Role

You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with roles:

  • Manage the lifecycle of new and existing roles
  • Manage the lifecycle of cloned roles
  • Manage grants of roles

Usage

Note: We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. Learn more about SOLE for Data Products, which is currently available as a private preview.

roles:
  <role-name>:
    <configuration-key>: <value>
    roles:
      - <role-name>
      - <role-name>
    users:
      - <user-name>
      - <user-name>

Supported parameters

The engine supports the parameters listed below.

| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
| comment | Optional | String | Specifies a comment for the role |
| deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
| environment | Optional | String | Specifies the environment in which the role is managed. Regex can be provided as well. |
| manage_mode | Optional | String: all (default), none, grants | Configures what properties to manage for the role. See Changing Manage Mode before changing the value. |
| namespacing | Optional | String: both (default), prefix, suffix, none | Specifies whether prefix or suffix or both are to be added to role name - doesn't apply to default database |
| roles or granted_to_roles | Optional | List | List of roles to which current roles are granted. Caution: You cannot use both configuration keys roles and granted_to_roles simultaneously in a role configuration. |
| users or granted_to_users | Optional | List | List of users to which current roles are granted. Caution: You cannot use both configuration keys users and granted_to_users at the same time in a role configuration. |

Examples

Role creation

roles:
  DEV_ROLE:
    comment: "Role for Ingestion Developers"

Role with grants to roles and users

roles:
  MODELLING_ROLE:
    comment: "Role for Ingestion Developers"
    roles:
      - INGESTION_ROLE
      - ACCOUNTADMIN
    users:
      - DATAOPS_ADMIN
      - INGESTION_USER
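
Pre-merge lint for role configuration

The following is an added example, not part of SOLE or the original documentation: a small check that applies the rules from the parameter table (mutually exclusive grant keys, allowed manage_mode and namespacing values, expected data types) to an already-parsed roles mapping. The function name lint_roles and the BAD_GRANTS and BAD_MODE entries are hypothetical and constructed for illustration.

```python
# Added example: lint a parsed SOLE `roles:` mapping against the rules stated
# in the parameter table. lint_roles and the sample data are hypothetical.

ALLOWED = {
    "manage_mode": {"all", "none", "grants"},
    "namespacing": {"both", "prefix", "suffix", "none"},
}
# Key pairs the table says cannot appear together in one role configuration.
EXCLUSIVE = [("roles", "granted_to_roles"), ("users", "granted_to_users")]
STRING_KEYS = {"comment", "environment"}
LIST_KEYS = {"roles", "granted_to_roles", "users", "granted_to_users"}


def lint_roles(roles):
    """Return a sorted list of (role, message) findings for a `roles:` mapping."""
    findings = []
    for name, cfg in roles.items():
        cfg = cfg or {}  # a role declared with no keys parses as None in YAML
        for a, b in EXCLUSIVE:
            if a in cfg and b in cfg:
                findings.append((name, f"'{a}' and '{b}' cannot be used together"))
        for key, value in cfg.items():
            if key in ALLOWED:
                if not isinstance(value, str) or value not in ALLOWED[key]:
                    allowed = sorted(ALLOWED[key])
                    findings.append((name, f"{key}: {value!r} is not one of {allowed}"))
            elif key in LIST_KEYS and not isinstance(value, list):
                findings.append((name, f"{key} must be a list"))
            elif key in STRING_KEYS and not isinstance(value, str):
                findings.append((name, f"{key} must be a string"))
            elif key == "deleted" and not isinstance(value, bool):
                findings.append((name, "deleted must be a boolean"))
    return sorted(findings)


# Constructed sample: the page's MODELLING_ROLE plus two deliberately bad roles.
SAMPLE = {
    "MODELLING_ROLE": {
        "comment": "Role for Ingestion Developers",
        "roles": ["INGESTION_ROLE", "ACCOUNTADMIN"],
        "users": ["DATAOPS_ADMIN", "INGESTION_USER"],
    },
    "BAD_GRANTS": {"roles": ["INGESTION_ROLE"], "granted_to_roles": ["DEV_ROLE"]},
    "BAD_MODE": {"manage_mode": "grant", "users": "INGESTION_USER"},
}

if __name__ == "__main__":
    for role, message in lint_roles(SAMPLE):
        print(f"{role}: {message}")
```

Run against a configuration loaded with your YAML parser of choice, it surfaces grant misconfigurations in review instead of at apply time.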