Roles

Overview

Slingshot access control consists of two components:

  • Role determines what visibility and actions a user has in Slingshot. When a role is assigned to the parent org, the role has access to all of its child units.
    ℹ️
    To assign orgs and roles to users, go to User Management.
  • Org determines which objects a user can access in Slingshot. When a role is assigned to the parent org, the role has access to all of its child units.
    ℹ️
    • To manage orgs, go to Slingshot tags > Manage tags.
    • To assign orgs to objects, go to Assign Snowflake objects.

Your assigned role and org (permission tag) determine what you can see and do in Slingshot. Slingshot has 6 roles. Each role can be assigned to multiple users.

  • Tenant admin: Configure, view, review requests (level 1 and 2), action and receive email notifications on the entire tenant

  • Snowflake admin: Configure assigned org and platform, view, review requests (level 1 and 2), perform actions and receive email notifications on objects in the assigned org and platform

  • Snowflake owner: View, perform actions, and receive email notifications on objects in the assigned org and platform

  • Snowflake viewer: View objects in the assigned org and platform

  • Snowflake approver 1: View and review requests (level 1) on objects in the assigned org and platform

    ℹ️
    Note: Assigning this role indicates the assigned org requires at least 1 level of approvals.
  • Snowflake approver 2: View and review requests (level 2) on objects in the assigned org and platform

    ℹ️
    Note: Assigning this role indicates the assigned org requires 2 levels of approvals.

Comparison

Tenant admin

Snowflake admin

Snowflake owner

Snowflake viewer

Snowflake approver 1 & 2

Account

Plan

Manage

-

-

-

-

Value report

View

View

View

View

View

Configuration

User management

Assign role and org

Assign role and org

-

-

-

Snowflake accounts

Connect

Connect

-

-

-

Snowflake objects

Assign org

Assign org

-

-

-

Slingshot tags

Manage tag, manage org, assign tag

Manage tag, manage unit (child), assign tag

Assign tag

-

-

Warehouse alerts

Manage alerts

-

-

-

-

Snowflake

Warehouses

Create, manage, modify, drop

Create, manage, modify, drop

Create, manage, modify, drop

View

View

Manage alerts

Manage alerts

Manage alerts

-

-

Databases

Assign

Assign

Assign

View

View

Warehouse recommendations

Apply

Apply

Apply

View

View

Manage alerts

Manage alerts

Manage alerts

-

-

Dashboards

Cost

View

View

View

View

View

Usage & Performance

View

View

View

View

View

Request

Request

Request

Request

Request

View

-

Approval

Review (approve / decline)

Review (approve / decline)

-

-

Review (approve / decline)

Tool

Query Advisor

Use

Use

Use

Use

Use

Usage notes

  • Tenant admin role must be assigned by mapping LDAP groups.
  • Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
    • *Approver 2 will be assignable to users in the User Management page in an upcoming release.
  • Roles that are not Tenant admin or Approver can be assigned with a hybrid approach of both assigning users in the User Management page or mapping LDAP groups. If a user, who belongs to a LDAP group that is mapped to a role in Slingshot is also assigned a role in the User management page, the user gets both roles.
  • Admins can manage orgs (permission tag) in the Slingshot tags page.

Approvals

As you put in controls and governance in Slingshot, you can leverage approvals. Approvals are up to 2 levels and available for these requests:

  • Snowflake requests
    • Create warehouse
    • Manage warehouse
    • Modify warehouse
    • Drop warehouse
    • Apply recommendation on warehouse

Roles for request and approval

A few roles can interact with approvals. Each role can be assigned to multiple users.

  • Create a request:
    • Tenant admin
    • Snowflake admin
    • Snowflake owner
  • Review (approve / decline) the request level 1:
    • Tenant admin
    • Snowflake admin
    • Snowflake approver 1
  • Review (approve / decline) the request level 2:
    • Tenant admin
    • Snowflake admin
    • Snowflake approver 2 (will be assignable to users in the User Management page in an upcoming release)

Levels of approvals

Each org (permission tag) has the same level of approvals. Levels of approvals preference is determined by if Approver 1 or Approver 2 roles are assigned for the org.

  • 0 level: No approvals; the request is automatically closed
  • 1 level: If request level 1 is approved / declined by any user of the assigned roles, the request is closed
  • 2 levels:
    • If request level 1 is declined by any user of the assigned roles, the request is closed.
    • If request level 1 is approved by any user of the assigned roles, the request proceeds to level 2.
      • If request level 2 is approved / declined by any user of the assigned roles, the request is closed.

Usage notes

  • Tenant admin and Snowflake admin have the privilege to review the request at either level.
  • Approver roles can be assigned by either assigning users in the User Management page* or mapping LDAP groups. Learn more in the Approvals section.
    • *Approver 2 will be assignable to users in the User Management page in an upcoming release.
  • You can manage orgs (permission tag) in the Slingshot tags page.

Example

Imagine you have 3 different teams: “Analytics”, “Business Intelligence”, and “Corporate development”.

  • If the “Analytics” org does not want any approval flow, then you will not assign the Approver 1 or Approver 2 roles.
  • If the “Business intelligence” org wants any of Bai, Ben, Billie or Brooke to approve requests, then you will
    • Assign Bai, Ben, Billie, and Brooke to Approver 1.
  • If the “Corporate development” org wants any of Casey, Cameron, Charlie or Corey to approve first, and then Dani, Damien, Devi or Dylan to approve as the second level, then you will:
    • Assign Casey, Cameron, Charlie and Corey to Approver 1.
    • Assign Dani, Damien, Devi and Dylan to Approver 2.