Cohort Role Analysis

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The Cohort Role Analysis API provides insights into role accessibility for Snowflake users within a specified cost center. It identifies which roles are accessible to users in that cost center and orders them by least privilege, helping to establish common access patterns and standardize role assignments. The response includes:

• A list of roles accessible to users in the cost center

• An indication of whether these roles are accessible to all users or only some users in the cost center

The API first attempts to find roles that are accessible to all principals (users) in the cost center. If no roles are accessible to all principals, it falls back to returning roles that are accessible by at least one principal, indicated by the accessibility_type field in the response.

Use cases and features

This API can help organizations understand common access patterns within organizational units and can support role standardization efforts:

1. Role Standardization: Identify common roles used within organizational units

2. Access Pattern Analysis: Discover shared access patterns among users in the same cost center

3. Least Privilege Implementation: Find roles that provide necessary access with minimal permissions

4. Onboarding Planning: Determine appropriate roles for new hires based on their cost center

Limitations

• This feature is currently limited to the Snowflake integration.

• Role analysis is based on cost center information, which must be properly configured in your system.

Cohort Role Analysis API

Request Parameters

The API accepts a request object with the following parameters:

Protocol Definition

Proto Message Definitions

The API uses the following protocol buffer message definitions:

message CohortRoleAnalysisRequest {
  string cost_center = 1;
  uint32 limit = 2;
}

enum GranteeAccessibility {
  ALL_PRINCIPALS = 0; // Grantees accessible from all principals
  ANY_PRINCIPAL = 1;  // Grantees accessible from at least one principal
}

message CohortRoleAnalysisResponse {
  repeated string grantee_ids = 1;
  GranteeAccessibility accessibility_type = 2;
}

Response Structure

The API returns a response object with the following fields:

Accessibility Types

The accessibility_type field can have one of the following values:

Note: If no roles are accessible to all principals in the cost center, the API falls back to returning roles accessible by any principal, and the accessibility_type will be set to ANY_PRINCIPAL.

Usage Example

Example 1: Roles Accessible to All Principals

Request

{
  "cost_center": "CC-SALES",
  "limit": 5
}

Response

The response indicates these roles are accessible to all users in the cost center:

{
  "grantee_ids": [
    "example-snowflake.com/role/WORKSPACE_LOGS_ROLE",
    "example-snowflake.com/role/DATA_LINEAGE_READONLY_ROLE",
    "example-snowflake.com/role/WAREHOUSE_USER_ROLE"
  ],
  "accessibility_type": "ALL_PRINCIPALS"
}

Example 2: Roles Accessible to Any Principal

Request

{
  "cost_center": "CC-MARKETING"
}

Response

The response indicates no roles are accessible to all users, but these roles are accessible to at least one user in the cost center:

{
  "grantee_ids": [
    "example-snowflake.com/role/MARKETING_PARTNER_READONLY_ROLE",
    "example-snowflake.com/role/MARKETING_ENTERPRISE_READONLY_ROLE",
    "example-snowflake.com/role/WORKSPACE_LOGS_ROLE",
    "example-snowflake.com/role/MARKETING_PRODUCT_READONLY_ROLE",
    "example-snowflake.com/role/MARKETING_UTILS_READONLY_ROLE"
  ],
  "accessibility_type": "ANY_PRINCIPAL"
}

Related APIs

• Get Access Relationship API

• Role Existence API

• Role Maintenance API