-1

I read that it is recommended practice for custom roles to be assigned to SYSADMIN.

What is the point of this?

Vivek Sharma
  • Best practice, see SYSADMIN as the Godfather of data objects, not as high up as accountadmin (that would be the godfather's dad). As the custom roles create objects themselves, ultimately sysadmin can be used to manage those objects as well. Of course you don't use sysadmin day to day (unless that fits your operating model) as this role is quite possible. By default accountadmin inherits what sysadmin + useradmin + securityadmin does... – patrick_at_snowflake Oct 19 '21 at 23:20

1 Answer

2

The point is to avoid making a mess (or rather, to make the administration of access control as easy, but as powerful, as possible).

When custom roles are assigned to SYSADMIN (not necessarily directly, but ultimately through inheritance), then sysadmins will be able to manage all objects in the account, such as warehouses and database objects (while still restricting management of users and roles to the SECURITYADMIN or ACCOUNTADMIN roles). If they are not assigned to SYSADMIN, then only those roles granted the MANAGE GRANTS privilege will see the objects and be able to modify their access grants, which, with many custom roles, can become quite a mess to manage.

Robert Long
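The hierarchy described in the answer, as an added example that is not part of the original post: a custom role is rolled up to SYSADMIN, and a recursive query then lists custom roles that SYSADMIN does not inherit, directly or indirectly. The role name `ANALYST_READ` is hypothetical, and the list of system-defined roles excluded at the end is an assumption to adjust for your account.

```sql
-- Create a custom role and attach it to the SYSADMIN hierarchy.
-- ANALYST_READ is a hypothetical role name used for illustration.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS ANALYST_READ;
GRANT ROLE ANALYST_READ TO ROLE SYSADMIN;

-- Confirm what SYSADMIN now holds, including inherited roles.
SHOW GRANTS TO ROLE SYSADMIN;

-- Audit: find active roles that do NOT roll up to SYSADMIN.
-- In GRANTS_TO_ROLES, a role-to-role grant appears as
-- GRANTED_ON = 'ROLE', PRIVILEGE = 'USAGE', where NAME is the child role
-- and GRANTEE_NAME is the parent role that inherits it.
-- ACCOUNT_USAGE views lag behind live state, so very recent grants
-- may not show up yet.
USE ROLE ACCOUNTADMIN;

WITH RECURSIVE under_sysadmin (role_name) AS (
    -- Anchor: start the walk at SYSADMIN itself.
    SELECT 'SYSADMIN'
    UNION ALL
    -- Step: add every role granted to a role already in the set.
    SELECT g.name
    FROM snowflake.account_usage.grants_to_roles AS g
    JOIN under_sysadmin AS u
      ON g.grantee_name = u.role_name
    WHERE g.granted_on = 'ROLE'
      AND g.granted_to = 'ROLE'
      AND g.privilege  = 'USAGE'
      AND g.deleted_on IS NULL
)
SELECT r.name AS role_outside_sysadmin
FROM snowflake.account_usage.roles AS r
WHERE r.deleted_on IS NULL
  AND r.name NOT IN (SELECT role_name FROM under_sysadmin)
  -- Assumed list of system-defined roles that are expected to sit
  -- outside (or above) the SYSADMIN hierarchy.
  AND r.name NOT IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN',
                     'ORGADMIN', 'SYSADMIN', 'PUBLIC')
ORDER BY r.name;
```

Any role this query returns owns or can access objects that SYSADMIN cannot manage through inheritance, which is the situation the answer describes as requiring MANAGE GRANTS to untangle.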