@@ -3454,6 +3454,7 @@ ALTER TABLE CUSTOMERS MODIFY COLUMN email UNSET MASKING POLICY;
34543454```
34553455
34563456## Masking Examples
3457+
34573458``` sql
34583459-- ### More examples - 1 - ###
34593460-- leave email domain unmasked
@@ -3524,4 +3525,289 @@ SELECT * FROM CUSTOMERS;
35243525
35253526USE ROLE ANALYST_MASKED;
35263527SELECT * FROM CUSTOMERS;
3527- ```
3528+ ```
3529+
3530+ # ACCESS MANAGEMENT
3531+
3532+ ## What is Access Management
3533+ - Management of who can access and perfom actions on objects in snowflake
3534+ - There are 2 aspect of access control combined
3535+ - DAC - Discretionary Access Control: each object has an owner who can grant access to that object
3536+ - RBAC - Access privileges are assigned to roles, which are in turn assigned to users
3537+ Example:
3538+ ```
3539+ |--> USER 0
3540+ ROLE 1 ---> TABLE 1 ---> ROLE 2 ---> USER 1
3541+ |--> ROLE 3 ---> USER 2
3542+ |--> USER 3
3543+ ```
3544+ - Role 1 create tables 1 and then role 1 can give access to the table to whomever he wants
3545+ - Role 1 grive access to the table to Roles 2 and 3
3546+ - User 0 and 1 have the Role 2, so they can read table 1
3547+ - same for roles 3 and the users that have this roles
3548+ We have also 2 level off objects: Account Objects and Schema Objects. The schema objects are under the Database Object (which is an Account object)
3549+ - ACCOUNT OBJECTS: user, role, database, warehouse ...
3550+ - SCHEMA OBJECTS: table, view, stage, integration....
3551+ - Every object is owned by a single row
3552+ - Owner roles has all privileges by default
3553+
3554+ ### Key Concepts
3555+ - USER: Perople or system
3556+ - Role: entity taht receives the privileges
3557+ - Privilege: Level of access to an object (select, delete, create...)
3558+ - Securable Object: Object to which privileges can be granted
3559+
3560+ ## Snowflake Roles Overview
3561+ - there are 5 system defined roles
3562+ - ACCOUNTADMIN: can do all that opther roles do (limited users should have it)
3563+ - SECURITYADMIN: Do all USERADMIN can, manage users and roles, manage any object grant globally
3564+ - SYSADMIN: create WH and DB, recommended all custom roles are assigned this
3565+ - USERADMIN: dedicated to user and role management only, create roles and users
3566+ - PUBLIC: all user have this access, create own objects like other roles
3567+
3568+ ## ACCOUNTADMIN
3569+ - To level roles
3570+ - Manage & view all objects
3571+ - All configurations on account level
3572+ - All account operations (billing, create readear account)
3573+ - automatically assigned to first user
3574+ - Used mainly to initial setup & managin account level objects
3575+ BEST PRACTICES
3576+ - very controlled and few users should have it
3577+ - all user with it should have MFA
3578+ - at least 2 users should have this role
3579+ - avoid creating object with this role unless you have to
3580+
3581+ ## ACCOUNTADMIN in practice
3582+ - Select the ACCOUNTADMIN Role
3583+ - on UI you can then see the Account icon, enter on it, and you can manage
3584+ - Billing and payment
3585+ - reader account
3586+ - usage
3587+ - Users
3588+ - Roles
3589+ - sessions
3590+ - Policies
3591+ - Resource Monitor
3592+ - this role can also create MFA
3593+ - click arrow beside user > preferences > general > Enrol MFA > add phone number
3594+ - Can also set other account admins:
3595+ ``` sql
3596+ -- - User 1 ---
3597+ CREATE USER maria PASSWORD = ' 123'
3598+ DEFAULT_ROLE = ACCOUNTADMIN
3599+ MUST_CHANGE_PASSWORD = TRUE;
3600+
3601+ GRANT ROLE ACCOUNTADMIN TO USER maria;
3602+
3603+ -- - User 2 ---
3604+ CREATE USER frank PASSWORD = ' 123'
3605+ DEFAULT_ROLE = SECURITYADMIN
3606+ MUST_CHANGE_PASSWORD = TRUE;
3607+
3608+ GRANT ROLE SECURITYADMIN TO USER frank;
3609+
3610+ -- - User 3 ---
3611+ CREATE USER adam PASSWORD = ' 123'
3612+ DEFAULT_ROLE = SYSADMIN
3613+ MUST_CHANGE_PASSWORD = TRUE;
3614+ GRANT ROLE SYSADMIN TO USER adam;
3615+ ```
3616+
3617+ ## SECUTIRYADMIN
3618+ - Still have some access to Account tab, but limitedd
3619+ - Can create and manage users and roles
3620+ - Grant and Revoke privileges to roles
3621+
3622+ ## SECUTIRYADMIN in Practice
3623+ - we have created some roles before, lets re use them
3624+ - for this example we gonna create a sales Admin role as child of SYSADMIN, and a Sales Role as a child os Sales Admin
3625+ - Also, for testing, we will create a HR Admin Role (NOT CHILD OF SYSADMIN) and HR Role child of HR ADMIN (TO SHOW PROBLEMS)
3626+ ``` sql
3627+ -- SECURITYADMIN role --
3628+ -- Create and Manage Roles & Users --
3629+ -- Create Sales Roles & Users for SALES--
3630+ -- first login with frank account, created on past lecture
3631+ -- enter the context of SECURITYADMIN to perform below actions
3632+ create role sales_admin;
3633+ create role sales_users;
3634+
3635+ -- Create hierarchy
3636+ grant role sales_users to role sales_admin;
3637+
3638+ -- As per best practice assign roles to SYSADMIN
3639+ grant role sales_admin to role SYSADMIN;
3640+
3641+ -- create sales user
3642+ CREATE USER simon_sales PASSWORD = ' 123' DEFAULT_ROLE = sales_users
3643+ MUST_CHANGE_PASSWORD = TRUE;
3644+ GRANT ROLE sales_users TO USER simon_sales;
3645+
3646+ -- create user for sales administration
3647+ CREATE USER olivia_sales_admin PASSWORD = ' 123' DEFAULT_ROLE = sales_admin
3648+ MUST_CHANGE_PASSWORD = TRUE;
3649+ GRANT ROLE sales_admin TO USER olivia_sales_admin;
3650+
3651+ -- ---------------------------------
3652+ -- lets to the same thing here, but not assing the admin to sysadmin
3653+ -- Create Sales Roles & Users for HR--
3654+ create role hr_admin;
3655+ create role hr_users;
3656+
3657+ -- Create hierarchy
3658+ grant role hr_users to role hr_admin;
3659+
3660+ -- This time we will not assign roles to SYSADMIN (against best practice)
3661+ -- grant role hr_admin to role SYSADMIN;
3662+
3663+ -- create hr user
3664+ CREATE USER oliver_hr PASSWORD = ' 123' DEFAULT_ROLE = hr_users
3665+ MUST_CHANGE_PASSWORD = TRUE;
3666+ GRANT ROLE hr_users TO USER oliver_hr;
3667+
3668+ -- create user for sales administration
3669+ CREATE USER mike_hr_admin PASSWORD = ' 123' DEFAULT_ROLE = hr_admin
3670+ MUST_CHANGE_PASSWORD = TRUE;
3671+ GRANT ROLE hr_admin TO USER mike_hr_admin;
3672+ ```
3673+ - we used the SECURITYADMIN for its purpose or creating security via roles
3674+ - next lecture lets see why we need to assing admin roles to SYSADMIN
3675+
3676+ ## SYSADMIN
3677+ - Can create and manage objects: WH, DB , tables, etc
3678+ - Custom roles should be assigned to the SYSADMIN as the parent
3679+ - Then, this role has the ability to grant provileges on WH, DB, and other objects to the custom rols
3680+ - This is the recommended best practice
3681+
3682+ ## SYSADMIN in Practice
3683+ - for this practice we gonna create VW, DB and tables and assign it to the custom roles
3684+ ``` sql
3685+ -- SYSADMIN --
3686+ -- login as Adam, roles created in previous lecture
3687+ -- Create a warehouse of size X-SMALL
3688+ create warehouse public_wh with
3689+ warehouse_size= ' X-SMALL'
3690+ auto_suspend= 300
3691+ auto_resume= true
3692+
3693+ -- grant usage to role public
3694+ grant usage on warehouse public_wh
3695+ to role public
3696+
3697+ -- create a database accessible to everyone
3698+ create database common_db ;
3699+ grant usage on database common_db to role public;
3700+
3701+ -- create sales database for sales
3702+ create database sales_database ;
3703+ grant ownership on database sales_database to role sales_admin;
3704+ grant ownership on schema sales_database .public to role sales_admin
3705+
3706+ -- see the owner of each DB
3707+ SHOW DATABASES;
3708+
3709+ -- create database for hr
3710+ create database hr_db ;
3711+ -- grant the ownership to hr_admin
3712+ grant ownership on database hr_db to role hr_admin;
3713+ -- try to grant something else, not possible because hr_admin is not a child of SYSADMIN
3714+ -- we can no longer do anyrhing
3715+ -- it makes really hard to sysadmin to manage the roles
3716+ grant ownership on schema hr_db .public to role hr_admin;
3717+ ```
3718+
3719+ ## Custom Roles
3720+ - used to customize roles according to needs and also reflect the hierarchy on your company
3721+ - they are usually created by SECURITYADMIN
3722+ - also assigned to SYSADMIN to allow it to manage
3723+
3724+ ## Custom Roles in Practice
3725+ - we gonna reuse the roles created on previous lecture to test
3726+ - continue logged as Adam and on contect of sysadmin
3727+
3728+ ``` sql
3729+ -- select the roles to administrate sales objects
3730+ USE ROLE SALES_ADMIN;
3731+ USE SALES_DATABASE;
3732+
3733+ -- Create table - we are the owner of it
3734+ create or replace table customers (
3735+ id number ,
3736+ full_name varchar ,
3737+ email varchar ,
3738+ phone varchar ,
3739+ spent number ,
3740+ create_date DATE DEFAULT CURRENT_DATE );
3741+
3742+ -- insert values in table --
3743+ insert into customers (id, full_name, email,phone,spent)
3744+ values
3745+ (1 ,' Lewiss MacDwyer' ,' lmacdwyer0@un.org' ,' 262-665-9168' ,140 ),
3746+ (2 ,' Ty Pettingall' ,' tpettingall1@mayoclinic.com' ,' 734-987-7120' ,254 ),
3747+ (3 ,' Marlee Spadazzi' ,' mspadazzi2@txnews.com' ,' 867-946-3659' ,120 ),
3748+ (4 ,' Heywood Tearney' ,' htearney3@patch.com' ,' 563-853-8192' ,1230 ),
3749+ (5 ,' Odilia Seti' ,' oseti4@globo.com' ,' 730-451-8637' ,143 ),
3750+ (6 ,' Meggie Washtell' ,' mwashtell5@rediff.com' ,' 568-896-6138' ,600 );
3751+
3752+ SHOW TABLES;
3753+
3754+ -- query from table --
3755+ -- with roles sales_admin we should be able to query it
3756+ -- changing to sales_user we should not be able
3757+ SELECT * FROM CUSTOMERS;
3758+ USE ROLE SALES_USERS;
3759+ SELECT * FROM CUSTOMERS;
3760+
3761+
3762+ -- grant usage to role
3763+ USE ROLE SALES_ADMIN;
3764+
3765+ GRANT USAGE ON DATABASE SALES_DATABASE TO ROLE SALES_USERS;
3766+ GRANT USAGE ON SCHEMA SALES_DATABASE .PUBLIC TO ROLE SALES_USERS;
3767+ GRANT SELECT ON TABLE SALES_DATABASE .PUBLIC .CUSTOMERS TO ROLE SALES_USERS
3768+
3769+
3770+ -- Validate privileges --
3771+ USE ROLE SALES_USERS;
3772+ SELECT * FROM CUSTOMERS; -- able
3773+ DROP TABLE CUSTOMERS; -- not able
3774+ DELETE FROM CUSTOMERS; -- not able
3775+ SHOW TABLES;
3776+
3777+ -- grant DROP on table
3778+ -- now user should be able to delete
3779+ USE ROLE SALES_ADMIN;
3780+ GRANT DELETE ON TABLE SALES_DATABASE .PUBLIC .CUSTOMERS TO ROLE SALES_USERS
3781+ ```
3782+
3783+ ## USERADMIN
3784+ - dedicated to users and roles ( user and roles management )
3785+ - the diferenece between this and securityadmin is that this one cant grant much privileges (only to the object it owns)
3786+
3787+ ## USERADMNI in Practice
3788+ - lets try to solve the HR_ADMIN Problem with objects created that are not linked to sysadmin
3789+ ``` sql
3790+ -- USERADMIN --
3791+ -- set the context to USERADMIN
3792+ -- - User 4 ---
3793+ CREATE USER ben PASSWORD = ' 123'
3794+ DEFAULT_ROLE = ACCOUNTADMIN
3795+ MUST_CHANGE_PASSWORD = TRUE;
3796+
3797+ -- try to grant the role using useradmin, will not work
3798+ -- then try with sysadmin, should work
3799+ GRANT ROLE HR_ADMIN TO USER ben;
3800+
3801+ SHOW ROLES;
3802+ -- with secutiry admin you can the fix the HR_ADMIN not linked to SYSADMIN
3803+ -- this is thge main difference: USER ADMIN cant grant accesss to other roles, because it has small priovileges
3804+ GRANT ROLE HR_ADMIN TO ROLE SYSADMIN;
3805+ ```
3806+
3807+ ## PUBLIC
3808+ - Least privileged roles
3809+ - every user have this roles
3810+ - can own objects, and this is avaialbe to all users
3811+ - useful for data that should be accessible to everyone
3812+ - the last one in the hierarchy
3813+
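Review bot: In the USERADMIN block, the user ben is created with `DEFAULT_ROLE = ACCOUNTADMIN` although the whole point of that block is to grant him HR_ADMIN; DEFAULT_ROLE does not by itself grant a role, but this reads as a copy of the ACCOUNTADMIN example and will mislead anyone who pastes it, so make it DEFAULT_ROLE = HR_ADMIN. The comment just above the GRANT ROLE HR_ADMIN TO USER ben statement ("then try with sysadmin, should work") also contradicts the page's own model: HR_ADMIN was created in the SECURITYADMIN context and was deliberately not granted to SYSADMIN, so neither USERADMIN nor SYSADMIN owns it and only SECURITYADMIN, which the page describes as managing any grant globally, can grant it; the later comment ("with security admin you can then fix the HR_ADMIN not linked to SYSADMIN") is the correct one, so align the earlier comment with it. Related comment mismatch in the custom-roles block: "-- grant DROP on table" precedes `GRANT DELETE ON TABLE SALES_DATABASE .PUBLIC .CUSTOMERS TO ROLE SALES_USERS`, which grants DELETE, and the validation step just before it already shows DROP as "not able" for the non-owning role; change the comment to say DELETE so readers do not expect the drop to succeed. Every CREATE USER in the hunk, including the ones for ACCOUNTADMIN, SECURITYADMIN and SYSADMIN holders, uses the same password `' 123'` with a leading space; MUST_CHANGE_PASSWORD = TRUE only takes effect after a first login with that value, so use a distinct strong placeholder per user and drop the stray space. Several statements are also missing their terminating semicolon (the create warehouse public_wh block, the grant usage on warehouse public_wh line, the grant ownership on schema sales_database.public line, and both GRANT ... TO ROLE SALES_USERS lines in the custom-roles block), which breaks the blocks when run as a script rather than statement by statement; and "Every object is owned by a single row" under the ownership bullets should read "single role".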