Separate privileges and users and roles

.github/workflows/ci.yaml

@@ -40,6 +40,14 @@ jobs:
           curl -O https://sfc-repo.snowflakecomputing.com/snowsql/bootstrap/1.2/linux_x86_64/snowsql-1.2.9-linux_x86_64.bash
           SNOWSQL_DEST=~/bin SNOWSQL_LOGIN_SHELL=~/.profile bash snowsql-1.2.9-linux_x86_64.bash
 
+      - name: Create users
+        run: |
+          ~/bin/snowsql -f users_and_roles/users.sql
+
+      - name: Create roles
+        run: |
+          ~/bin/snowsql -f users_and_roles/roles.sql
+
       - name: Create warehouses
         run: |
           ~/bin/snowsql -f admin/warehouses.sql
@@ -48,10 +56,6 @@ jobs:
         run: |
           ~/bin/snowsql -f admin/databases.sql
 
-      - name: Create users
-        run: |
-          ~/bin/snowsql -f admin/users.sql
-
       - name: Create integration
         run: |
           ~/bin/snowsql -f admin/integrations.sql --variable saml2_issuer=$saml2_issuer --variable saml2_sso_url=$saml2_sso_url --variable saml2_x509_cert=$saml2_x509_cert
@@ -60,6 +64,6 @@ jobs:
       #   run: |
       #     ~/bin/snowsql -f admin/policies.sql
 
-      - name: Roles and granting policies
+      - name: Grant privileges
         run: |
-          ~/bin/snowsql -f admin/roles.sql
+          ~/bin/snowsql -f privileges/grants.sql

admin/roles.sql → privileges/grants.sql

@@ -1,17 +1,16 @@
 USE WAREHOUSE COMPUTE_ORG;
 USE ROLE SECURITYADMIN;
+-- ACCOUNTADMIN privileges
+GRANT ROLE ACCOUNTADMIN
+TO USER "[email protected]";
 
-// Grant system roles to users
+-- SYSADMIN privileges
 GRANT ROLE SYSADMIN
 TO USER "[email protected]";
-
 GRANT ROLE SYSADMIN
 TO USER "[email protected]";
 
-// GENIE
-USE ROLE USERADMIN;
-CREATE ROLE IF NOT EXISTS GENIE_ADMIN;
-USE ROLE SECURITYADMIN;
+-- GENIE privileges
 GRANT ROLE GENIE_ADMIN
 TO ROLE USERADMIN;
 GRANT ROLE GENIE_ADMIN
@@ -21,12 +20,7 @@ TO USER "[email protected]";
 GRANT ROLE GENIE_ADMIN
 TO USER "[email protected]";
 
-// RECOVER
-USE ROLE USERADMIN;
-CREATE ROLE IF NOT EXISTS RECOVER_DATA_ENGINEER;
-CREATE ROLE IF NOT EXISTS RECOVER_DATA_ANALYTICS;
-
-USE ROLE SECURITYADMIN;
+-- RECOVER privileges
 GRANT ROLE RECOVER_DATA_ENGINEER
 TO ROLE USERADMIN;
 GRANT ROLE RECOVER_DATA_ANALYTICS
@@ -38,29 +32,15 @@ TO USER "[email protected]";
 GRANT ROLE RECOVER_DATA_ENGINEER
 TO USER "[email protected]";
 
-// AD
-USE ROLE USERADMIN;
-CREATE ROLE IF NOT EXISTS AD;
-USE ROLE SECURITYADMIN;
+-- AD privileges
 GRANT ROLE AD
 TO ROLE USERADMIN;
 GRANT ROLE AD
 TO USER "[email protected]";
 
-USE ROLE USERADMIN;
-CREATE ROLE IF NOT EXISTS MASKING_ADMIN;
-GRANT ROLE MASKING_ADMIN
-TO USER "[email protected]";
-USE ROLE ACCOUNTADMIN;
-GRANT APPLY MASKING POLICY ON ACCOUNT
-TO ROLE MASKING_ADMIN;
-
-USE ROLE USERADMIN;
-CREATE ROLE IF NOT EXISTS DATA_ENGINEER;
-USE ROLE SECURITYADMIN;
+-- Data engineer privileges
 GRANT ROLE DATA_ENGINEER
 TO ROLE USERADMIN;
-
 GRANT ROLE DATA_ENGINEER
 TO USER "[email protected]";
 GRANT ROLE DATA_ENGINEER
@@ -71,3 +51,10 @@ GRANT ROLE DATA_ENGINEER
 TO USER "[email protected]";
 GRANT ROLE DATA_ENGINEER
 TO USER "[email protected]";
+
+-- Create governance privileges
+GRANT ROLE MASKING_ADMIN
+TO USER "[email protected]";
+USE ROLE ACCOUNTADMIN;
+GRANT APPLY MASKING POLICY ON ACCOUNT
+TO ROLE MASKING_ADMIN;

users_and_roles/roles.sql

@@ -0,0 +1,16 @@
+USE WAREHOUSE COMPUTE_ORG;
+USE ROLE USERADMIN;
+
+-- system wide roles
+CREATE ROLE IF NOT EXISTS MASKING_ADMIN;
+CREATE ROLE IF NOT EXISTS DATA_ENGINEER;
+
+-- GENIE roles
+CREATE ROLE IF NOT EXISTS GENIE_ADMIN;
+
+-- RECOVER roles
+CREATE ROLE IF NOT EXISTS RECOVER_DATA_ENGINEER;
+CREATE ROLE IF NOT EXISTS RECOVER_DATA_ANALYTICS;
+
+-- AD
+CREATE ROLE IF NOT EXISTS AD;