Role-based access control for connectors

The Snowflake connector for Google Analytics Aggregate Data is subject to the Connector Terms.

The following sections describe application roles used in the connector application:

  • ADMIN

  • VIEWER

  • DATA_READER

These application roles are automatically assigned to the account level role responsible for installing the application on the account. They can be reassigned to others to grant control and data access to connector data and to the connector itself. See also GRANT APPLICATION ROLE.

ADMIN application role

You must use Snowflake Role ACCOUNTADMIN role paired with Application Role ADMIN to perform initial configuration of the connector, including the installation.

You can pair the ADMIN application role with any other Snowflake role after initial configuration to manage connector data synchronization. The ADMIN application role grants access to all public views and procedures, which when paired with granted account level privileges can be used to:

  • View Home Tab and ingestions statistics.

  • View and manage data synchronization.

  • View settings and connector configuration and manage alerts.

Attention

To manage connector alerts, grant either the ACCOUNTADMIN role or the CREATE INTEGRATION privilege to the role that the ADMIN application is assigned to. To grant these rights, execute the following SQL code: GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE <replace-with-your-role-name>;

VIEWER application role

The VIEWER application role can be assigned to any role and is used to:

  • View the connector home tab and ingestion statistics.

  • View connector data synchronization.

  • View connector settings and configuration.

DATA_READER application role

Users who want to access the ingested data should use only the DATA_READER role. The DATA_READER application role must be used to grant read privileges on replicated data.

This role is used to grant access to ingested data. To assign the DATA_READER role, you can either use Manage access in Snowsight or execute the following SQL statement:

GRANT APPLICATION ROLE DATA_READER to ROLE <replace-with-your-role-name>;
Copy

Do not attempt to access replicated data by changing ownership to destination database, instead grant the DATA_READER application role.

To view replicated data, a user must have the following privileges:

  • USAGE on destination database

  • USAGE on the destination schema

  • SELECT on destination table

The connector grants USAGE / SELECT privileges to this role on all tables and views created by the application.

Attention

The DATA_READER application role is only granted privileges on objects created by the application. If the destination database or destination schema already exists and is not owned by the connector application, the connector won’t be able to grant proper privileges to the DATA_READER role on these objects. In such situations, account level roles with the DATA_READER application role must be manually updated with a USAGE grant on these objects.