Roles
Overview
Slingshot access control consists of two components:
- Role determines what visibility and actions a user has in Slingshot. When a role is assigned to the parent org, the role has access to all of its child units.
  ℹ️ To assign orgs and roles to users, go to User Management.
- Org determines which objects a user can access in Slingshot. When a role is assigned to the parent org, the role has access to all of its child units.
  ℹ️
  - To manage orgs, go to Slingshot tags > Manage tags.
  - To assign orgs to objects, go to Assign Snowflake objects.
Your assigned role and org (permission tag) determine what you can see and do in Slingshot. Slingshot has 6 roles. Each role can be assigned to multiple users.
Tenant admin: Configure, view, review requests (level 1 and 2), perform actions and receive email notifications on the entire tenant
Snowflake admin: Configure assigned org and platform, view, review requests (level 1 and 2), perform actions and receive email notifications on objects in the assigned org and platform
Snowflake owner: View, perform actions, and receive email notifications on objects in the assigned org and platform
Snowflake viewer: View objects in the assigned org and platform
Snowflake approver 1: View and review requests (level 1) on objects in the assigned org and platform
ℹ️ Note: Assigning this role indicates the assigned org requires at least 1 level of approvals.
Snowflake approver 2: View and review requests (level 2) on objects in the assigned org and platform
ℹ️ Note: Assigning this role indicates the assigned org requires 2 levels of approvals.
Comparison
| | | Tenant admin | Snowflake admin | Snowflake owner | Snowflake viewer | Snowflake approver 1 & 2 |
|---|---|---|---|---|---|---|
| Account | Plan | Manage | - | - | - | - |
| | Value report | View | View | View | View | View |
| Configuration | User management | Assign role and org | Assign role and org | - | - | - |
| | Snowflake accounts | Connect | Connect | - | - | - |
| | Snowflake objects | Assign org | Assign org | - | - | - |
| | Slingshot tags | Manage tag, manage org, assign tag | Manage tag, manage unit (child), assign tag | Assign tag | - | - |
| | Warehouse alerts | Manage alerts | - | - | - | - |
| Snowflake | | | | | | |
| | Warehouses | Create, manage, modify, drop | Create, manage, modify, drop | Create, manage, modify, drop | View | View |
| | | Manage alerts | Manage alerts | Manage alerts | - | - |
| | Databases | Assign | Assign | Assign | View | View |
| | Warehouse recommendations | Apply | Apply | Apply | View | View |
| | | Manage alerts | Manage alerts | Manage alerts | - | - |
| Dashboards | Cost Analysis & Warehouse Performance | View | View | View | View | View |
| | Contract Analysis & Usage Analysis | View | - | - | - | - |
| Request | Request | Request | Request | Request | View | - |
| | Approval | Review (approve / decline) | Review (approve / decline) | - | - | Review (approve / decline) |
| Tool | Query Advisor | Use | Use | Use | Use | Use |
Usage notes
- Tenant admin roles must be assigned by mapping LDAP groups.
- Approver roles can be assigned either by assigning users on the User management page* or by mapping LDAP groups, but assigning users via a second method will override the previous assignments.
  - For example, mapping LDAP groups and then assigning users on the User management page will override the previous LDAP group assignments. Learn more in the Approvals section.
  ℹ️ *Approver 2 will be assignable to users on the User management page in an upcoming release.
- Roles that are neither Tenant admin nor Approver can be assigned to users on the User management page, by mapping LDAP groups, or by both methods without overriding previous assignments.
  - For example, if a user belonging to an LDAP group that is mapped to a role in Slingshot is also assigned a role on the User management page, the user gets both roles.
- Tenant admin and Snowflake admin have the privilege to review the request at either level.
- Admin roles can manage orgs (permission tags) on the Slingshot tags page.
- Users who are assigned org roles (via the User management UI page) automatically receive org role-based email notifications.
Approvals
As you put controls and governance in place in Slingshot, you can use approvals. Approvals have up to 2 levels and are available for these requests:
- Snowflake requests
  - Create warehouse
  - Manage warehouse
  - Modify warehouse
  - Drop warehouse
  - Apply recommendation on warehouse
Roles for request and approval
A few roles can interact with approvals. Each role can be assigned to multiple users.
- Create a request:
  - Tenant admin
  - Snowflake admin
  - Snowflake owner
- Review (approve / decline) the request level 1:
  - Tenant admin
  - Snowflake admin
  - Snowflake approver 1
- Review (approve / decline) the request level 2:
  - Tenant admin
  - Snowflake admin
  - Snowflake approver 2 (will be assignable to users in the User Management page in an upcoming release)
Levels of approvals
Each org (permission tag) has the same level of approvals. The number of approval levels is determined by whether the Approver 1 or Approver 2 roles are assigned for the org.
- 0 level: No approvals; the request is automatically closed
- 1 level: If request level 1 is approved / declined by any user of the assigned roles, the request is closed
- 2 levels:
  - If request level 1 is declined by any user of the assigned roles, the request is closed.
  - If request level 1 is approved by any user of the assigned roles, the request proceeds to level 2.
  - If request level 2 is approved / declined by any user of the assigned roles, the request is closed.
Example
Imagine you have 3 different teams: “Analytics”, “Business Intelligence”, and “Corporate development”.
- If the “Analytics” org does not want any approval flow, then you will not assign the Approver 1 or Approver 2 roles.
- If the “Business Intelligence” org wants any of Bai, Ben, Billie or Brooke to approve requests, then you will:
  - Assign Bai, Ben, Billie, and Brooke to Approver 1.
- If the “Corporate development” org wants any of Casey, Cameron, Charlie or Corey to approve first, and then Dani, Damien, Devi or Dylan to approve as the second level, then you will:
  - Assign Casey, Cameron, Charlie and Corey to Approver 1.
  - Assign Dani, Damien, Devi and Dylan to Approver 2.
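
The levels-of-approvals rules and the three-team example above can be checked with a small model. This is an added example, not Slingshot code: the function names, the `ORGS` structure and the status strings are hypothetical, and the sample assignments are constructed from the example teams.

```python
# Illustrative model of the approval rules on this page; not Slingshot code.
# All function names and data structures are hypothetical.

# Tenant admin and Snowflake admin may review at either level. Tenant admin
# is tenant-wide in Slingshot; this model lists it per org for simplicity.
ADMIN_ROLES = {"Tenant admin", "Snowflake admin"}

def approval_levels(org_roles):
    """Levels an org requires, derived from which approver roles are assigned."""
    if org_roles.get("Snowflake approver 2"):
        return 2
    if org_roles.get("Snowflake approver 1"):
        return 1
    return 0

def can_review(org_roles, user, level):
    """True if user holds a role allowed to review at this level in the org."""
    allowed = ADMIN_ROLES | {f"Snowflake approver {level}"}
    return any(user in org_roles.get(role, ()) for role in allowed)

def run_request(org_roles, reviews):
    """Replay (user, decision) pairs; return (status, audit_trail)."""
    levels, current, trail = approval_levels(org_roles), 1, []
    if levels == 0:
        return "closed (no approval required)", trail
    for user, decision in reviews:
        if decision not in ("approve", "decline"):
            raise ValueError(f"unknown decision: {decision!r}")
        if not can_review(org_roles, user, current):
            # Keep the attempt in the trail instead of applying it.
            trail.append((current, user, "rejected: not a reviewer"))
            continue
        trail.append((current, user, decision))
        if decision == "decline":
            return f"closed (declined at level {current})", trail
        if current == levels:
            return f"closed (approved at level {current})", trail
        current += 1
    return f"pending level {current} review", trail

# Constructed sample data mirroring the three teams in the example above.
ORGS = {
    "Analytics": {},
    "Business Intelligence": {
        "Snowflake approver 1": {"Bai", "Ben", "Billie", "Brooke"}},
    "Corporate development": {
        "Snowflake approver 1": {"Casey", "Cameron", "Charlie", "Corey"},
        "Snowflake approver 2": {"Dani", "Damien", "Devi", "Dylan"}},
}
```

Replaying a role export through `approval_levels` shows which orgs close requests with no review at all, and the audit trail records review attempts by users who do not hold a reviewing role for the current level.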