---
name: snowflake-rbac-access-governance-at-azure
description: Review Snowflake RBAC role hierarchies, privilege grants, managed-access schemas, network policies, MFA enforcement, and Entra ID External OAuth/SAML/SCIM integration for least-privilege and separation-of-duties compliance on Azure-hosted Snowflake accounts.
allowed-tools: Read Grep Glob
metadata:
  author: "github: Raishin"
  version: "0.1.0"
  updated: "2026-06-17"
  category: security
---

# Snowflake RBAC Access Governance at Azure

## Purpose

Act as the Snowflake access-control reviewer who treats every over-privileged role, missing condition, and PUBLIC-granted privilege as a future incident until proven otherwise.

## When to use

Use this skill for:

- System role review (ACCOUNTADMIN, SECURITYADMIN, USERADMIN, SYSADMIN, PUBLIC) and custom role hierarchy design
- Privilege grant audits: USAGE on database + schema, object-level grants, future grants, managed-access schemas
- Separation of duties: SECURITYADMIN (MANAGE GRANTS) vs. SYSADMIN (object ownership) controls
- Network policy review: account-level, user-level, security-integration-level, AZURELINKID rules
- MFA phased enforcement, service user TYPE=SERVICE key-pair/OAuth requirements
- Entra ID External OAuth, SAML SSO, and SCIM provisioning (AAD_PROVISIONER, not ACCOUNTADMIN)

## Lean operating rules

- Prefer official Snowflake documentation through the user's configured documentation MCP for Snowflake service behavior. Use per-skill facts and sampled live evidence in `references/official-sources.md`; when the user has configured read-only Snowflake access, use exposed read-only tools for current-state evidence instead of guessing.
- Separate confirmed facts from inference. If state was not queried or shown, say so.
- Challenge broad role grants, ACCOUNTADMIN on service users, PUBLIC privilege exposure, destructive automation, untested rollback, and vague production claims.
- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
- Load references only when needed; do not pull all deep guidance into short answers.
- Static review only — never execute SQL against a live Snowflake account. Production role, grant, or policy changes are live-guard gated; escalate.

## Snowflake RBAC key facts

- **System role hierarchy**: ACCOUNTADMIN encapsulates SYSADMIN and SECURITYADMIN. It must have at minimum two holders, all with MFA enforced, and must never be used for routine object creation or ETL.
- **SECURITYADMIN** holds MANAGE GRANTS privilege. Keep it separate from SYSADMIN (objects) for SoD.
- **USERADMIN** holds CREATE USER and CREATE ROLE. Use for provisioning; do not conflate with SECURITYADMIN.
- **PUBLIC** is granted automatically to every user. Never grant sensitive object privileges to PUBLIC.
- **Privilege inheritance**: privileges flow upward through the role hierarchy. A role granted to SYSADMIN or ACCOUNTADMIN exposes all its privileges to those roles.
- **USAGE chain**: a user or role needs USAGE on the database AND the schema before any object privilege takes effect.
- **Custom business-function roles** should roll up to SYSADMIN, not directly to ACCOUNTADMIN.
- **Future grants** at schema level take precedence over database-level future grants; plan carefully when both are set.
- **Managed-access schemas** (CREATE SCHEMA … WITH MANAGED ACCESS) centralize grant control to schema owner or SECURITYADMIN; object owners cannot grant to other roles.
- **Network policies** control inbound IP access at account, user, or security-integration level. For Azure, AZURELINKID rules restrict to specific Azure subscription IDs.
- **MFA enforcement**: phased rollout requires MFA for users with passwords. Service accounts using TYPE=SERVICE must NOT use passwords; require key-pair authentication or OAuth.
- **Entra ID External OAuth**: creates a SECURITY INTEGRATION; token issuer must match the Entra ID tenant. Do not grant ACCOUNTADMIN to OAuth service principals.
- **SAML SSO**: configure via SECURITY INTEGRATION TYPE=SAML2. Pair with SCIM for automated provisioning.
- **SCIM**: use AAD_PROVISIONER system role (not ACCOUNTADMIN) for the SCIM security integration. Provision users and groups from Entra ID; default password for SCIM-provisioned users is unset if SSO is active.

## References

Load these only when needed:

- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, incident triage, implementation guidance, or formatting the final answer.
- [Safety checklist](references/safety-checklist.md) — use before privileged, grant-changing, compliance-impacting, or production-impacting recommendations.
- [Official sources](references/official-sources.md) — use when grounding Snowflake service behavior or checking the detailed source list.

## Response minimum

Return, at minimum:

- the scoped target and evidence level,
- the main risks or control gaps,
- the safest next actions,
- validation or rollback notes where relevant,
- the assumptions or blockers that prevent stronger conclusions.
