Cohort Role Analysis
Analyze roles accessible to Snowflake users within a specified cost center.
Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.
Overview
The Cohort Role Analysis API provides insights into role accessibility for Snowflake users within a specified cost center. It identifies which roles are accessible to users in that cost center and orders them by least privilege, helping to establish common access patterns and standardize role assignments. The response includes:
A list of roles accessible to users in the cost center
An indication of whether these roles are accessible to all users or only some users in the cost center
The API first attempts to find roles that are accessible to all principals (users) in the cost center. If no roles are accessible to all principals, it falls back to returning roles that are accessible by at least one principal, indicated by the accessibility_type field in the response.
Use cases and features
This API can help organizations understand common access patterns within organizational units and can support role standardization efforts:
Role Standardization: Identify common roles used within organizational units
Access Pattern Analysis: Discover shared access patterns among users in the same cost center
Least Privilege Implementation: Find roles that provide necessary access with minimal permissions
Onboarding Planning: Determine appropriate roles for new hires based on their cost center
Limitations
This feature is currently limited to the Snowflake integration.
Role analysis is based on cost center information, which must be properly configured in your system.
Cohort Role Analysis API
Request Parameters
The API accepts a request object with the following parameters:
Name | Type | Required | Description
cost_center | string | Yes | The identifier for the cost center whose roles should be analyzed
limit | uint32 | No | The maximum number of roles to return (defaults to 5 if not specified)
Protocol Definition
Proto Message Definitions
The API uses the following protocol buffer message definitions:
Response Structure
The API returns a response object with the following fields:
Field | Type | Description
grantee_ids | string[] | A list of role IDs that are accessible to users in the specified cost center
accessibility_type | GranteeAccessibility | Indicates whether roles were accessible to all principals or any principal
Accessibility Types
The accessibility_type field can have one of the following values:
Value | Description
ALL_PRINCIPALS | Roles accessible from all principals in the cost center
ANY_PRINCIPAL | Roles accessible from at least one principal in the cost center
Note: If no roles are accessible to all principals in the cost center, the API falls back to returning roles accessible by any principal, and the accessibility_type will be set to ANY_PRINCIPAL.
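The selection and fallback described above, modeled as an added example (not the service's code and not part of the original documentation). The input maps, the privilege-count ranking metric, and all function names are assumptions; onboarding_baseline is a hypothetical consumer-side check that refuses to treat an ANY_PRINCIPAL fallback result as a cohort-wide baseline.

```python
from dataclasses import dataclass

DEFAULT_LIMIT = 5  # the page: limit defaults to 5 if not specified


@dataclass
class CohortRoleResult:
    grantee_ids: list[str]
    accessibility_type: str  # "ALL_PRINCIPALS" or "ANY_PRINCIPAL"


def analyze_cohort(access, privilege_count, limit=DEFAULT_LIMIT):
    """Model of the documented selection, not the service's implementation.

    access: user -> set of role IDs that user can reach (constructed input).
    privilege_count: role ID -> number of privileges (assumed ranking metric).
    """
    role_sets = list(access.values())
    if not role_sets:
        # The page does not say what an empty cost center returns.
        raise ValueError("no principals in cost center")
    common = set.intersection(*role_sets)
    if common:
        roles, kind = common, "ALL_PRINCIPALS"
    else:
        # Fallback: nothing is shared by every principal, so widen to the union.
        roles, kind = set.union(*role_sets), "ANY_PRINCIPAL"
    # Least privilege first; role ID breaks ties so the order is stable.
    ranked = sorted(roles, key=lambda r: (privilege_count[r], r))
    return CohortRoleResult(ranked[:limit], kind)


def onboarding_baseline(result):
    """Only a cohort-wide result is used as a default for new hires."""
    if result.accessibility_type != "ALL_PRINCIPALS":
        return []  # fallback roles may be held by a single user; review by hand
    return result.grantee_ids


# Constructed sample data.
PRIVS = {"ANALYST_RO": 3, "FINANCE_RW": 12, "SYSADMIN": 90, "ETL_RUNNER": 20}
SHARED = {"alice": {"ANALYST_RO", "FINANCE_RW", "SYSADMIN"},
          "bob": {"ANALYST_RO", "FINANCE_RW"}}
DISJOINT = {"carol": {"SYSADMIN"}, "dave": {"ETL_RUNNER", "ANALYST_RO"}}

if __name__ == "__main__":
    for cohort in (SHARED, DISJOINT):
        res = analyze_cohort(cohort, PRIVS)
        print(res, "->", onboarding_baseline(res))
```

In the DISJOINT cohort the fallback surfaces SYSADMIN, held by one user only, which is why the gate returns nothing for ANY_PRINCIPAL results.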
Usage Example
Example 1: Roles Accessible to All Principals
Request
Response
The response indicates these roles are accessible to all users in the cost center:
Example 2: Roles Accessible to Any Principal
Request
Response
The response indicates no roles are accessible to all users, but these roles are accessible to at least one user in the cost center: