ACCESS CONTROL IN SNOWFLAKE
---------------------------
1. WHAT IS ACCESS CONTROL IN SNOWFLAKE
ACCESS CONTROL DETERMINES WHO CAN ACCESS DATABASE OBJECTS AND WHICH OPERATIONS THEY CAN PERFORM
ON SPECIFIC OBJECTS IN SNOWFLAKE.
SNOWFLAKE SUPPORTS AND COMBINES BOTH OF THE ACCESS CONTROL MODELS BELOW.
DAC (DISCRETIONARY ACCESS CONTROL):
---------------------------------
EACH OBJECT HAS AN OWNER, WHO CAN IN TURN GRANT ACCESS TO THAT OBJECT.
RBAC(ROLE BASED ACCESS CONTROL):
ACCESS PRIVILEGES ARE ASSIGNED TO ROLES, WHICH ARE IN TURN ASSIGNED TO USERS (AND TO OTHER ROLES, FORMING A HIERARCHY).
ACCOUNT ADMIN:
--------------
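-- 1. User1 - Account Admin
-- NOTE(review): ACCOUNTADMIN is the most privileged role in the account. Keep it on
-- as few users as possible, require MFA for those users, and prefer NOT to make it
-- the DEFAULT_ROLE so it is only assumed deliberately (USE ROLE ACCOUNTADMIN) rather
-- than on every login. It is kept as DEFAULT_ROLE here only to follow the tutorial.
-- Passwords below are placeholders: the original used one weak password ('abc123')
-- for every user. Use a strong, unique value per user and keep
-- MUST_CHANGE_PASSWORD = TRUE so the bootstrap secret is rotated at first login.
CREATE USER Donald PASSWORD = '<strong-unique-password>'
  DEFAULT_ROLE = ACCOUNTADMIN
  MUST_CHANGE_PASSWORD = TRUE;
GRANT ROLE ACCOUNTADMIN TO USER Donald;

-- 2. User2 - Security Admin
-- SECURITYADMIN manages users, roles and grants (it inherits USERADMIN).
CREATE USER Charles PASSWORD = '<strong-unique-password>'
  DEFAULT_ROLE = SECURITYADMIN
  MUST_CHANGE_PASSWORD = TRUE;
GRANT ROLE SECURITYADMIN TO USER Charles;

-- 3. User3 - System Admin
-- SYSADMIN creates and owns warehouses, databases and other account objects.
CREATE USER Janet PASSWORD = '<strong-unique-password>'
  DEFAULT_ROLE = SYSADMIN
  MUST_CHANGE_PASSWORD = TRUE;
-- Fixed: the original granted SYSADMIN to Charles instead of Janet. That would have
-- left Janet with a DEFAULT_ROLE she does not hold (login would fall back to PUBLIC)
-- and silently given the security admin a second powerful role.
GRANT ROLE SYSADMIN TO USER Janet;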
- Log in as Charles (Security Admin)
1. Security Admin can switch role to SECURITYADMIN, PUBLIC or USERADMIN.
2. Security Admin has fewer privileges than Account Admin; in the Account section of the UI
   it can see Users and Roles (it manages identities and grants, not warehouses or databases).
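-- Log in as user Charles (SECURITYADMIN). Roles and users are created with this role
-- so that identity administration stays separate from object administration (SYSADMIN).

-- 1. Create roles and users for SALES
CREATE ROLE sales_admin;
CREATE ROLE sales_users;

-- Create hierarchy: sales_admin inherits sales_users, and sales_admin rolls up to
-- SYSADMIN so the system admin can manage (and drop) whatever sales_admin owns.
GRANT ROLE sales_users TO ROLE sales_admin;
GRANT ROLE sales_admin TO ROLE SYSADMIN;

-- Create sales user. Password is a placeholder: use a strong, unique value per user
-- and keep MUST_CHANGE_PASSWORD = TRUE so it is rotated at first login.
CREATE USER Amar_sales PASSWORD = '<strong-unique-password>'
  DEFAULT_ROLE = sales_users
  MUST_CHANGE_PASSWORD = TRUE;
-- Fixed: the original granted 'sales_user' (singular), a role that does not exist,
-- so Amar_sales would have logged in with only PUBLIC.
GRANT ROLE sales_users TO USER Amar_sales;

-- Create user for sales administration
CREATE USER Akbar_sales_admin PASSWORD = '<strong-unique-password>'
  DEFAULT_ROLE = sales_admin
  MUST_CHANGE_PASSWORD = TRUE;
GRANT ROLE sales_admin TO USER Akbar_sales_admin;

-- 2. Create roles and users for HR
CREATE ROLE hr_admin;
CREATE ROLE hr_users;

-- Create hierarchy
GRANT ROLE hr_users TO ROLE hr_admin;
-- Deliberately NOT granted to SYSADMIN this time, to show later that SYSADMIN then
-- cannot see or drop objects owned by hr_admin. Note the trade-off: a custom role
-- outside the SYSADMIN hierarchy is managed only by the users who hold it (plus
-- roles with MANAGE GRANTS such as SECURITYADMIN/ACCOUNTADMIN).
-- GRANT ROLE hr_admin TO ROLE SYSADMIN;

-- Create HR user (original had CREATE USR, which is a syntax error)
CREATE USER Bobby_hr PASSWORD = '<strong-unique-password>'
  DEFAULT_ROLE = hr_users
  MUST_CHANGE_PASSWORD = TRUE;
GRANT ROLE hr_users TO USER Bobby_hr;

-- Create user for HR administration
CREATE USER Balu_hr_admin PASSWORD = '<strong-unique-password>'
  DEFAULT_ROLE = hr_admin
  MUST_CHANGE_PASSWORD = TRUE;
-- Fixed: the original granted to 'Balue_hr_admin' (typo), a user that does not exist.
GRANT ROLE hr_admin TO USER Balu_hr_admin;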
Try to log in as SYSADMIN (Janet)
-------------------------------------
Note: SYSADMIN can switch role to SYSADMIN, PUBLIC, SALES_ADMIN or SALES_USERS. The HR roles are not
available because hr_admin was never granted to SYSADMIN.
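-- Run as SYSADMIN (Janet).

-- Create a small warehouse. AUTO_SUSPEND is in seconds; 300 = 5 minutes idle
-- before compute stops billing.
CREATE WAREHOUSE public_wh
  WITH WAREHOUSE_SIZE = 'SMALL'
  AUTO_SUSPEND = 300
  AUTO_RESUME = TRUE;

-- Grant usage on the warehouse to PUBLIC. Every user in the account holds PUBLIC,
-- so this lets anyone run queries (and incur compute cost) on public_wh; consider a
-- RESOURCE MONITOR on warehouses exposed this broadly.
GRANT USAGE ON WAREHOUSE public_wh TO ROLE PUBLIC;

-- Create a database accessible to everyone. USAGE on the database alone does not
-- expose data: schema USAGE and table SELECT must still be granted separately.
CREATE DATABASE public_db;
GRANT USAGE ON DATABASE public_db TO ROLE PUBLIC;

-- Create the sales database
CREATE DATABASE sales_db;
-- Transfer ownership to sales_admin (created earlier by SECURITYADMIN). Ownership
-- of the database and of its PUBLIC schema are separate grants; both are moved so
-- sales_admin fully controls the objects it will create.
GRANT OWNERSHIP ON DATABASE sales_db TO ROLE sales_admin;
-- sales_admin rolls up to SYSADMIN, so SYSADMIN keeps control of sales_db.
GRANT OWNERSHIP ON SCHEMA sales_db.public TO ROLE sales_admin;

-- Create the HR database (original had CREATE DATABSE, a syntax error)
CREATE DATABASE hr_db;
-- Transfer ownership to hr_admin, which was NOT granted to SYSADMIN.
GRANT OWNERSHIP ON DATABASE hr_db TO ROLE hr_admin;
-- From here on SYSADMIN no longer owns hr_db or its PUBLIC schema.
GRANT OWNERSHIP ON SCHEMA hr_db.public TO ROLE hr_admin;

-- Expected to FAIL as SYSADMIN: hr_db is owned by hr_admin, and SYSADMIN does not
-- inherit hr_admin. This is the point of the demo, not a bug. A role with
-- MANAGE GRANTS (SECURITYADMIN/ACCOUNTADMIN) could still re-grant ownership to
-- itself, so keeping a role out of the SYSADMIN tree is isolation, not a hard boundary.
DROP DATABASE hr_db;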
CUSTOM ROLES:
------------
-- Operate with the custom roles created above: switch to sales_admin, which owns
-- sales_db and its PUBLIC schema, and create a table there.
USE ROLE sales_admin;
USE sales_db;

-- Customer table for the sales area. CREATE OR REPLACE drops any existing table of
-- the same name (data included), so do not re-run this against a populated table.
CREATE OR REPLACE TABLE customers (
    id          NUMBER,
    full_name   VARCHAR,
    email       VARCHAR,
    phone       VARCHAR,
    -- defaults to the insert date when not supplied
    create_date DATE DEFAULT CURRENT_DATE
);