Role-Based Access Control for Connectors
The Snowflake connector for Google Analytics Aggregate Data is subject to the Connector Terms.
The following sections describe the application roles used in the connector application:
- ADMIN
- VIEWER
- DATA_READER
These application roles are automatically assigned to the account-level role responsible for installing the application on the account. They can be reassigned to other roles to grant control of the connector itself and access to connector data. See also GRANT APPLICATION ROLE.
ADMIN application role
You must use the Snowflake ACCOUNTADMIN role paired with the ADMIN application role to perform initial configuration of the connector, including the installation.
After initial configuration, you can pair the ADMIN application role with any other Snowflake role to manage connector data synchronization.
The ADMIN application role grants access to all public views and procedures, which, when paired with the granted account-level privileges, can be used to:
- View the Home tab and ingestion statistics.
- View and manage data synchronization.
- View settings and connector configuration, and manage alerts.
Attention
To manage connector alerts, grant either the ACCOUNTADMIN role or the CREATE INTEGRATION privilege to the role that has the ADMIN application role assigned to it.
To grant these rights, execute the following SQL:
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE <replace-with-your-role-name>;
VIEWER application role
The VIEWER application role can be assigned to any role and is used to:
- View the connector Home tab and ingestion statistics.
- View connector data synchronization.
- View connector settings and configuration.
DATA_READER application role
Anyone who wants to access the ingested data should use only the DATA_READER role.
The DATA_READER application role must be used to grant read privilege on replicated data.
This role is used to grant access to ingested data. To assign the DATA_READER role, you can use either Manage access in Snowsight or execute the following SQL statement:
GRANT APPLICATION ROLE DATA_READER to ROLE <replace-with-your-role-name>;
Do not attempt to access replicated data by changing ownership of the destination database; instead, grant the DATA_READER application role.
To view replicated data, a user must have the following privileges:
- USAGE on the destination database
- USAGE on the destination schema
- SELECT on the destination table
The connector grants USAGE / SELECT privileges to this role on all tables and views created by the application.
Attention
Please note: The DATA_READER application role is only granted privileges on objects created by the application.
If the destination database or destination schema already exists and is not owned by the connector application, the connector won't be able to grant proper privileges to the DATA_READER role on these objects.
In such situations, account-level roles with the DATA_READER application role must be manually updated with a USAGE grant on these objects.
Limitations
The Role-Based Access Control for Connectors has the following limitations:
- The ADMIN application role, without the ACCOUNTADMIN privilege, cannot install and configure the connector. To install and configure the connector, log in using an account granted the ACCOUNTADMIN role.
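The role assignments described in the sections above, combined into one least-privilege setup with a separate account-level role per duty and the manual USAGE grants needed for a pre-existing destination. This is an added example, not part of the original documentation. The application name, the account-level role names and the destination database and schema names are hypothetical placeholders, and the application roles are written in the qualified `<application>.<role>` form.

```sql
-- Added example. All identifiers below are hypothetical placeholders:
--   GA_CONNECTOR_APP  : name given to the installed connector application
--   GA_DEST_DB.GA_RAW : destination database/schema that existed before install
--   GA_CONNECTOR_OPS, GA_CONNECTOR_AUDIT, GA_ANALYST : account-level roles

-- Assumes the connector was installed with ACCOUNTADMIN, which therefore
-- holds all three application roles and can reassign them.
USE ROLE ACCOUNTADMIN;

-- One account-level role per duty, so day-to-day work does not need ACCOUNTADMIN.
CREATE ROLE IF NOT EXISTS GA_CONNECTOR_OPS;
CREATE ROLE IF NOT EXISTS GA_CONNECTOR_AUDIT;
CREATE ROLE IF NOT EXISTS GA_ANALYST;

-- Operators: manage synchronization, settings and alerts.
GRANT APPLICATION ROLE GA_CONNECTOR_APP.ADMIN TO ROLE GA_CONNECTOR_OPS;
-- Required for alert management when the role is not ACCOUNTADMIN.
GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE GA_CONNECTOR_OPS;

-- Auditors: read-only view of statistics, synchronization and configuration.
GRANT APPLICATION ROLE GA_CONNECTOR_APP.VIEWER TO ROLE GA_CONNECTOR_AUDIT;

-- Analysts: read ingested data only, with no control over the connector.
GRANT APPLICATION ROLE GA_CONNECTOR_APP.DATA_READER TO ROLE GA_ANALYST;

-- Pre-existing destination not owned by the application: the connector cannot
-- grant USAGE on these containers to DATA_READER, so grant it by hand to the
-- account-level role. Ownership of the database is left unchanged.
GRANT USAGE ON DATABASE GA_DEST_DB TO ROLE GA_ANALYST;
GRANT USAGE ON SCHEMA GA_DEST_DB.GA_RAW TO ROLE GA_ANALYST;

-- Review the result: the analyst role should show the DATA_READER application
-- role and the two USAGE grants, and nothing granting ADMIN or ownership.
SHOW GRANTS TO ROLE GA_CONNECTOR_OPS;
SHOW GRANTS TO ROLE GA_CONNECTOR_AUDIT;
SHOW GRANTS TO ROLE GA_ANALYST;
```

If the connector created the destination database and schema itself, the two manual USAGE statements are not needed.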