1 of 1

Role Maintenance

Modify role permissions and find matching existing roles.

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The Role Maintenance API allows you to simulate modifications to an existing role's permissions and check if other roles with the resulting permission set already exist. This API is particularly useful for role rationalization and consolidation in Snowflake environments.

Use cases and features

This API enables effective role maintenance and governance with several key capabilities:

Role Rationalization: Find existing roles that match a desired permission set after modifications
Role Consolidation: Identify opportunities to consolidate roles by checking for existing roles with similar permissions
Permission Planning: Plan permission changes and identify existing alternatives before implementation
Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles

This feature is currently limited to the .

The API accepts a request object with the following parameters:

Parameter

Type

Required

Description

Each GranteeModification object contains:

Field

Type

Required

Description

Note: You can specify either or both of these fields:

If only from_resource_permissions is set, those permissions will be removed
If only to_resource_permissions is set, those permissions will be added
If both are set, the permissions will be updated accordingly

This flexibility allows you to model different types of permission changes within a single API call. For example, you can simultaneously remove access to one resource while adding access to another, or modify permission levels on the same resource.

Each ResourcePermissions object contains:

Field

Type

Required

Description

The API uses the following protocol buffer message definitions:

The API returns a response object with the following field:

Field

Type

Description

This example simulates removing database and schema permissions from one role while adding database permissions to another:

The response indicates that a role with the resulting permission set exists:

This example shows adding permissions to a role:

This example shows removing permissions from a role:

Role Maintenance

Modify role permissions and find matching existing roles.

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

Use cases and features

This API enables effective role maintenance and governance with several key capabilities:

Role Rationalization: Find existing roles that match a desired permission set after modifications
Role Consolidation: Identify opportunities to consolidate roles by checking for existing roles with similar permissions
Permission Planning: Plan permission changes and identify existing alternatives before implementation
Access Governance: Maintain a minimal set of roles by identifying functionally equivalent roles

This feature is currently limited to the .

The API accepts a request object with the following parameters:

Parameter

Type

Required

Description

Each GranteeModification object contains:

Field

Type

Required

Description

Note: You can specify either or both of these fields:

If only from_resource_permissions is set, those permissions will be removed
If only to_resource_permissions is set, those permissions will be added
If both are set, the permissions will be updated accordingly

Each ResourcePermissions object contains:

Field

Type

Required

Description

The API uses the following protocol buffer message definitions:

The API returns a response object with the following field:

Field

Type

Description

This example simulates removing database and schema permissions from one role while adding database permissions to another:

The response indicates that a role with the resulting permission set exists:

This example shows adding permissions to a role:

This example shows removing permissions from a role:

{
  "grantee_type": "SnowflakeRole",
  "grantee_id": "example-snowflake.com/role/DATA_INGEST_ROLE",
  "modifications": [
    {
      "from_resource_permissions": {
        "node_type": "SnowflakeDatabase",
        "node_id": "example-snowflake.com/database/ANALYTICS_DB",
        "raw_permissions": ["USAGE"]
      }
    },
    {
      "from_resource_permissions": {
        "node_type": "SnowflakeSchema",
        "node_id": "example-snowflake.com/database/ANALYTICS_DB/schema/RAW_DATA",
        "raw_permissions": ["CREATE FUNCTION", "CREATE PIPE", "CREATE STREAM", "CREATE TABLE", "CREATE TASK", "USAGE"]
      }
    },
    {
      "to_resource_permissions": {
        "node_type": "SnowflakeDatabase",
        "node_id": "example-snowflake.com/database/CLOUD_DB",
        "raw_permissions": ["USAGE"]
      }
    }
  ]
}

post

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Body

grantee_typestringOptional

grantee_idstringOptional

raw_permissionsstring[]Optional

node_typestringOptional

node_idstringOptional

raw_permissionsstring[]Optional

node_typestringOptional

node_idstringOptional

Responses

200

application/json

grantee_idsstring[]Optional

default

Default error response

application/json

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

codeinteger · int32Optional

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

messagestringOptional

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

@typestringOptional

The type of the serialized message.

Other propertiesanyOptional

post

/api/private/assessments/role_recommendations_role_maintenance

Role Maintenance

Overview

Use cases and features

Role Maintenance

Overview

Use cases and features

Limitations