USER TYPES in SNOWFLAKE "Securing is better than sorry" 



It's always wiser to take precautions and secure something properly, even if it seems unnecessary, rather than risk problems or regret later by not being careful enough.

Snowflake has a TYPE property for the USER object. This is one of the long-awaited, no-brainer features we all wanted. Make sure to secure your data by securing your users first.





Key things to remember

Never rely on single-factor authentication (always enroll in at least a second factor).

Old-fashioned password logins are vulnerable in today's digital world, so configure strong authentication such as OAuth, key pair, or federated authentication.

In Snowflake, the TYPE property of a user can be set to one of four values: PERSON | SERVICE | LEGACY_SERVICE | NULL


PERSON: Users do not have restrictions when the TYPE property is set to PERSON, NULL, or when TYPE is unset.

NULL: See PERSON.

SERVICE: To improve the security posture of non-interactive use cases, users with the TYPE property set to SERVICE have the following characteristics:

They cannot log in using a password.

They cannot log in using SAML SSO.

They cannot enroll in MFA.

They are not subject to authentication policy MFA enforcement.

They cannot have the following properties:

FIRST_NAME, MIDDLE_NAME, LAST_NAME, PASSWORD, MUST_CHANGE_PASSWORD, MINS_TO_BYPASS_MFA


The following commands cannot be used:


ALTER USER RESET PASSWORD

ALTER USER SET DISABLE_MFA = TRUE


LEGACY_SERVICE: A user with their TYPE property set to LEGACY_SERVICE represents a non-interactive integration. LEGACY_SERVICE users let services or applications that cannot easily use more secure authentication methods authenticate using password or SAML authentication.


LEGACY_SERVICE users have the following characteristics:


They can log in using password or SAML authentication, unlike SERVICE users.

They have the property restrictions of a SERVICE user, except that the PASSWORD and MUST_CHANGE_PASSWORD properties are available.

They have the command restrictions of a SERVICE user but can use the ALTER USER RESET PASSWORD command.

They are not affected by authentication policy multi-factor authentication (MFA) enforcement. This lets administrators set an account-level authentication policy that requires MFA for password authentication, without also needing a user-level authentication policy to exempt LEGACY_SERVICE users from that MFA requirement.
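The following SQL is an added example, not code from the original post, showing how the three user types described above are created and how to audit which users can still log in with a password. The user names (jane_doe, svc_etl, legacy_bi_app), role and warehouse names, the key and password values are placeholders, and the SHOW USERS column names used in the audit query are assumed.

```sql
-- Added example (not from the original post): one user per TYPE, with the
-- authentication each type is allowed, followed by an audit query.
-- All names, the public key and the password below are placeholders.

-- An interactive human user: TYPE = PERSON, so SSO and MFA enrollment apply.
CREATE USER jane_doe
  TYPE = PERSON
  LOGIN_NAME = 'jane.doe@example.com'
  DEFAULT_ROLE = ANALYST;

-- A non-interactive service user: cannot use a password or SAML SSO, so it
-- must authenticate with a key pair (or OAuth). Adding PASSWORD = ... here
-- would be rejected, because SERVICE users cannot have that property.
CREATE USER svc_etl
  TYPE = SERVICE
  RSA_PUBLIC_KEY = '<rsa-public-key-base64>'   -- placeholder public key
  DEFAULT_ROLE = ETL_ROLE
  DEFAULT_WAREHOUSE = ETL_WH;

-- A legacy integration that can only do password authentication: allowed to
-- have PASSWORD, and exempt from authentication-policy MFA enforcement.
CREATE USER legacy_bi_app
  TYPE = LEGACY_SERVICE
  PASSWORD = '<strong-generated-secret>'      -- placeholder
  MUST_CHANGE_PASSWORD = FALSE
  DEFAULT_ROLE = BI_READER;

-- Migrating that integration off passwords once it supports key pair auth:
-- attach the key, drop the password (a SERVICE user cannot carry one),
-- then switch the type so password/SAML logins are no longer possible.
ALTER USER legacy_bi_app SET RSA_PUBLIC_KEY = '<rsa-public-key-base64>';
ALTER USER legacy_bi_app UNSET PASSWORD;
ALTER USER legacy_bi_app SET TYPE = SERVICE;

-- Audit: list users whose TYPE is unset, PERSON or LEGACY_SERVICE, i.e. the
-- ones that can still log in with a password. SHOW USERS is read back as a
-- table through RESULT_SCAN; the quoted column names are assumed.
SHOW USERS;
SELECT "name", "login_name", "type", "has_password", "disabled"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "type" IS NULL OR "type" IN ('PERSON', 'LEGACY_SERVICE')
ORDER BY "type", "name";
```

Run the audit query periodically with a role that can see all users; any row with "has_password" = true and "type" other than LEGACY_SERVICE is a candidate for either MFA enrollment (people) or conversion to TYPE = SERVICE (integrations).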


So choose your user type wisely to build robust, secure applications from day one.





Comments

  1. Great article! I loved the insights and perspectives you shared.

  2. Thank you for sharing this insightful post! Your expertise in database administration really shines through, and I've learned a lot from this.

  3. Awesome article on securing the data cloud.

  4. Great article!
    This is useful.

  5. Well explained… Nice article…

  6. Thank you for sharing such a valuable article. I'm thrilled with the quality of your knowledge.

  7. Very informative.
