If you’re managing access in Snowflake and want to keep things clean, secure, and easy to reason about, it helps to understand what the built-in roles are actually for. Here’s a breakdown of the standard roles Snowflake provides, what they can do, and how I typically see them used in practice.
ACCOUNTADMIN
The most powerful role in Snowflake. It has complete control over every object and setting in the account—including security, billing, user management, and object access.
Use case: Reserved for a small number of senior administrators. Think of it as the fire extinguisher behind glass—only for emergencies or top-level changes.
SECURITYADMIN
This role is designed to manage user and role access. It can:
– Create, modify, and delete users
– Assign and revoke roles
– Grant privileges on roles
Use case: Assign this to whoever manages identity and access. It’s ideal for enforcing security policies without giving access to warehouses or data.
SYSADMIN
The workhorse role for Snowflake resource management. It can:
– Create and manage warehouses
– Build and manage databases, schemas, tables, views, etc.
– Grant object privileges to custom roles
Use case: Great for DBAs and data engineers. This is where most of the day-to-day work with data structures happens.
USERADMIN
A more limited user management role than SECURITYADMIN. It can:
– Create and manage users and custom roles
It cannot assign or manage system roles (like SYSADMIN or ACCOUNTADMIN).
Use case: Perfect for department-level admins or DevOps engineers who need to create users but don’t need broader access.
PUBLIC
Every user automatically gets the PUBLIC role. It’s meant for globally accessible objects.
Use case: Use this for shared UDFs, utility views, or reference tables that everyone in the account should be able to use. Be cautious: anything granted to PUBLIC is visible to all users.
Role Hierarchy (Standard)
ACCOUNTADMIN
├── SECURITYADMIN
│   └── USERADMIN
└── SYSADMIN
    └── PUBLIC
Quick Reference Table
| Role | Key Responsibility | Who Should Have It |
|---|---|---|
| ACCOUNTADMIN | Full account control | Very few senior admins |
| SECURITYADMIN | Role/user management | Identity and access managers |
| SYSADMIN | Manage data objects and warehouses | DBAs, data engineers |
| USERADMIN | Create/manage users and custom roles | Department/DevOps leads |
| PUBLIC | Default role for shared resources | Everyone (default) |
Final Thoughts
The standard roles in Snowflake give you a solid starting point. But as your organization grows, consider creating custom roles tailored to team needs and least-privilege principles. That’s where Snowflake really starts to shine from a security and scalability standpoint.
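As an added example (not part of the original post), here is one way to build a least-privilege custom role while keeping each step under the standard role that the breakdown above assigns it to. The names ANALYST_RO, JDOE, ANALYTICS_DB, REPORTING and REPORTING_WH are hypothetical, and the script assumes SYSADMIN owns the database, schema and warehouse.

```sql
-- Constructed names (assumptions): ANALYST_RO, JDOE, ANALYTICS_DB.REPORTING, REPORTING_WH.

-- 1. USERADMIN handles identity only: create the custom role and the user.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS ANALYST_RO
  COMMENT = 'Read-only access to ANALYTICS_DB.REPORTING';
CREATE USER IF NOT EXISTS JDOE
  DEFAULT_ROLE = ANALYST_RO
  DEFAULT_WAREHOUSE = REPORTING_WH;
GRANT ROLE ANALYST_RO TO USER JDOE;

-- Attach the custom role under SYSADMIN so it sits inside the standard
-- hierarchy and objects it touches stay manageable by SYSADMIN.
GRANT ROLE ANALYST_RO TO ROLE SYSADMIN;

-- 2. SYSADMIN owns the data objects and grants only what the role needs.
USE ROLE SYSADMIN;
GRANT USAGE  ON WAREHOUSE REPORTING_WH            TO ROLE ANALYST_RO;
GRANT USAGE  ON DATABASE  ANALYTICS_DB            TO ROLE ANALYST_RO;
GRANT USAGE  ON SCHEMA    ANALYTICS_DB.REPORTING  TO ROLE ANALYST_RO;
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS_DB.REPORTING
  TO ROLE ANALYST_RO;

-- 3. SECURITYADMIN (which holds MANAGE GRANTS) covers tables created later,
--    so new tables do not need ad hoc grants.
USE ROLE SECURITYADMIN;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS_DB.REPORTING
  TO ROLE ANALYST_RO;

-- 4. Review the result: what the role can do, and who holds it.
SHOW GRANTS TO ROLE ANALYST_RO;
SHOW GRANTS OF ROLE ANALYST_RO;

-- Periodic check that ACCOUNTADMIN stays limited to a few administrators.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
```

Nothing in this script runs as ACCOUNTADMIN or grants anything to PUBLIC, which keeps the top role reserved and the shared role empty of team-specific data.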