Role

You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with roles:

Manage the lifecycle of new and existing roles
Manage the lifecycle of cloned roles
Manage grants of roles

Usage

Classic Configuration
Data Products Configuration

roles:
  <role-name>:
    <configuration-key>: <value>
    roles:
      - <role-name>
      - <role-name>
    users:
      - <user-name>
      - <user-name>

- role:
    name: <role-name>
    <configuration-key>: <value>
    roles:
      - rel(role.<role-name>)
      - rel(role.<role-name>)
    users:
      - rel(user.<user-name>)
      - rel(user.<user-name>)

Supported parameters

The engine supports the parameters listed below.

Configuration Key	Required/Optional	Data Types and Values	Description
`comment`	Optional	String	Specifies a comment for the role
`deleted`	Optional	Boolean: `True` enables deletion prevention, `False` does nothing	Specifies what objects are allowed to be deleted
`depends_on`	Optional	List of String: See Object Dependencies for a definition of `depends_on`	List of SOLE-managed objects that this role depends on. Objects defined in the list will be added to the generated HCL dependencies list to ensure proper creation order.
`environment`	Optional	String	Specifies the environment in which the role is managed. Regex can be provided as well.
`manage_mode`	Optional	String: `all` (default), `none`, `grants`	Configures what properties to manage for the role. See Changing Manage Mode before changing the value.
`namespacing`	Optional	String: `both` (default), `prefix`, `suffix`, `none`	Specifies whether prefix or suffix or both are to be added to role name - doesn't apply to default database
`roles` or `granted_to_roles`	Optional	List	List of roles to which current roles are granted. Caution: You cannot simultaneously use both configuration keys `roles` and `granted_to_roles` in a role configuration.
`users` or `granted_to_users`	Optional	List	List of users to which current roles are granted. Caution: You cannot simultaneously use both configuration keys `users` and `granted_to_users` in a role configuration.

Examples

Role creation

Classic Configuration
Data Products Configuration

roles:
  DEV_ROLE:
    comment: "Role for Ingestion Developers"

- role:
    name: DEV_ROLE
    comment: "Role for Ingestion Developers"

Role with grants to roles and users

Classic Configuration
Data Products Configuration

roles:
  MODELLING_ROLE:
    comment: "Role for Ingestion Developers"
    roles:
      - INGESTION_ROLE
      - ACCOUNTADMIN
    users:
      - DATAOPS_ADMIN
      - INGESTION_USER

- role:
    name: MODELLING_ROLE
    comment: "Role for Ingestion Developers"
    roles:
      - rel(role.INGESTION_ROLE)
      - ACCOUNTADMIN
    users:
      - rel(user.DATAOPS_ADMIN)
      - rel(user.INGESTION_USER)

Role revoking

Define an empty list for roles: under the name of a particular role to revoke it.

Role in Current Configuration
Role in SOLE for Data Products

roles:
  MODELLING_ROLE:
    comment: "Role for Ingestion Developers"
    roles: []

- role:
    name: MODELLING_ROLE
    comment: "Role for Ingestion Developers"
    roles: []

Usage​

Supported parameters​

Examples​

Role creation​

Role with grants to roles and users​

Role revoking​