Analyze roles accessible to Snowflake users within a specified cost center.
Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.
The Cohort Role Analysis API provides insights into role accessibility for Snowflake users within a specified cost center. It identifies which roles are accessible to users in that cost center and orders them by least privilege, helping to establish common access patterns and standardize role assignments. The response includes:
A list of roles accessible to users in the cost center
An indication of whether these roles are accessible to all users or only some users in the cost center
The API first attempts to find roles that are accessible to all principals (users) in the cost center. If no roles are accessible to all principals, it falls back to returning roles that are accessible by at least one principal, indicated by the accessibility_type field in the response.
This API can help organizations understand common access patterns within organizational units and can support role standardization efforts:
Role Standardization: Identify common roles used within organizational units
Access Pattern Analysis: Discover shared access patterns among users in the same cost center
Least Privilege Implementation: Find roles that provide necessary access with minimal permissions
Onboarding Planning: Determine appropriate roles for new hires based on their cost center
Role analysis is based on cost center information, which must be properly configured in your system.
The API accepts a request object with the following parameters:
cost_center
string
Yes
The identifier for the cost center whose roles should be analyzed
limit
uint32
No
The maximum number of roles to return (defaults to 5 if not specified)
The API uses the following protocol buffer message definitions:
The API returns a response object with the following fields:
grantee_ids
string[]
A list of role IDs that are accessible to users in the specified cost center
accessibility_type
GranteeAccessibility
Indicates whether roles were accessible to all principals or any principal
The accessibility_type field can have one of the following values:
ALL_PRINCIPALS
Roles accessible from all principals in the cost center
ANY_PRINCIPAL
Roles accessible from at least one principal in the cost center
Note: If no roles are accessible to all principals in the cost center, the API falls back to returning roles accessible by any principal, and the accessibility_type will be set to ANY_PRINCIPAL.
Request
Response
The response indicates these roles are accessible to all users in the cost center:
Request
Response
The response indicates no roles are accessible to all users, but these roles are accessible to at least one user in the cost center:
Documentation for Veza's private APIs for advanced access assessments
This section contains documentation for APIs in the private/ namespace for advanced access assessment capabilities. These APIs currently support advanced role analysis, entitlement comparisons, and access management for Snowflake environments.
These APIs enable several identity security use cases:
Role Rationalization: Identify and consolidate redundant roles to simplify access management
Least Privilege Implementation: Find roles that provide necessary access with minimal excess permissions
Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles
Access Pattern Analysis: Discover common access patterns among users in the same organizational unit
Privileged Access Management: Analyze what additional privileges different roles would provide to a user
Some APIs may have performance limitations with highly connected identities or complex permission structures.
Modify role permissions and find matching existing roles.
Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.
The Role Maintenance API allows you to simulate modifications to an existing role's permissions and check if other roles with the resulting permission set already exist. This API is particularly useful for role rationalization and consolidation in Snowflake environments.
This API enables effective role maintenance and governance with several key capabilities:
Role Rationalization: Find existing roles that match a desired permission set after modifications
Role Consolidation: Identify opportunities to consolidate roles by checking for existing roles with similar permissions
Permission Planning: Plan permission changes and identify existing alternatives before implementation
Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles
The API accepts a request object with the following parameters:
Each GranteeModification object contains:
Note: You can specify either or both of these fields:
If only from_resource_permissions is set, those permissions will be removed
If only to_resource_permissions is set, those permissions will be added
If both are set, the permissions will be updated accordingly
This flexibility allows you to model different types of permission changes within a single API call. For example, you can simultaneously remove access to one resource while adding access to another, or modify permission levels on the same resource.
Each ResourcePermissions object contains:
The API uses the following protocol buffer message definitions:
The API returns a response object with the following field:
This example simulates removing database and schema permissions from one role while adding database permissions to another:
The response indicates that a role with the resulting permission set exists:
This example shows adding permissions to a role:
This example shows removing permissions from a role:
This feature is currently limited to the .
These features are currently limited to the .
