Role-Based Access Control for Connectors

The Snowflake connector for Google Analytics Aggregate Data is subject to the Connector Terms.

The following sections describe application roles used in the connector application:

  • ADMIN

  • VIEWER

  • DATA_READER

These application roles are automatically assigned to the account level role responsible for installing the application on the account. They can be reassigned to others to grant control and data access to connector data and the connector itself. See also GRANT APPLICATION ROLE.

ADMIN application role

You must use Snowflake Role ACCOUNTADMIN role paired with Application Role ADMIN to perform initial configuration of the connector, including the installation.

You can pair the ADMIN application role with any other Snowflake role after initial configuration to manage connector data synchronization. The ADMIN application role grants access to all public views and procedures, which when paired with granted account level privileges can be used to:

  • View Home Tab and ingestions statistics.

  • View and manage data synchronization.

  • View settings, connector configuration, and manage alerts.

Attention

To manage connector alert grant either the ACCOUNTADMIN role or the CREATE INTEGRATION privilege to role, which has ADMIN application assigned to it. To grant these rights execute the following SQL: GRANT CREATE INTEGRATION ON ACCOUNT TO ROLE <replace-with-your-role-name>;

VIEWER application role

The VIEWER application role can be assigned to any role and is used to:

  • View the connector home tab and ingestions statistics.

  • View connector data synchronization.

  • View connector settings and configuration.

DATA_READER application role

Anyone who wants to access the ingested data should use only the DATA_READER role. The DATA_READER application role must be used to grant read privilege on replicated data.

This role is used to grant access to ingested data. To grant access to ingested data assign the DATA_READER role you can use either Manage access in Snowsight or execute the following SQL statement:

GRANT APPLICATION ROLE DATA_READER to ROLE <replace-with-your-role-name>;
Copy

Do not attempt to access replicated data by changing ownership to destination database, instead grant the DATA_READER application role.

To view replicated data, a user must have the following privileges:

  • USAGE on destination database

  • USAGE on the destination schema

  • SELECT on destination table

The connector grants USAGE / SELECT privileges to this role on all tables and views created by the application.

Attention

Please note: The DATA_READER application role is only granted privileges on objects created by the application. If the destination database or destination schema already exists and is not owned by the connector application, the connector won’t be able to grant proper privileges to the DATA_READER role on these objects. In such situations, account level roles with the DATA_READER application role must to be manually updated with USAGE grant on these objects.

Limitations

The Role-Based Access Control for Connectors has the following limitations:

  • The ADMIN application role, without the ACCOUNTADMIN privilege, cannot install and configure the connector. To install and configure connector log in using an account granted the ACCOUNTADMIN role.

Language: English