Issue types
This page describes some of the issues that we check for in more detail.
Over-provisioned access
Access is over-provisioned or not used recently.
This recommendation is created when a user is granted a role that doesn't appear in their query history during the specified time period (default: last 90 days).
For example, say Alice is granted ACME_READER, which grants her access to the ACME database. If Alice hasn't queried any tables in the ACME database within the last 90 days, then her access is considered over-provisioned, and an issue will be created with the recommended remediation: "Revoke ACME_READER from user Alice."
Note: If a role is used only for its access to non-table objects (e.g. warehouse access), then an issue may still be created.
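The over-provisioned check described above, as an added example that is not Spyglass's own code: it joins role grants, user grants and query history over a 90-day window and emits the same remediation text. The data model (dictionaries standing in for Snowflake's grants and access-history views) and the sample rows are assumptions constructed for the example; it also shows the warehouse-only case from the note being flagged.

```python
from datetime import date, timedelta

# Constructed sample data (an assumption for this example), shaped loosely after
# Snowflake's grants and access-history views: which databases each role reaches,
# which roles each user holds, and which tables each user actually queried.
ROLE_DATABASE_GRANTS = {
    "ACME_READER": {"ACME"},
    "SALES_READER": {"SALES"},
    "WH_ONLY": set(),  # grants only warehouse usage, no database objects
}
USER_ROLE_GRANTS = {
    "Alice": {"ACME_READER", "SALES_READER", "WH_ONLY"},
    "Bob": {"ACME_READER"},
}
# (user, fully qualified table, date of the query)
ACCESS_HISTORY = [
    ("Alice", "SALES.PUBLIC.ORDERS", date(2024, 5, 20)),
    ("Alice", "ACME.PUBLIC.CUSTOMERS", date(2024, 1, 10)),  # outside the 90-day window
    ("Bob", "ACME.PUBLIC.CUSTOMERS", date(2024, 5, 30)),
]
TODAY = date(2024, 6, 1)  # fixed "now" so the example is reproducible


def databases_queried(user, access_history, today, window_days=90):
    """Databases in which `user` touched at least one table within the window."""
    cutoff = today - timedelta(days=window_days)
    return {table.split(".")[0] for u, table, day in access_history
            if u == user and day >= cutoff}


def over_provisioned_issues(user_role_grants, role_database_grants, access_history,
                            today, window_days=90):
    """One remediation string per role grant with no matching query activity."""
    issues = []
    for user, roles in sorted(user_role_grants.items()):
        used = databases_queried(user, access_history, today, window_days)
        for role in sorted(roles):
            reachable = role_database_grants.get(role, set())
            # No queried database is reachable through this role: flag it. A role
            # that grants no database objects at all (warehouse-only) never has
            # table activity to show, so it is flagged too, as the note above says.
            if not (reachable & used):
                issues.append(f"Revoke {role} from user {user}.")
    return issues


def find_issues():
    return over_provisioned_issues(USER_ROLE_GRANTS, ROLE_DATABASE_GRANTS,
                                   ACCESS_HISTORY, TODAY)
```

Bob's ACME_READER grant is not flagged because his ACME query falls inside the window; Alice's is, because her only ACME query is older than 90 days.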
Unused role
Roles should be in use.
This recommendation is created when a role is not being used. A few requirements:
The role must be at least 30 days old (recently-created roles are excluded).
The role must be granted to 0 users and 0 roles.
The role may be granted permissions to Snowflake objects.
Note: Spyglass only scans user-created roles, and excludes Snowflake-native roles, such as ACCOUNTADMIN, PUBLIC, etc.
Duplicate role
Roles should have unique privileges.
This recommendation is created when multiple roles are found that have overlapping privileges, so that users can decide how they want to clean up these redundancies.
Expiring access
Expiring access should be renewed or revoked.
This recommendation is created when a user's access was granted by an access request that had an expiration date. Rather than access being revoked immediately on the expiration date, an issue is created so that an administrator can decide the best course of action.
Remediations are available to revoke the access or extend the existing access for a longer period, both of which open a new access request that can be approved and merged like usual.
Sysadmin missing role
Sysadmin should be a superset of all user roles.
This recommendation is created to detect deviations from Snowflake's suggested best practice in aligning object access with business functions:
Following best practices for role hierarchies, grant the highest-level functional roles in a role hierarchy to the system administrator (SYSADMIN) role. System administrators can then grant privileges on database objects to any roles in this hierarchy.
Note: Spyglass only scans user-created roles, and excludes Snowflake-native roles, such as ACCOUNTADMIN, PUBLIC, etc.
Functional role check
Active roles should be functional roles.
This recommendation is created when a role is found to have been used recently, and hasn't yet been converted to a functional role. The functional roles framework provides a significantly simpler model for structuring access, and roles can be converted in a few clicks in Spyglass's UI.
ACCOUNTADMIN user change
Monitor when the ACCOUNTADMIN role is granted to or revoked from a user.
This alert is created whenever the ACCOUNTADMIN role is granted to or revoked from a user. When this change is detected, Spyglass admins receive a notification (via email), and can view the open alerts on the issue details page.
Two options are available: acknowledge the alert (mark the change as intended and acceptable) or dismiss it (ignore this incident and similar future incidents).
Sensitive data check
Sensitive data (e.g. PII) needs to be masked.
This check is currently available only to Private Preview customers.
This recommendation is created when Spyglass finds data that has been tagged as sensitive but is not yet protected by any masking policies. In the future, Spyglass will support finding any data (whether tagged as sensitive or not) that could be sensitive and require masking.
Expired temporary role
This alert is created whenever a temporary role expires. A role is considered temporary if it has an expiration date defined in Spyglass. To remediate this, you can either revoke all user grants or extend the expiration date.