This feature is currently limited to the .
grantee_type
string
Yes
The type of grantee (currently only supports SnowflakeRole)
grantee_id
string
Yes
Veza node ID of the grantee (role) to be modified
modifications
GranteeModification[]
Yes
A list of resource permission modifications to apply to the role
from_resource_permissions
ResourcePermissions
No
Permissions to remove from the role
to_resource_permissions
ResourcePermissions
No
Permissions to add to the role
node_type
string
Yes
The type of resource node (supported types are SnowflakeDatabase, SnowflakeTable, SnowflakeView, and SnowflakeSchema)
node_id
string
Yes
Veza node ID of the resource (ID property in graph and query builder)
raw_permissions
string[]
Yes
A list of permissions (e.g., USAGE, SELECT, etc.)
grantee_ids
string[]
A list of existing role IDs that match the permission set after the requested modifications
Identifies grantees (such as roles) that provide specific access permissions to a given identity for a set of resources
Checks whether a role with specific resource permissions already exists
Simulates modifications to an existing role's permissions and checks if other roles with the resulting permission set already exist
Provides insights into role accessibility for users within a specified cost center
Identify grantees (such as roles) providing specific access permissions to a given identity for a set of resources.
Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.
The GetAccessRelationship API takes an identity (user), a list of resources with permissions, and responds with potential grantees (roles) that can grant these access permissions to the user. The response includes detailed information about the additional access these grantees would provide. This API is particularly designed for role recommendations and permissions analysis in Snowflake environments.
This API returns potential grantees (i.e., Snowflake roles) that can provide specific permissions, with results ordered by the level of "extra access" they provide (access not already available to the user). The response includes comparisons between current access and potential access and supports filtering by grantee type and other criteria.
Role Recommendations: Find the most appropriate roles to grant a user for specific access needs
Privilege Analysis: Analyze what additional privileges different roles would provide to a user
Access Management: Compare different access options before making permission changes
Least Privilege Implementation: Identify roles that provide necessary access with minimal excess permissions
For highly connected identities (>10,000 accesses or accessible resources), the calculation of "extra access" can be performance-intensive. For a timely response, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources. In such cases, is_identity_highly_connected will be set to true in response.
The API accepts a GetAccessRelationshipRequest object with the following parameters:
identity_id
string
Yes
ID for the principal (user) in Veza node ID format
identity_type
string
Yes
Veza node type for the principal (currently must be SnowflakeUser)
resource_id
string
No
ID of the resource to analyze
resource_type
string
No
Type of the resource to analyze (used to calculate impact)
raw_permissions
RawPermissionCollection
No
Collection of raw permissions to analyze
effective_permissions
EffectivePermissionCollection
No
Collection of effective permissions to analyze
grantee_type
string
No
Veza node type for the grantee (currently must be SnowflakeRole)
grantee_filter
AssessmentQuerySpecFilter
No
Filter to apply on potential grantees
saved_query_id_for_grantee_ids
string
No
ID of a saved query, source nodes in its result will be used as a filter
max_grantee_count
int32
No
Maximum number of grantees to return
resource_types_to_display
string[]
No
Resource types to include in the result (in addition to resource_type above)
max_resource_count
int32
No
Grantees with access to more resources will be excluded from the results. 0 (unset) uses the default value of 100,000. Setting a higher value will include grantees with more resources.
no_extra_stats
boolean
No
Show less stats to makes the API respond faster: when True, the response will not contain permission summaries and resource access changes, but the grantee IDs are still returned in the correct order.
resource_permissions
ResourcePermissions[]
No
Only valid when result order is LEAST_PRIVILEGED. Returned grantees will be able to access all resources with the permissions in resource_permissions.
result_order
RoleRecommendationResultOrder
No
Ordering method for results (default is by minimal access count)
direct_grantee_to_resource_only
boolean
No
When true, only return roles with direct access to the input resources
Important: Either
resource_permissionsor the combination of (resource_id,resource_type,raw_permissions,effective_permissions) must be provided in the request, but not both.
The API provides two options for ordering the returned grantees:
Default Order (Minimal Access Count): By default, the API returns grantees ordered by their access count, prioritizing roles with fewest total accesses.
Least Privileged: When setting "result_order": "LEAST_PRIVILEGED", the API orders grantees by least privilege principle (minimum necessary permissions) and enables several advanced features:
No system-defined admin roles will be returned in the results
The resource_permissions parameter can be used, which allows input of multiple resources
When max_resource_count is reached for an identity, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources.
