Role
You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with roles:
- Manage the lifecycle of new and existing roles
- Manage the lifecycle of cloned roles
- Manage grants of roles
Usage
We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. The major difference is in how you define Snowflake objects in the configuration file.
Rather than having a grouped collection of objects, SOLE for Data Products goes for modular, self-describing, and explicit object definition.
Learn more about SOLE for Data Products, currently available as a public preview.
We have also introduced Data products as an extra layer on top of the data product platform capabilities making managing data products easier than ever. Learn more about Data Products, currently available as a private preview.
- Default Configuration
- Data Products Configuration
roles:
<role-name>:
<configuration-key>: <value>
roles:
- <role-name>
- <role-name>
users:
- <user-name>
- <user-name>
- role:
name: <role-name>
<configuration-key>: <value>
roles:
- rel(role.<role-name>)
- rel(role.<role-name>)
users:
- rel(user.<user-name>)
- rel(user.<user-name>)
Supported parameters
The engine supports the parameters listed below.
| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
comment | Optional | String | Specifies a comment for the role |
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
environment | Optional | String | Specifies the environment in which the role is managed. Regex can be provided as well. |
manage_mode | Optional | String: all (default), none, grants | Configures what properties to manage for the role. See Changing Manage Mode before changing the value. |
namespacing | Optional | String: both (default), prefix, suffix, none | Specifies whether prefix or suffix or both are to be added to role name - doesn't apply to default database |
roles or granted_to_roles | Optional | List | List of roles to which current roles are granted. Caution: You cannot simultaneously use both configuration keys roles and granted_to_roles in a role configuration. |
users or granted_to_users | Optional | List | List of users to which current roles are granted. Caution: You cannot simultaneously use both configuration keys users and granted_to_users in a role configuration. |
Examples
Role creation
- Default Configuration
- Data Products Configuration
roles:
DEV_ROLE:
comment: "Role for Ingestion Developers"
- role:
name: DEV_ROLE
comment: "Role for Ingestion Developers"
Role with grants to roles and users
- Default Configuration
- Data Products Configuration
roles:
MODELLING_ROLE:
comment: "Role for Ingestion Developers"
roles:
- INGESTION_ROLE
- ACCOUNTADMIN
users:
- DATAOPS_ADMIN
- INGESTION_USER
- role:
name: MODELLING_ROLE
comment: "Role for Ingestion Developers"
roles:
- rel(role.INGESTION_ROLE)
- ACCOUNTADMIN
users:
- rel(user.DATAOPS_ADMIN)
- rel(user.INGESTION_USER)
Role revoking
Define an empty list for roles: under the name of a particular role to revoke it.
- Role in Current Configuration
- Role in SOLE for Data Products
roles:
MODELLING_ROLE:
comment: "Role for Ingestion Developers"
roles: []
- role:
name: MODELLING_ROLE
comment: "Role for Ingestion Developers"
roles: []