Access roles
Last updated
Last updated
Access roles are the building blocks of functional roles. Access roles grant privileges based on an access template. These templates allow you to apply consistent SQL commands across all of your functional roles, so that rules are standardized and repeatable.
Spyglass provides default templates for accessing your databases, schemas, and other objects.'
Here are three common access templates:
Admin: provides all privileges to all objects within a database or schema.
Reader: provides read access to all current (and future) tables and views within a database or schema.
Editor: Provides write access to all current (and future) tables and views within a database or schema.
For a full list of access templates, see the Settings page in the Spyglass app.
Spyglass standard templates are designed to cover most major use cases of data access, by both human and service users. However, you can extend any access role to create your own custom template with any privileges:
To create your own custom template, visit the Settings -> Templates page and click "New template" to create an access template from scratch or based off of an existing template.
We are phasing out Spyglass virtual access roles described above in favor of concrete access roles that are native to Snowflake (with an easy migration path).
So, when granting an access role in Spyglass via the Explorer's Role Editor, you'll notice it is actually created as a database role. This makes access roles more useful, explicit, and customizable.
Access roles can only be granted to roles that have been imported as a Spyglass functional role.
Access roles don't really exist and are managed completely by Spyglass.
Access roles are static and limited.
Access is hard to understand without Spyglass access.
Access roles can be granted to any role.
Access roles are created as database roles, so rules are more explicit.
Access roles can be customized with your own types!
Users can understand role hierarchy even if they don't have Spyglass access.
This change is being made gradually, and support for virtual roles will exist for the foreseeable future. But in the long term, native access roles will provide users with more flexibility and stability.