The no_extra_stats parameter improves performance when detailed statistics aren't needed. This parameter will:
Skip saved query lookup for grantee IDs
Only include basic resource count information in the response
Ignore the saved_query_id_for_grantee_ids parameter
Only return old_accessible_resource_count and new_accessible_resource_count for the input resource_type
This parameter is not effective when result_order is set to LEAST_PRIVILEGED
The resource_permissions parameter is only usable when result_order is set to LEAST_PRIVILEGED
The API returns a GetAccessRelationshipResponse object with the following fields:
ordered_node_access_changes
NodeAccessChange[]
List of grantees and their access statistics, ordered according to the input result_order
is_identity_highly_connected
boolean
Indicates if the identity has access to many resources (>10,000 accesses for a single resource type)
result_time
Timestamp
Time when the cache was refreshed (if cache was used)
identity_already_has_all_access
boolean
Indicates if the principal already has all the requested access
Note: There are deprecated fields in the response (
role_id,resource_type,new_accessible_resource_count) that should not be used. Use theordered_node_access_changesfield instead.
Each NodeAccessChange object contains:
node_type
string
The node type of the grantee
id
string
The node ID of the grantee
name
string
The name of the grantee
resource_access_changes
ResourceAccessChange[]
Access changes per resource type
Each ResourceAccessChange object contains:
resource_type
string
Type of the resource
old_accessible_resource_count
int32
Count of resources accessible before granting
new_accessible_resource_count
int32
Count of resources accessible after granting
old_raw_permissions
string[]
List of raw permissions before granting
new_raw_permissions
string[]
List of raw permissions after granting
old_effective_permissions
string[]
List of effective permissions before granting
new_effective_permissions
string[]
List of effective permissions after granting
This example shows how to use the API to find roles that would give a specific Snowflake user access to certain resources using the resource_permissions parameter.
Request
This example shows how to use the API with the resource ID and permissions approach.
This example uses LEAST_PRIVILEGED result ordering. The response will prioritize grantees that provide the minimum necessary permissions to meet the requested access requirements.
Request
Check whether a role with specific resource permissions already exists.
Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.
The Role Existence API allows users to check whether a role with specific resource permissions already exists in the system. This API is particularly useful for role management and access governance in Snowflake environments.
This API enables efficient role management by identifying existing roles that already have the permissions you're looking for. Key use cases include:
Role Discovery: Find existing roles that match specific permission requirements
Prevent Role Proliferation: Avoid creating duplicate roles with the same permissions
Permission Auditing: Verify which roles have specific permissions to resources
Role Standardization: Identify standard roles that can be reused for similar access requirements
The API accepts a request object with the following parameters:
grantee_type
string
Yes
The type of grantee for which the role existence is checked (currently supports only SnowflakeRole)
resource_permissions
ResourcePermissions[]
Yes
A list of resource permissions to match against existing roles
Each ResourcePermissions object contains:
node_type
string
Yes
The type of resource node (supported types are SnowflakeDatabase, SnowflakeTable, SnowflakeView, and SnowflakeSchema)
node_id
string
Yes
Veza node ID of the resource (i.e., ID property in graph and query builder)
raw_permissions
string[]
Yes
A list of permissions to check (e.g., USAGE, SELECT, etc.)
The API uses the following protocol buffer message definitions:
The API returns a response object with the following field:
grantee_ids
string[]
A list of existing role IDs that match the given permissions
This example checks if there's an existing role with USAGE permission on a specific Snowflake database:
The response indicates that a matching role exists:
You can check for roles that have permissions across multiple resources:
In this example, the request is checking for roles with specific permissions, but no matching roles are found:
The response indicates that no matching roles with the specified permission combination exist:
When you receive an empty response like this, it suggests that a new role might need to be created to satisfy these specific permission requirements, as no existing role has the exact permission set requested.
This feature is currently limited to the .
This feature is currently limited to the .
only one of resource_permissions or (resource_id, resource_type, raw_permissions, effective_permissions) can be set in the input
When result_type=DEFAULT, setting no_extra_stats to true will also skip these queries:
result_order is by default minimal access count, but can be set to LEAST_PRIVILEGED and enable new features including resource_permissions and faster response