DEA-C02 · Question #121
A Data Engineer has created two custom roles, MARKETING_ROLE and FINANCE_ROLE, to be granted to the users of an application. According to best practices, what action should be taken next?
The correct answer is D. Assign the custom roles to the SYSADMIN role.. Assigning custom roles to SYSADMIN (option D) follows Snowflake's role hierarchy best practice: all custom roles should be assigned to SYSADMIN so that SYSADMIN can manage any object owned by those roles, preventing orphaned objects and maintaining a clean privilege hierarchy. Wh
Question
A Data Engineer has created two custom roles, MARKETING_ROLE and FINANCE_ROLE, to be granted to the users of an application. According to best practices, what action should be taken next?
Options
- AUse the USERADMIN role to give all the required grants to the users.
- BUse the SECURITYADMIN role to configure the required parameters for the users at the account
- CUse the ACCOUNTADMIN role to create the new users that will be granted the new roles.
- DAssign the custom roles to the SYSADMIN role.
How the community answered
(41 responses)- A5% (2)
- B2% (1)
- C2% (1)
- D90% (37)
Explanation
Assigning custom roles to SYSADMIN (option D) follows Snowflake's role hierarchy best practice: all custom roles should be assigned to SYSADMIN so that SYSADMIN can manage any object owned by those roles, preventing orphaned objects and maintaining a clean privilege hierarchy.
Why the distractors are wrong:
- A (USERADMIN): USERADMIN is responsible for creating and managing users and assigning roles to users - not for granting object-level privileges. It's the wrong tool for this step.
- B (SECURITYADMIN): SECURITYADMIN manages role creation and role grants broadly, but configuring "account-level parameters for users" is not the relevant next step after creating custom roles.
- C (ACCOUNTADMIN): While ACCOUNTADMIN has the highest privileges, using it to create users violates the principle of least privilege. User creation belongs to USERADMIN.
Memory tip: Think of SYSADMIN as the "top of the object pyramid." Any custom role that owns database objects must roll up to SYSADMIN, or those objects become invisible/unmanageable to SYSADMIN. The phrase "custom roles → SYSADMIN" is a core Snowflake governance rule worth memorizing verbatim.
Topics
Community Discussion
No community discussion yet for this question.