Snowflake offers five default roles. It is important to understand the default Snowflake roles, as they can help you manage access control to data within your organisation.
These default roles are hierarchically ordered: each role inherits the capabilities of the roles below it. Drawing from the Snowflake documentation on roles, I have built a tree diagram in Tableau to show the hierarchy of Snowflake default roles.
Click on each role in the visualisation below to learn more about them, or scroll down to read each definition one after the other. If you want to see the visualisation in a full page you can find it on my Tableau Public profile.
The Public role is granted to all users and roles by default.
Public can own securable objects, but keep in mind that since all roles and users are given the Public role, all roles and users will own whatever Public owns.
This role can be handy in an organisation where there is no need for access control, that is, where there is no need to limit users’ access to databases and other objects.
The Sysadmin role can create (and potentially grant privileges on) warehouses, databases and other objects.
Snowflake’s recommendation is to assign all custom roles to the Sysadmin. This way, the Sysadmin will be able to grant those roles privileges on warehouses, databases and other objects.
The Useradmin role is in charge of user and role creation and management.
The Useradmin role is granted the CREATE USER and CREATE ROLE privileges.
Unless otherwise specified, or unless ownership is later transferred, the creator of an object is also the owner of that object. If the Useradmin is the owner of a user or a role, it can also manage them.
The Securityadmin manages object grants through the MANAGE GRANTS privilege.
This role is above Useradmin in the role hierarchy and inherits from it the ability to create, monitor, and manage users and roles.
The Accountadmin role combines SYSADMIN and SECURITYADMIN.
It is the most powerful role, at the top of the hierarchy.
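The division of duties described above can be seen in a short worksheet session. This is an added example, not taken from the Snowflake documentation or from the original post; the names analyst_role, example_user, analytics_db and analytics_wh are made up for illustration.

```sql
-- Useradmin: create the custom role and the user (it holds CREATE ROLE / CREATE USER).
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS analyst_role;               -- hypothetical custom role
CREATE USER IF NOT EXISTS example_user                -- hypothetical user
  DEFAULT_ROLE = analyst_role;
GRANT ROLE analyst_role TO USER example_user;

-- Attach the custom role under Sysadmin, as recommended above, so that
-- Sysadmin (and Accountadmin above it) inherit whatever the role is granted.
-- Useradmin can do this because it owns the role it just created.
GRANT ROLE analyst_role TO ROLE SYSADMIN;

-- Sysadmin: create the objects and grant privileges on them to the custom role.
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS analytics_db;           -- hypothetical database
CREATE WAREHOUSE IF NOT EXISTS analytics_wh           -- hypothetical warehouse
  WAREHOUSE_SIZE = 'XSMALL'
  AUTO_SUSPEND = 60
  AUTO_RESUME = TRUE
  INITIALLY_SUSPENDED = TRUE;

GRANT USAGE ON WAREHOUSE analytics_wh TO ROLE analyst_role;
GRANT USAGE ON DATABASE analytics_db TO ROLE analyst_role;
GRANT USAGE ON SCHEMA analytics_db.public TO ROLE analyst_role;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics_db.public TO ROLE analyst_role;

-- Securityadmin: review grants (it holds MANAGE GRANTS and sits above Useradmin).
USE ROLE SECURITYADMIN;
SHOW GRANTS TO ROLE analyst_role;   -- privileges the custom role holds
SHOW GRANTS OF ROLE analyst_role;   -- users and roles the custom role was granted to

-- Every user and role inherits Public, so anything listed here is
-- available account-wide. Review it for grants that should be restricted.
SHOW GRANTS TO ROLE PUBLIC;

-- Accountadmin is the most powerful role: list who holds it.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
```

Nothing in this session needs Accountadmin; the last statement only lists its holders, which is worth checking periodically because that role combines both administrative branches.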