User
You can provide configuration to Snowflake Object Lifecycle Engine for the following operations with user:
- Manage the lifecycle of new and existing users
- Manage the grants of a user
Usage
- Classic Configuration
- Data Products Configuration
users:
<user-name>:
<configuration-key>: <value>
- user:
name: <user-name>
<configuration-key>: <value>
Supported parameters
The engine supports the parameters listed below.
| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
comment | Optional | String | Specifies a comment for the user |
deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
disabled | Optional | Boolean | Specifies whether the user is disabled |
default_namespace | Optional | String/Object: See here for a definition of default_namespace | Specifies the namespace, database only or database and schema, that is active by default for the user's session upon login |
default_role | Optional | String | Specifies the role that is active by default for the user's session upon login |
default_warehouse | Optional | String | Specifies the virtual warehouse that is active by default for the user's session upon login |
display_name | Optional | String | Name displayed for the user in the Snowflake web interface |
email | Optional | String | Email address for the user |
environment | Optional | String | Specifies the environment in which the user is managed. Regex can be provided as well. |
first_name | Optional | String | First name of the user |
last_name | Optional | String | Last name of the user |
login_name | Optional | String | Name that the user enters to log into the system. Login names for users must be unique across your entire account. |
manage_mode | Optional | String: all (default), none | Configures what properties to manage for the user. See Changing Manage Mode before changing the value. |
must_change_password | Optional | Boolean | Specifies whether the user is forced to change their password on the next login (including their first/initial login) into the system |
namespacing | Optional | String: both (default), none, prefix, suffix | Specifies whether prefix or suffix or both are to be added to user name |
network_policy | Optional | String: SOLE managed and preexisting non-managed network_policy names | Attaches a network policy to the user |
password | Optional | String | The password for the user must be enclosed in single or double quotes. If no password is specified, the user cannot log into Snowflake until a password has been explicitly specified for them. |
rsa_public_key | Optional | String | Specifies the user's RSA public key, used for key-pair authentication |
rsa_public_key_2 | Optional | String | Specifies the user's second RSA public key, used to rotate the public and private keys for key-pair authentication based on an expiration schedule set by your organization |
user_type | Optional | String: USER (default), LEGACY_SERVICE, SERVICE | Specifies the user type in Snowflake |
User Types
Snowflake now supports the concept of a user type. The type determines if the user can log in without using MFA, and with a password.
Users can now specify the type of a user in SOLE using the user_type parameter.
- user:
name: DATAOPS_USER_1
user_type: USER
login_name: DATAOPS_USER_1
- user:
name: DATAOPS_USER_2
user_type: LEGACY_SERVICE
login_name: DATAOPS_USER_2
- user:
name: DATAOPS_USER_3
user_type: SERVICE
login_name: DATAOPS_USER_3
- user:
name: DATAOPS_USER_4
login_name: DATAOPS_USER_4 #user_type: USER is the default value
default_namespace parameter
You can specify the name of default_namespace if it belongs to the same schema and database as the user or the name of the schema and database.
This parameter supports the following parameters if explicitly provided:
| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
database | Optional | String | Name of the database |
schema | Optional | String | Name of the schema |
Examples
default_namespace:
database: "<database-name>"
schema: "<schema-name>"
Examples
- Classic Configuration
- Data Products Configuration
users:
SAM:
comment: "management"
login_name: "user_login"
password: "user_login"
disabled: false
display_name: "manager"
email: "user@example.com"
first_name: "user"
last_name: "login"
must_change_password: true
default_namespace:
database: "<database-name>"
schema: "<schema-name>"
default_warehouse: "<warehouse-name>"
default_role: "role"
rsa_public_key: "..."
rsa_public_key_2: "..."
network_policy: "<network-policy-name>"
- user:
name: SAM
comment: "management"
login_name: "user_login"
password: "user_login"
disabled: false
display_name: "manager"
email: "user@example.com"
first_name: "user"
last_name: "login"
must_change_password: true
default_namespace:
schema: rel(schema.<schema-name>)
default_warehouse: rel(warehouse.<warehouse-name>)
default_role: "role"
rsa_public_key: "..."
rsa_public_key_2: "..."
network_policy: rel(network_policy.<network-policy-name>)