Get Access Relationship
Identify grantees (such as roles) providing specific access permissions to a given identity for a set of resources.
Last updated
Was this helpful?
Identify grantees (such as roles) providing specific access permissions to a given identity for a set of resources.
Last updated
Was this helpful?
Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.
The GetAccessRelationship API takes an identity (user), a list of resources with permissions, and responds with potential grantees (roles) that can grant these access permissions to the user. The response includes detailed information about the additional access these grantees would provide. This API is particularly designed for role recommendations and permissions analysis in Snowflake environments.
This API returns potential grantees (i.e., Snowflake roles) that can provide specific permissions, with results ordered by the level of "extra access" they provide (access not already available to the user). The response includes comparisons between current access and potential access and supports filtering by grantee type and other criteria.
Role Recommendations: Find the most appropriate roles to grant a user for specific access needs
Privilege Analysis: Analyze what additional privileges different roles would provide to a user
Access Management: Compare different access options before making permission changes
Least Privilege Implementation: Identify roles that provide necessary access with minimal excess permissions
This feature is currently limited to the .
For highly connected identities (>10,000 accesses or accessible resources), the calculation of "extra access" can be performance-intensive. For a timely response, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources. In such cases, is_identity_highly_connected will be set to true in response.
The API accepts a GetAccessRelationshipRequest object with the following parameters:
identity_id
string
Yes
ID for the principal (user) in Veza node ID format
identity_type
string
Yes
Veza node type for the principal (currently must be SnowflakeUser)
resource_id
string
No
ID of the resource to analyze
resource_type
string
No
Type of the resource to analyze (used to calculate impact)
raw_permissions
RawPermissionCollection
No
Collection of raw permissions to analyze
effective_permissions
EffectivePermissionCollection
No
Collection of effective permissions to analyze
grantee_type
string
No
Veza node type for the grantee (currently must be SnowflakeRole)
grantee_filter
AssessmentQuerySpecFilter
No
Filter to apply on potential grantees
saved_query_id_for_grantee_ids
string
No
ID of a saved query, source nodes in its result will be used as a filter
max_grantee_count
int32
No
Maximum number of grantees to return
resource_types_to_display
string[]
No
Resource types to include in the result (in addition to resource_type above)
max_resource_count
int32
No
Grantees with access to more resources will be excluded from the results. 0 (unset) uses the default value of 100,000. Setting a higher value will include grantees with more resources.
no_extra_stats
boolean
No
Show less stats to makes the API respond faster: when True, the response will not contain permission summaries and resource access changes, but the grantee IDs are still returned in the correct order.
resource_permissions
ResourcePermissions[]
No
Only valid when result order is LEAST_PRIVILEGED. Returned grantees will be able to access all resources with the permissions in resource_permissions.
result_order
RoleRecommendationResultOrder
No
Ordering method for results (default is by minimal access count)
direct_grantee_to_resource_only
boolean
No
When true, only return roles with direct access to the input resources
Important: Either
resource_permissionsor the combination of (resource_id,resource_type,raw_permissions,effective_permissions) must be provided in the request, but not both.
The API provides two options for ordering the returned grantees:
Default Order (Minimal Access Count): By default, the API returns grantees ordered by their access count, prioritizing roles with fewest total accesses.
Least Privileged: When setting "result_order": "LEAST_PRIVILEGED", the API orders grantees by least privilege principle (minimum necessary permissions) and enables several advanced features:
No system-defined admin roles will be returned in the results
The resource_permissions parameter can be used, which allows input of multiple resources
When max_resource_count is reached for an identity, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources.
The no_extra_stats parameter improves performance when detailed statistics aren't needed. This parameter will:
Skip saved query lookup for grantee IDs
Only include basic resource count information in the response
Ignore the saved_query_id_for_grantee_ids parameter
Only return old_accessible_resource_count and new_accessible_resource_count for the input resource_type
This parameter is not effective when result_order is set to LEAST_PRIVILEGED
The resource_permissions parameter is only usable when result_order is set to LEAST_PRIVILEGED
The API returns a GetAccessRelationshipResponse object with the following fields:
ordered_node_access_changes
NodeAccessChange[]
List of grantees and their access statistics, ordered according to the input result_order
is_identity_highly_connected
boolean
Indicates if the identity has access to many resources (>10,000 accesses for a single resource type)
result_time
Timestamp
Time when the cache was refreshed (if cache was used)
identity_already_has_all_access
boolean
Indicates if the principal already has all the requested access
Note: There are deprecated fields in the response (
role_id,resource_type,new_accessible_resource_count) that should not be used. Use theordered_node_access_changesfield instead.
Each NodeAccessChange object contains:
node_type
string
The node type of the grantee
id
string
The node ID of the grantee
name
string
The name of the grantee
resource_access_changes
ResourceAccessChange[]
Access changes per resource type
Each ResourceAccessChange object contains:
resource_type
string
Type of the resource
old_accessible_resource_count
int32
Count of resources accessible before granting
new_accessible_resource_count
int32
Count of resources accessible after granting
old_raw_permissions
string[]
List of raw permissions before granting
new_raw_permissions
string[]
List of raw permissions after granting
old_effective_permissions
string[]
List of effective permissions before granting
new_effective_permissions
string[]
List of effective permissions after granting
This example shows how to use the API to find roles that would give a specific Snowflake user access to certain resources using the resource_permissions parameter.
Request
This example shows how to use the API with the resource ID and permissions approach.
This example uses LEAST_PRIVILEGED result ordering. The response will prioritize grantees that provide the minimum necessary permissions to meet the requested access requirements.
Request
only one of resource_permissions or (resource_id, resource_type, raw_permissions, effective_permissions) can be set in the input
When result_type=DEFAULT, setting no_extra_stats to true will also skip these queries:
result_order is by default minimal access count, but can be set to LEAST_PRIVILEGED and enable new features including resource_permissions and faster response