Roles
Your assigned role and org (permission tag) determine what you can see and do in Slingshot. Slingshot has 6 roles. Each role can be assigned to multiple users.
Tenant admin: Configure, view, review requests (level 1 and 2), action and receive email notifications on the entire tenant
Org admin: View and receive email notifications on the assigned org
ℹ️This role will gain privileges to configure, review requests (level 1 and 2) and action on the assigned org in an upcoming releaseOwner: View, action and receive email notifications on the assigned org
Viewer: View on the assigned org
Approver 1: View and review requests (level 1) on the assigned org
ℹ️Note: Assigning this role indicates the assigned org requires at least 1 level of approvals.Approver 2: View and review requests (level 2) on the assigned org
ℹ️Note: Assigning this role indicates the assigned org requires 2 levels of approvals.
Comparison
Tenant admin | Org admin | Owner | Viewer | Approver 1 & 2 | ||
---|---|---|---|---|---|---|
Account | Plan | Manage | - | - | - | - |
Value report | View | View | View | View | View | |
Configuration | Snowflake accounts | Assign | - | - | - | - |
Snowflake objects | Assign | - | - | - | - | |
Slingshot tags | Manage, assign | - | Assign | - | - | |
Snowflake | Warehouses | Create, manage, modify, drop | View | Create, manage, modify, drop | View | View |
Databases | Assign | View | Assign | View | View | |
Recommendations | Apply | View | Apply | View | View | |
Dashboards | Cost | View | View | View | View | View |
Usage & Performance | View | View | View | View | View | |
Request | Request | Request | View | Request | View | - |
Approval | Review (approve / decline) | - | - | - | Review (approve / decline) | |
Tool | Query Advisor | Use | Use | Use | Use | Use |
Usage notes
- Tenant admin role must be assigned by mapping LDAP groups.
- Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
- *Approver 2 will be assignable to users in the User Management page in an upcoming release.
- Roles that are not Tenant admin or Approver can be assigned with a hybrid approach of both assigning users in the User Management page or mapping LDAP groups. If a user, who belongs to a LDAP group that is mapped to a role in Slingshot is also assigned a role in the User management page, the user gets both roles.
- You can manage orgs (permission tag) in the Slingshot tags page.
Approvals
As you put in controls and governance in Slingshot, you can leverage approvals. Approvals are up to 2 levels and available for these requests:
- Snowflake requests
- Create warehouse
- Manage warehouse
- Modify warehouse
- Drop warehouse
- Apply recommendation on warehouse
Roles for request and approval
A few roles can interact with approvals. Each role can be assigned to multiple users.
- Create a request:
- Tenant admin
- Org admin (will gain privilege in an upcoming release)
- Owner
- Review (approve / decline) the request level 1:
- Tenant admin
- Org admin (will gain privilege in an upcoming release)
- Approver 1
- Review (approve / decline) the request level 2:
- Tenant admin
- Org admin (will gain privilege in an upcoming release)
- Approver 2 (will be assignable to users in the User Management page in an upcoming release)
Levels of approvals
Each org (permission tag) has the same level of approvals. Levels of approvals preference is determined by if Approver 1 or Approver 2 roles are assigned for the org.
- 0 level: No approvals; the request is automatically closed
- 1 level: If request level 1 is approved / declined by any user of the assigned roles, the request is closed
- 2 levels:
- If request level 1 is declined by any user of the assigned roles, the request is closed.
- If request level 1 is approved by any user of the assigned roles, the request proceeds to level 2.
- If request level 2 is approved / declined by any user of the assigned roles, the request is closed.
Usage notes
- Tenant admin and Org admin (will gain privilege in an upcoming release) have the privilege to review the request at either level.
- Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
- *Approver 2 will be assignable to users in the User Management page in an upcoming release.
- You can manage orgs (permission tag) in the Slingshot tags page.
Examples
- Assign Approvers for an org by either assigning users in the User Management page or mapping LDAP groups
- When no Approver is assigned for an org, the org requires 0 level approval
- When Approver 1 is assigned for an org, the org requires 1 level approval
- When Approver 2 is assigned for an org, the org requires 2 levels approval
- Switch Approvers for an org from mapping LDAP groups to assigning users in the User Management page
- When no Approver is assigned for an org in the User Management page, the org requires 0 level approval
- When Approver 1 is assigned for an org in the User Management page, the org requires 1 level approval
- When Approver 2 is assigned for an org in the User Management page, the org requires 2 levels approval
- Switch Approvers for an org from assigning users in the User Management page to mapping LDAP groups
- When no Approver is assigned for an org by mapping LDAP groups, the org requires 0 level approval
- When Approver 1 is assigned for an org by mapping LDAP groups, the org requires 1 level approval
- When Approver 2 is assigned for an org by mapping LDAP groups, the org requires 2 levels approval