Skip to content

Commit

Permalink
Add in policies
Browse files Browse the repository at this point in the history
  • Loading branch information
thomasyu888 committed Oct 20, 2024
1 parent 83b3ff7 commit 7c5956a
Showing 1 changed file with 43 additions and 4 deletions.
47 changes: 43 additions & 4 deletions admin/policies.sql
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,12 @@
-- ELSE '*****'
-- END;

USE ROLE SYSADMIN;
-- Add all policies into policy_db in case other database is blown away
CREATE DATABASE IF NOT EXISTS POLICY_DB;
USE DATABASE POLICY_DB;
USE ROLE ACCOUNTADMIN;

CREATE PASSWORD POLICY password_policy
PASSWORD_MIN_LENGTH = 14
PASSWORD_MAX_AGE_DAYS = 0;
Expand All @@ -24,17 +30,50 @@ CREATE SESSION POLICY admin_timeout_policy
SESSION_IDLE_TIMEOUT_MINS = 15,
SESSION_UI_IDLE_TIMEOUT_MINS = 15;

ALTER USER x.schildwachter@sagebase.org
ALTER USER "[email protected]"
SET SESSION POLICY admin_timeout_policy;
ALTER USER khai.do@sagebase.org
ALTER USER "[email protected]"
SET SESSION POLICY admin_timeout_policy;
ALTER USER THOMASYU888
SET SESSION POLICY admin_timeout_policy;
ALTER USER thomas.yu@sagebase.org
ALTER USER "[email protected]"
SET SESSION POLICY admin_timeout_policy;
CREATE TAG ACCOUNT_TYPE;

-- tag service accounts with account type service to not trigger security warning
CREATE TAG ACCOUNT_TYPE;
ALTER USER AD_SERVICE SET TAG ACCOUNT_TYPE = 'service';
ALTER USER DPE_SERVICE SET TAG ACCOUNT_TYPE = 'service';
ALTER USER SNOWFLAKE SET TAG ACCOUNT_TYPE = 'service';
ALTER USER thomasyu888 SET TAG ACCOUNT_TYPE = 'service';

-- Set up authentication policies
-- SHOW PARAMETERS LIKE 'ENABLE_IDENTIFIER_FIRST_LOGIN' IN ACCOUNT;
ALTER ACCOUNT SET ENABLE_IDENTIFIER_FIRST_LOGIN = TRUE;

-- SHOW PASSWORD POLICIES IN ACCOUNT;
-- SHOW SESSION POLICIES IN ACCOUNT;
-- SHOW AUTHENTICATION POLICIES IN ACCOUNT;
-- SHOW MASKING POLICIES IN ACCOUNT;
-- SHOW NETWORK RULES IN ACCOUNT;

-- Not including CLIENT_TYPES will enable all types for each auth policy
CREATE AUTHENTICATION POLICY IF NOT EXISTS service_account_authentication_policy
AUTHENTICATION_METHODS = ('PASSWORD');

CREATE AUTHENTICATION POLICY IF NOT EXISTS admin_authentication_policy
AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
SECURITY_INTEGRATIONS = ('GOOGLE_SSO', 'JUMPCLOUD');

CREATE AUTHENTICATION POLICY IF NOT EXISTS user_authentication_policy
AUTHENTICATION_METHODS = ('SAML')
// CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS')
SECURITY_INTEGRATIONS = ('GOOGLE_SSO');

ALTER ACCOUNT SET AUTHENTICATION POLICY user_authentication_policy;
ALTER USER "[email protected]" SET AUTHENTICATION POLICY admin_authentication_policy;
ALTER USER "[email protected]" SET AUTHENTICATION POLICY admin_authentication_policy;

ALTER USER RECOVER_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy;
ALTER USER DPE_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy;
ALTER USER AD_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy;
ALTER USER THOMASYU888 SET AUTHENTICATION POLICY service_account_authentication_policy;

0 comments on commit 7c5956a

Please sign in to comment.