[Feature]: Add Support For `DISABLE_USER_PRIVILEGE_GRANTS` Account Parameter As Part Of The UBAC Feature Addition

by ADMIN

Overview

As part of the 2025_02 Bundle, Snowflake is introducing User-Based Access Control (UBAC) as a feature addition (BCR-1924). However, this feature has the potential to create complexity in environments that rely heavily on Role-Based Access Control (RBAC) and Infrastructure as Code (IaC) management. To mitigate this, the DISABLE_USER_PRIVILEGE_GRANTS account parameter has been introduced, allowing administrators to disable UBAC in their environment. This article proposes the addition of this parameter to be set via Terraform, ensuring that all configuration remains in code.

Background

Snowflake's UBAC feature aims to provide a more granular access control mechanism, allowing users to manage their own permissions and access to resources. While this feature offers enhanced flexibility, it may not be suitable for all environments, particularly those that rely heavily on RBAC and IaC management. In such cases, the introduction of UBAC can lead to "spaghetti" code, making it challenging to manage and maintain.

The DISABLE_USER_PRIVILEGE_GRANTS Parameter

To address this concern, Snowflake has introduced the DISABLE_USER_PRIVILEGE_GRANTS account parameter. This parameter can be set using the query `ALTER ACCOUNT <name> SET DISABLE_USER_PRIVILEGE_GRANTS = TRUE;`. By disabling UBAC, administrators can maintain their existing RBAC and IaC management practices, ensuring that their environment remains manageable and scalable.

Proposal: Adding DISABLE_USER_PRIVILEGE_GRANTS to Terraform

To ensure that all configuration remains in code, it is proposed that the DISABLE_USER_PRIVILEGE_GRANTS parameter be added to Terraform. This will enable administrators to manage this parameter alongside other account settings, ensuring consistency and ease of management.

Benefits

The addition of the DISABLE_USER_PRIVILEGE_GRANTS parameter to Terraform will provide several benefits, including:

  • Consistency: All configuration will remain in code, ensuring that the environment remains manageable and scalable.
  • Ease of management: Administrators will be able to manage this parameter alongside other account settings, reducing the risk of errors and inconsistencies.
  • Improved security: By disabling UBAC, administrators can maintain their existing RBAC and IaC management practices, ensuring that their environment remains secure and compliant.

Implementation

To implement this proposal, the following steps will be taken:

  1. Add DISABLE_USER_PRIVILEGE_GRANTS parameter to Terraform: The DISABLE_USER_PRIVILEGE_GRANTS parameter will be added to Terraform, allowing administrators to manage this parameter alongside other account settings.
  2. Update Terraform configuration: The Terraform configuration will be updated to include the DISABLE_USER_PRIVILEGE_GRANTS parameter, ensuring that all configuration remains in code.
  3. Test and validate: The updated Terraform configuration will be tested and validated to ensure that it functions as expected.
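
One way to carry out the "test and validate" step, as an added example that is not part of the original proposal or of the Terraform provider: a check over rows shaped like the output of `SHOW PARAMETERS LIKE 'DISABLE_USER_PRIVILEGE_GRANTS' IN ACCOUNT`. The function name and the sample rows are assumptions constructed for illustration; fetching the rows from Snowflake is left to the caller.

```python
"""Validate that DISABLE_USER_PRIVILEGE_GRANTS is pinned at account level.

Rows use the SHOW PARAMETERS column names (key, value, default, level).
The sample rows at the bottom are constructed, not taken from a real account.
"""

PARAM = "DISABLE_USER_PRIVILEGE_GRANTS"


def check_ubac_disabled(rows):
    """Return a list of findings; an empty list means the account is compliant."""
    matches = [r for r in rows if str(r.get("key", "")).upper() == PARAM]
    if not matches:
        # Parameter not visible: the bundle is not enabled on this account,
        # or the querying role cannot see account parameters.
        return [f"{PARAM} not returned by SHOW PARAMETERS"]

    row = matches[0]
    value = str(row.get("value", "")).strip().lower()
    level = str(row.get("level", "")).strip().upper()
    findings = []

    if value != "true":
        findings.append(
            f"{PARAM} is {value or 'unset'}: UBAC is not disabled")
    if level != "ACCOUNT":
        # An empty level means the default is in effect, so nothing was
        # explicitly set and there is no setting for code to own.
        findings.append(
            f"{PARAM} is not explicitly set at ACCOUNT level "
            f"(level={level or 'default'})")
    return findings


# Constructed sample rows (assumed default of "false" for illustration).
COMPLIANT = [{"key": PARAM, "value": "true", "default": "false", "level": "ACCOUNT"}]
DEFAULTED = [{"key": PARAM, "value": "false", "default": "false", "level": ""}]

if __name__ == "__main__":
    for name, rows in (("compliant", COMPLIANT),
                       ("defaulted", DEFAULTED),
                       ("missing", [])):
        print(name, check_ubac_disabled(rows) or "OK")
```

Running the same check in CI after each apply turns an out-of-band `ALTER ACCOUNT` change into a visible finding instead of silent drift.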

Conclusion

The addition of the DISABLE_USER_PRIVILEGE_GRANTS parameter to Terraform will provide several benefits, including consistency, ease of management, and improved security. By disabling UBAC, administrators can maintain their existing RBAC and IaC management practices, ensuring that their environment remains manageable and scalable. This proposal aims to ensure that all configuration remains in code, reducing the risk of errors and inconsistencies.

Recommendations

Based on this proposal, the following recommendations are made:

  • Add DISABLE_USER_PRIVILEGE_GRANTS parameter to Terraform: The DISABLE_USER_PRIVILEGE_GRANTS parameter should be added to Terraform, allowing administrators to manage this parameter alongside other account settings.
  • Update Terraform configuration: The Terraform configuration should be updated to include the DISABLE_USER_PRIVILEGE_GRANTS parameter, ensuring that all configuration remains in code.
  • Test and validate: The updated Terraform configuration should be tested and validated to ensure that it functions as expected.

Frequently Asked Questions

Below are some frequently asked questions and answers related to this feature.

Q: What is the purpose of the DISABLE_USER_PRIVILEGE_GRANTS account parameter?

A: The DISABLE_USER_PRIVILEGE_GRANTS account parameter is used to disable User-Based Access Control (UBAC) in an environment. This parameter allows administrators to maintain their existing RBAC and IaC management practices, ensuring that their environment remains manageable and scalable.

Q: How do I set the DISABLE_USER_PRIVILEGE_GRANTS account parameter?

A: To set the DISABLE_USER_PRIVILEGE_GRANTS account parameter, you can use the query `ALTER ACCOUNT <name> SET DISABLE_USER_PRIVILEGE_GRANTS = TRUE;`. This will disable UBAC in the specified account.

Q: Can I set the DISABLE_USER_PRIVILEGE_GRANTS account parameter using Terraform?

A: Yes, you can set the DISABLE_USER_PRIVILEGE_GRANTS account parameter using Terraform. This will allow you to manage this parameter alongside other account settings, ensuring consistency and ease of management.

Q: What are the benefits of disabling UBAC using the DISABLE_USER_PRIVILEGE_GRANTS account parameter?

A: Disabling UBAC using the DISABLE_USER_PRIVILEGE_GRANTS account parameter provides several benefits, including:

  • Consistency: All configuration will remain in code, ensuring that the environment remains manageable and scalable.
  • Ease of management: Administrators will be able to manage this parameter alongside other account settings, reducing the risk of errors and inconsistencies.
  • Improved security: By disabling UBAC, administrators can maintain their existing RBAC and IaC management practices, ensuring that their environment remains secure and compliant.

Q: How do I implement the DISABLE_USER_PRIVILEGE_GRANTS account parameter in my environment?

A: To implement the DISABLE_USER_PRIVILEGE_GRANTS account parameter in your environment, follow these steps:

  1. Add DISABLE_USER_PRIVILEGE_GRANTS parameter to Terraform: The DISABLE_USER_PRIVILEGE_GRANTS parameter will be added to Terraform, allowing administrators to manage this parameter alongside other account settings.
  2. Update Terraform configuration: The Terraform configuration will be updated to include the DISABLE_USER_PRIVILEGE_GRANTS parameter, ensuring that all configuration remains in code.
  3. Test and validate: The updated Terraform configuration will be tested and validated to ensure that it functions as expected.

Q: What are the next steps after implementing the DISABLE_USER_PRIVILEGE_GRANTS account parameter?

A: After implementing the DISABLE_USER_PRIVILEGE_GRANTS account parameter, you should:

  • Monitor and test: Monitor and test your environment to ensure that the DISABLE_USER_PRIVILEGE_GRANTS account parameter is functioning as expected.
  • Update documentation: Update your documentation to reflect the changes made to your environment.
  • Communicate with stakeholders: Communicate with stakeholders to ensure that they are aware of the changes made to your environment.

By following these steps, you can ensure that your environment remains manageable, scalable, and secure, while also maintaining your existing RBAC and IaC management practices.