π Snowflake User Default Role is ACCOUNTADMIN π’
- Contextual name: π Default Role is ACCOUNTADMIN π’
- ID:
/ce/ca/snowflake/user/account-admin-default-role - Located in: π Snowflake User
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Logicβ
- π§ prod.logic.yaml π’
- π Snowflake User
- π Snowflake User - object.extracts.yaml
- π§ͺ test-data.json
Descriptionβ
Descriptionβ
Ensure that the
ACCOUNTADMINrole is not set as the default role for Snowflake Users.Rationaleβ
The
ACCOUNTADMINrole grants full control over account parameters, billing data, user/role definitions, warehouses, and all metadata objects. Defaulting to this role for routine queries or development tasks exposes critical controls and sensitive information unnecessarily.Forcing users to explicitly switch into
ACCOUNTADMINfor high-impact tasks ensures that every use of the role is a deliberate action, improving incident investigations and reducing accidental misuse.Snowflakeβs RBAC model provides specialized system roles (e.g.,
SYSADMIN,SECURITYADMIN,USERADMIN) that should serve as default roles for administrators of specific functions.Auditβ
This policy marks a Snowflake User as
INCOMPLIANTifDefault Role Namefield is set to ACCOUNTADMIN.
Remediationβ
Remediationβ
Using SQLβ
The executing role must hold the OWNERSHIP privilege on the target user account to modify its properties via SQL.
Execute the following SQL command for each user found to have
ACCOUNTADMINas their default role:ALTER USER {{username}}
SET DEFAULT_ROLE = {{non_accountadmin_role}};Replace
{{non_accountadmin_role}}with an appropriate, lower-privileged role that aligns with the userβs operational needs (e.g.,SYSADMIN,SECURITYADMIN, or a custom business role).
If the user legitimately requires elevated privileges, retain access to
ACCOUNTADMIN, but require them to explicitly activate it via theUSE ROLE ACCOUNTADMIN;command when necessary.Revoke or reassign this role where it is no longer justified, following your organizationβs access control and change management policies.
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ Cloudaware Framework β πΌ User Account Management | 16 |