Role Existence

Check whether a role with specific resource permissions already exists.

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The Role Existence API allows users to check whether a role with specific resource permissions already exists in the system. This API is particularly useful for role management and access governance in Snowflake environments.

Use cases and features

This API enables efficient role management by identifying existing roles that already have the permissions you're looking for. Key use cases include:

Role Discovery: Find existing roles that match specific permission requirements
Prevent Role Proliferation: Avoid creating duplicate roles with the same permissions
Permission Auditing: Verify which roles have specific permissions to resources
Role Standardization: Identify standard roles that can be reused for similar access requirements

Limitations

This feature is currently limited to the Snowflake integration.

Role Existence API

post

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Body

grantee_typestringOptional

Responses

200

application/json

grantee_idsstring[]Optional

default

Default error response

application/json

post

/api/private/assessments/role_recommendations_role_exists

POST /api/private/assessments/role_recommendations_role_exists HTTP/1.1
Host: your-tenant.vezacloud.com
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 113

{
  "grantee_type": "text",
  "resource_permissions": [
    {
      "raw_permissions": [
        "text"
      ],
      "node_type": "text",
      "node_id": "text"
    }
  ]
}

{
  "grantee_ids": [
    "text"
  ]
}

Request Parameters

The API accepts a request object with the following parameters:

Parameter

Type

Required

Description

grantee_type

string

Yes

The type of grantee for which the role existence is checked (currently supports only SnowflakeRole)

resource_permissions

ResourcePermissions[]

Yes

A list of resource permissions to match against existing roles

ResourcePermissions Structure

Each ResourcePermissions object contains:

Field

Type

Required

Description

node_type

string

Yes

The type of resource node (supported types are SnowflakeDatabase, SnowflakeTable, SnowflakeView, and SnowflakeSchema)

node_id

string

Yes

Veza node ID of the resource (i.e., ID property in graph and query builder)

raw_permissions

string[]

Yes

A list of permissions to check (e.g., USAGE, SELECT, etc.)

Protocol Definition

Proto Message Definitions

The API uses the following protocol buffer message definitions:

message RoleExistsRequest {
  string grantee_type = 1;
  repeated GetRoleMatchingRequest.ResourcePermissions resource_permissions = 2;
}

message RoleExistsResponse {
  repeated string grantee_ids = 1;
}

Response Structure

The API returns a response object with the following field:

Field

Type

Description

grantee_ids

string[]

A list of existing role IDs that match the given permissions

Usage Example

Request

This example checks if there's an existing role with USAGE permission on a specific Snowflake database:

{
  "grantee_type": "SnowflakeRole",
  "resource_permissions": [
    {
      "node_type": "SnowflakeDatabase",
      "node_id": "example-snowflake.com/database/SECURITY_DB",
      "raw_permissions": ["USAGE"]
    }
  ]
}

Response

The response indicates that a matching role exists:

{
  "grantee_ids": [
    "example-snowflake.com/role/SECURITY_READER_ROLE"
  ]
}

Example: Multiple Resource Permissions

You can check for roles that have permissions across multiple resources:

Request

{
  "grantee_type": "SnowflakeRole",
  "resource_permissions": [
    {
      "node_type": "SnowflakeDatabase",
      "node_id": "example-snowflake.com/database/ANALYTICS",
      "raw_permissions": ["USAGE"]
    },
    {
      "node_type": "SnowflakeSchema",
      "node_id": "example-snowflake.com/database/ANALYTICS/schema/PUBLIC",
      "raw_permissions": ["USAGE", "SELECT"]
    }
  ]
}

Response

{
  "grantee_ids": [
    "example-snowflake.com/role/ANALYTICS_READER_ROLE",
    "example-snowflake.com/role/REPORTING_USER_ROLE"
  ]
}

Example: No Matching Roles

In this example, the request is checking for roles with specific permissions, but no matching roles are found:

Request

{
  "grantee_type": "SnowflakeRole",
  "resource_permissions": [
    {
      "node_type": "SnowflakeDatabase",
      "node_id": "snowhouse.snowflakecomputing.com/database/RESEARCH_DATA",
      "raw_permissions": ["OWNERSHIP"]
    },
    {
      "node_type": "SnowflakeSchema",
      "node_id": "snowhouse.snowflakecomputing.com/database/RESEARCH_DATA/schema/EXPERIMENTS",
      "raw_permissions": ["CREATE TABLE", "CREATE VIEW", "MODIFY"]
    }
  ]
}

Response

The response indicates that no matching roles with the specified permission combination exist:

{
  "grantee_ids": []
}

When you receive an empty response like this, it suggests that a new role might need to be created to satisfy these specific permission requirements, as no existing role has the exact permission set requested.

PreviousGet Access Relationship NextRole Maintenance

Last updated 1 month ago

Was this helpful?

hashtagOverview

hashtagUse cases and features

hashtagLimitations

hashtagRole Existence API

hashtagRequest Parameters

hashtagResourcePermissions Structure

hashtagProtocol Definition

hashtagProto Message Definitions

hashtagResponse Structure

hashtagUsage Example

hashtagRequest

hashtagResponse

hashtagExample: Multiple Resource Permissions

hashtagRequest

hashtagResponse

hashtagExample: No Matching Roles

hashtagRequest

hashtagResponse

hashtagRelated APIs

Overview

Use cases and features

Limitations

Role Existence API

Request Parameters

ResourcePermissions Structure

Protocol Definition

Proto Message Definitions

Response Structure

Usage Example

Request

Response

Example: Multiple Resource Permissions

Request

Response

Example: No Matching Roles

Request

Response

Related APIs