Account And Access Security Flashcards
(20 cards)
What are the two frameworks for access control?
Role-based Access Control (RBAC) and Discretionary Access Control (DAC)
RBAC assigns access privileges to roles, while DAC allows object owners to grant access.
What is a securable object?
An object owned by a single role; access is denied unless explicitly granted
Owning role has privileges to manage grants and ownership.
What can the owning role do?
- Grant or revoke privileges on an object to other roles
- Transfer ownership to another role
- Share the object if it is a shareable object
The owning role has all privileges on the object.
How many system-defined roles are there in Snowflake?
Six
The roles are ORGADMIN, ACCOUNTADMIN, SECURITYADMIN, SYSADMIN, USERADMIN, and PUBLIC.
What is the role of ORGADMIN?
- Manages operations at the organization level
- Can create accounts in the organization
- Can view all accounts and regions in the organization
ORGADMIN can also view usage information across the organization.
What is the primary function of ACCOUNTADMIN?
- Most powerful role for account management
- Encapsulates SYSADMIN and SECURITYADMIN roles
- Responsible for configuring account-level parameters
Should be granted to a limited number of users because of its power.
What does SECURITYADMIN manage?
Manages grants globally via the MANAGE GRANTS privilege
Also responsible for creating, monitoring, and managing users and roles.
What is a custom role in Snowflake?
A role defined with custom, fine-grained security privileges
Admins can exercise the principle of least privilege to reduce risks.
What are the four categories of security privileges?
- Global
- For Account objects
- For Schemas
- For Schema objects
Each category defines different access levels and actions.
What is the default method of user authentication in Snowflake?
User-provided username and password credentials
This can be done through the UI or client applications.
What are the password requirements for Snowflake users?
- At least 8 characters
- Must contain 1 digit
- Must include at least 1 uppercase and 1 lowercase letter
Passwords can be up to 256 characters and are case-sensitive.
What does Multi-Factor Authentication (MFA) provide?
An additional layer of security requiring proof of identity beyond just a password
MFA in Snowflake is powered by Duo Security.
What is Federated Authentication?
Connects to Snowflake using SSO via a SAML 2.0 compliant external identity provider
Native support includes Okta and ADFS IdPs.
What is the purpose of Network Policies?
To allow or deny access based on a single IP address or a list of addresses
Provides an additional layer of security on top of authentication.
What is the encryption method used for data at rest in Snowflake?
AES-256
All data in the storage layer is encrypted by default.
What is Dynamic Data Masking?
Sensitive data is loaded in plain text, with masking applied at query runtime
Masking policies define who can see the column’s data.
What does Row Level Security enable?
Restricts which rows are returned to a query based on conditions
Policies are applied transparently and return type is always BOOLEAN.
What is the purpose of Secure Views?
Limit access to underlying tables or internal structural details of a view
Secure views bypass some query optimizations, which can affect performance.
What is the function of the SNOWFLAKE database?
Provides shared read-only access to account usage metrics
It contains six schemas for fine-grained usage metrics.
What is Object Tagging in Snowflake?
Allows assigning specific metadata to database objects for classification
Helps with data governance and can be applied at the CREATE or ALTER stage.