Roles
Overview
Slingshot access control consists of two components:
- Role determines what visibility and actions a user has in Slingshot. When a role is assigned to the parent org, the role has access to all of its child units.ℹ️To assign orgs and roles to users, go to User Management.
- Org determines which objects a user can access in Slingshot. When a role is assigned to the parent org, the role has access to all of its child units.ℹ️
- To manage orgs, go to Slingshot tags > Manage tags.
- To assign orgs to objects, go to Assign Snowflake objects.
Your assigned role and org (permission tag) determine what you can see and do in Slingshot. Slingshot has 6 roles. Each role can be assigned to multiple users.
Tenant admin: Configure, view, review requests (level 1 and 2), action and receive email notifications on the entire tenant
Snowflake admin: Configure assigned org and platform, view, review requests (level 1 and 2), perform actions and receive email notifications on objects in the assigned org and platform
Snowflake owner: View, perform actions, and receive email notifications on objects in the assigned org and platform
Snowflake viewer: View objects in the assigned org and platform
Snowflake approver 1: View and review requests (level 1) on objects in the assigned org and platform
ℹ️Note: Assigning this role indicates the assigned org requires at least 1 level of approvals.Snowflake approver 2: View and review requests (level 2) on objects in the assigned org and platform
ℹ️Note: Assigning this role indicates the assigned org requires 2 levels of approvals.
Comparison
Tenant admin | Snowflake admin | Snowflake owner | Snowflake viewer | Snowflake approver 1 & 2 | ||
---|---|---|---|---|---|---|
Account | Plan | Manage | - | - | - | - |
Value report | View | View | View | View | View | |
Configuration | User management | Assign role and org | Assign role and org | - | - | - |
Snowflake accounts | Connect | Connect | - | - | - | |
Snowflake objects | Assign org | Assign org | - | - | - | |
Slingshot tags | Manage tag, manage org, assign tag | Manage tag, manage unit (child), assign tag | Assign tag | - | - | |
Warehouse alerts | Manage alerts | - | - | - | - | |
Snowflake | ||||||
Warehouses | Create, manage, modify, drop | Create, manage, modify, drop | Create, manage, modify, drop | View | View | |
Manage alerts | Manage alerts | Manage alerts | - | - | ||
Databases | Assign | Assign | Assign | View | View | |
Warehouse recommendations | Apply | Apply | Apply | View | View | |
Manage alerts | Manage alerts | Manage alerts | - | - | ||
Dashboards | Cost | View | View | View | View | View |
Usage & Performance | View | View | View | View | View | |
Request | Request | Request | Request | Request | View | - |
Approval | Review (approve / decline) | Review (approve / decline) | - | - | Review (approve / decline) | |
Tool | Query Advisor | Use | Use | Use | Use | Use |
Usage notes
- Tenant admin role must be assigned by mapping LDAP groups.
- Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
- *Approver 2 will be assignable to users in the User Management page in an upcoming release.
- Roles that are not Tenant admin or Approver can be assigned with a hybrid approach of both assigning users in the User Management page or mapping LDAP groups. If a user, who belongs to a LDAP group that is mapped to a role in Slingshot is also assigned a role in the User management page, the user gets both roles.
- Admins can manage orgs (permission tag) in the Slingshot tags page.
Approvals
As you put in controls and governance in Slingshot, you can leverage approvals. Approvals are up to 2 levels and available for these requests:
- Snowflake requests
- Create warehouse
- Manage warehouse
- Modify warehouse
- Drop warehouse
- Apply recommendation on warehouse
Roles for request and approval
A few roles can interact with approvals. Each role can be assigned to multiple users.
- Create a request:
- Tenant admin
- Snowflake admin
- Snowflake owner
- Review (approve / decline) the request level 1:
- Tenant admin
- Snowflake admin
- Snowflake approver 1
- Review (approve / decline) the request level 2:
- Tenant admin
- Snowflake admin
- Snowflake approver 2 (will be assignable to users in the User Management page in an upcoming release)
Levels of approvals
Each org (permission tag) has the same level of approvals. Levels of approvals preference is determined by if Approver 1 or Approver 2 roles are assigned for the org.
- 0 level: No approvals; the request is automatically closed
- 1 level: If request level 1 is approved / declined by any user of the assigned roles, the request is closed
- 2 levels:
- If request level 1 is declined by any user of the assigned roles, the request is closed.
- If request level 1 is approved by any user of the assigned roles, the request proceeds to level 2.
- If request level 2 is approved / declined by any user of the assigned roles, the request is closed.
Usage notes
- Tenant admin and Snowflake admin have the privilege to review the request at either level.
- Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
- *Approver 2 will be assignable to users in the User Management page in an upcoming release.
- You can manage orgs (permission tag) in the Slingshot tags page.
Example
Imagine you have 3 different teams: “Analytics”, “Business Intelligence”, and “Corporate development”.
- If the “Analytics” org does not want any approval flow, then you will not assign the Approver 1 or Approver 2 roles.
- If the “Business intelligence” org wants any of Bai, Ben, Billie or Brooke to approve requests, then you will
- Assign Bai, Ben, Billie, and Brooke to Approver 1.
- If the “Corporate development” org wants any of Casey, Cameron, Charlie or Corey to approve first, and then Dani, Damien, Devi or Dylan to approve as the second level, then you will:
- Assign Casey, Cameron, Charlie and Corey to Approver 1.
- Assign Dani, Damien, Devi and Dylan to Approver 2.