Goal: Avoid giving ACCOUNTADMIN to everyone and build clean role structures.
Why Role Hierarchy Matters
Snowflake RBAC is designed so privileges flow downward from higher-level roles to lower-level roles.
By creating a clear hierarchy, you:
- Reduce the risk of privilege overreach.
- Make access easier to audit and manage.
- Follow the principle of least privilege.
Recommended Role Hierarchy
ACCOUNTADMIN
↓
SECURITYADMIN
↓
SYSADMIN
↓
Custom Business Roles
- ACCOUNTADMIN – Full control, rarely used.
- SECURITYADMIN – Manages users and roles.
- SYSADMIN – Manages objects (databases, warehouses, etc.).
- Custom Business Roles – Specific access for departments or use cases.
🚀 Copy & Paste: Role Hierarchy Setup
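```sql
-- Create business roles
CREATE ROLE reporting;
CREATE ROLE data_engineering;

-- Assign privileges to roles
-- (USAGE on the parent database and schema is required before table or schema privileges can be used)
GRANT USAGE ON WAREHOUSE wh_analytics TO ROLE reporting;
GRANT USAGE ON DATABASE sales TO ROLE reporting;
GRANT USAGE ON SCHEMA sales.public TO ROLE reporting;
GRANT SELECT ON ALL TABLES IN SCHEMA sales.public TO ROLE reporting;

GRANT USAGE ON WAREHOUSE wh_etl TO ROLE data_engineering;
GRANT USAGE ON DATABASE raw TO ROLE data_engineering;
GRANT USAGE ON SCHEMA raw.public TO ROLE data_engineering;
GRANT CREATE TABLE ON SCHEMA raw.public TO ROLE data_engineering;

-- Link roles into the hierarchy
GRANT ROLE reporting TO ROLE sysadmin;
GRANT ROLE data_engineering TO ROLE sysadmin;
```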
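To check that an account actually follows this structure, the audit below lists users who hold ACCOUNTADMIN directly and custom roles that are not linked under SYSADMIN. It is an added example, not part of the original post; it assumes the running role can read the `SNOWFLAKE.ACCOUNT_USAGE` views, which lag behind live grants.

```sql
-- Added example (not from the original post).
-- Assumption: the current role can read SNOWFLAKE.ACCOUNT_USAGE.
-- These views are not real-time; very recent grants may not appear yet.

-- 1) Users currently holding ACCOUNTADMIN directly. Keep this list short.
SELECT grantee_name AS user_name,
       granted_by,
       created_on
FROM snowflake.account_usage.grants_to_users
WHERE role = 'ACCOUNTADMIN'
  AND deleted_on IS NULL
ORDER BY created_on;

-- 2) Custom roles that do not roll up to SYSADMIN through role-to-role grants.
WITH RECURSIVE role_edges AS (
    -- One row per active "GRANT ROLE child TO ROLE parent"
    SELECT grantee_name AS parent_role,
           name         AS child_role
    FROM snowflake.account_usage.grants_to_roles
    WHERE granted_on = 'ROLE'
      AND granted_to = 'ROLE'
      AND privilege  = 'USAGE'
      AND deleted_on IS NULL
),
under_sysadmin (role_name) AS (
    -- Anchor: start at SYSADMIN (cast so longer role names are not truncated)
    SELECT 'SYSADMIN'::VARCHAR
    UNION ALL
    -- Recursive step: walk down to every role granted to a role already found
    SELECT e.child_role
    FROM role_edges e
    JOIN under_sysadmin u ON e.parent_role = u.role_name
)
SELECT r.name AS role_outside_hierarchy,
       r.owner,
       r.created_on
FROM snowflake.account_usage.roles r
WHERE r.deleted_on IS NULL
  AND r.role_type = 'ROLE'  -- account-level roles only, not database roles
  AND r.name NOT IN (SELECT role_name FROM under_sysadmin)
  AND r.name NOT IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN',
                     'ORGADMIN', 'PUBLIC')
ORDER BY r.created_on;
```

After running the setup above, `REPORTING` and `DATA_ENGINEERING` should not appear in the second result; any role that does is one SYSADMIN cannot manage through the hierarchy.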