Roles

Your assigned role and org (permission tag) determine what you can see and do in Slingshot. Slingshot has 6 roles. Each role can be assigned to multiple users.

  • Tenant admin: Configure, view, review requests (level 1 and 2), action and receive email notifications on the entire tenant

  • Org admin: View and receive email notifications on the assigned org

    ℹ️
    This role will gain privileges to configure, review requests (level 1 and 2) and action on the assigned org in an upcoming release
  • Owner: View, action and receive email notifications on the assigned org

  • Viewer: View on the assigned org

  • Approver 1: View and review requests (level 1) on the assigned org

    ℹ️
    Note: Assigning this role indicates the assigned org requires at least 1 level of approvals.
  • Approver 2: View and review requests (level 2) on the assigned org

    ℹ️
    Note: Assigning this role indicates the assigned org requires 2 levels of approvals.

Comparison

Tenant admin

Org admin

Owner

Viewer

Approver 1 & 2

Account

Plan

Manage

-

-

-

-

Value report

View

View

View

View

View

Configuration

Snowflake accounts

Assign

-

-

-

-

Snowflake objects

Assign

-

-

-

-

Slingshot tags

Manage, assign

-

Assign

-

-

Snowflake

Warehouses

Create, manage, modify, drop

View

Create, manage, modify, drop

View

View

Databases

Assign

View

Assign

View

View

Recommendations

Apply

View

Apply

View

View

Dashboards

Cost

View

View

View

View

View

Usage & Performance

View

View

View

View

View

Request

Request

Request

View

Request

View

-

Approval

Review (approve / decline)

-

-

-

Review (approve / decline)

Tool

Query Advisor

Use

Use

Use

Use

Use

Usage notes

  • Tenant admin role must be assigned by mapping LDAP groups.
  • Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
    • *Approver 2 will be assignable to users in the User Management page in an upcoming release.
  • Roles that are not Tenant admin or Approver can be assigned with a hybrid approach of both assigning users in the User Management page or mapping LDAP groups. If a user, who belongs to a LDAP group that is mapped to a role in Slingshot is also assigned a role in the User management page, the user gets both roles.
  • You can manage orgs (permission tag) in the Slingshot tags page.

Approvals

As you put in controls and governance in Slingshot, you can leverage approvals. Approvals are up to 2 levels and available for these requests:

  • Snowflake requests
    • Create warehouse
    • Manage warehouse
    • Modify warehouse
    • Drop warehouse
    • Apply recommendation on warehouse

Roles for request and approval

A few roles can interact with approvals. Each role can be assigned to multiple users.

  • Create a request:
    • Tenant admin
    • Org admin (will gain privilege in an upcoming release)
    • Owner
  • Review (approve / decline) the request level 1:
    • Tenant admin
    • Org admin (will gain privilege in an upcoming release)
    • Approver 1
  • Review (approve / decline) the request level 2:
    • Tenant admin
    • Org admin (will gain privilege in an upcoming release)
    • Approver 2 (will be assignable to users in the User Management page in an upcoming release)

Levels of approvals

Each org (permission tag) has the same level of approvals. Levels of approvals preference is determined by if Approver 1 or Approver 2 roles are assigned for the org.

  • 0 level: No approvals; the request is automatically closed
  • 1 level: If request level 1 is approved / declined by any user of the assigned roles, the request is closed
  • 2 levels:
    • If request level 1 is declined by any user of the assigned roles, the request is closed.
    • If request level 1 is approved by any user of the assigned roles, the request proceeds to level 2.
      • If request level 2 is approved / declined by any user of the assigned roles, the request is closed.

Usage notes

  • Tenant admin and Org admin (will gain privilege in an upcoming release) have the privilege to review the request at either level.
  • Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
    • *Approver 2 will be assignable to users in the User Management page in an upcoming release.
  • You can manage orgs (permission tag) in the Slingshot tags page.

Examples

  • Assign Approvers for an org by either assigning users in the User Management page or mapping LDAP groups
    • When no Approver is assigned for an org, the org requires 0 level approval
    • When Approver 1 is assigned for an org, the org requires 1 level approval
    • When Approver 2 is assigned for an org, the org requires 2 levels approval
  • Switch Approvers for an org from mapping LDAP groups to assigning users in the User Management page
    • When no Approver is assigned for an org in the User Management page, the org requires 0 level approval
    • When Approver 1 is assigned for an org in the User Management page, the org requires 1 level approval
    • When Approver 2 is assigned for an org in the User Management page, the org requires 2 levels approval
  • Switch Approvers for an org from assigning users in the User Management page to mapping LDAP groups
    • When no Approver is assigned for an org by mapping LDAP groups, the org requires 0 level approval
    • When Approver 1 is assigned for an org by mapping LDAP groups, the org requires 1 level approval
    • When Approver 2 is assigned for an org by mapping LDAP groups, the org requires 2 levels approval