0
votes

I'm trying to create a Role hierarchy in Snowflake with a "top level" role which will be used for my helpdesk support team to manage users and resources within Snowflake. But this role cannot have access to any stored data due to compliance restrictions.

For user management, I've just granted SECURITYADMIN to the role and it seems to work pretty well. But for databases I would like to avoid using SYSADMIN as I would be inheriting the ability to view everything in the databases. So I've come up with a hierarchy that I think makes sense, which is basically the following with some added project roles:

ACCOUNTADMIN >--- HELPDESK (create/drop db then hand off to OU_MANAGER)
                - OU_MANAGER (create/drop schema/tables and assign grants within the OU) > OU_MEMBER (usage on resources in db)

What I would like to do is create the databases with my HELPDESK role, then grant all on that db to the management role for the organizational unit and hand it off to them.

I'm not sure if this is possible in Snowflake, or if I just have my syntax wrong. But I get an error when I try to run a basic grant create database to role helpdesk, and I can't find anything definitive in the docs about granting this kind of access.

1
What error do you get? What role are you using when running this command? - NickW
I was using the accountadmin role, and the error I was running into was: SQL compilation error: syntax error line 1 at position 22 unexpected 'to'. I was able to get it fixed with the added "ON ACCOUNT" from the answer below. Thanks for looking! - tadhatch35

1 Answers

2
votes
use role accountadmin;
grant create database on account to role helpdesk;