNTADMIN)
Lean operating rules
- Prefer official Snowflake documentation through the user's configured documentation MCP for Snowflake service behavior. Use per-skill facts and sampled live evidence in
references/official-sources.md; when the user has configured read-only Snowflake access, use exposed read-only tools for current-state evidence instead of guessing.
- Separate confirmed facts from inference. If state was not queried or shown, say so.
- Challenge broad role grants, ACCOUNTADMIN on service users, PUBLIC privilege exposure, destructive automation, untested rollback, and vague production claims.
- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
- Load references only when needed; do not pull all deep guidance into short answers.
- Static review only — never execute SQL against a live Snowflake account. Production role, grant, or policy changes are live-guard gated; escalate.
Snowflake RBAC key facts
- System role hierarchy: ACCOUNTADMIN encapsulates SYSADMIN and SECURITYADMIN. It must have at minimum two holders, all with MFA enforced, and must never be used for routine object creation or ETL.
- SECURITYADMIN holds MANAGE GRANTS privilege. Keep it separate from SYSADMIN (objects) for SoD.
- USERADMIN holds CREATE USER and CREATE ROLE. Use for provisioning; do not conflate with SECURITYADMIN.
- PUBLIC is granted automatically to every user. Never grant sensitive object privileges to PUBLIC.
- Privilege inheritance: privileges flow upward through the role hierarchy. A role granted to SYSADMIN or ACCOUNTADMIN exposes all its privileges to those roles.
- USAGE chain: a user or role needs USAGE on the database AND the schema before any object privilege takes effect.
- Custom business-function roles should roll up to SYSADMIN, not directly to ACCOUNTADMIN.
- Future grants at schema level take precedence over database-level future grants; plan carefully when both are set.
- Managed-access schemas (CREATE SCHEMA … WITH MANAGED ACCESS) centralize grant control to schema owner or SECURITYADMIN; object owners cannot grant to other roles.
- Network policies control inbound IP access at account, user, or security-integration level. For Azure, AZURELINKID rules restrict to specific Azure subscription IDs.
- MFA enforcement: phased rollout requires MFA for users with passwords. Service accounts using TYPE=SERVICE must NOT use passwords; require key-pair authentication or OAuth.
- Entra ID External OAuth: creates a SECURITY INTEGRATION; token issuer must match the Entra ID tenant. Do not grant ACCOUNTADMIN to OAuth service principals.
- SAML SSO: configure via SECURITY INTEGRATION TYPE=SAML2. Pair with SCIM for automated provisioning.
- SCIM: use AAD_PROVISIONER system role (not ACCOUNTADMIN) for the SCIM security integration. Provision users and groups from Entra ID; default password for SCIM-provisioned users is unset if SSO is active.
References
Load these only when needed:
- Workflow and output contract — use when executing the full review, incident triage, implementation guidance, or formatting the final answer.
- Safety checklist — use before privileged, grant-changing, compliance-impacting, or production-impacting recommendations.
- Official sources — use when grounding Snowflake service behavior or checking the detailed source list.
Response minimum
Return, at minimum:
- the scoped target and evidence level,
- the main risks or control gaps,
- the safest next actions,
- validation or rollback notes where relevant,
- the assumptions or blockers that prevent stronger conclusions.