SOL-C01 · Question #37
A security auditor has identified that several users have been granted the role directly. Your company's security policy mandates that 'ACCOUNTADMIN' should only be used in emergency scenarios and acc
The correct answer is A. Create a new custom role (e.g., 'ADMIN ROLE) and grant it the 'ACCOUNTADMIN' role. Then D. Create a new custom role (e.g., 'ADMIN_ROLE) and grant ` ACCOUNTADMIN' to this role. Then. Options A and D together implement the correct Snowflake security pattern: creating an intermediary custom role (e.g., ADMIN_ROLE) and granting ACCOUNTADMIN to it, then assigning users to this custom role instead of directly to ACCOUNTADMIN. This preserves the role hierarchy Snow
Question
A security auditor has identified that several users have been granted the role directly. Your company's security policy mandates that 'ACCOUNTADMIN' should only be used in emergency scenarios and access should be granted temporarily through a subordinate role. Which of the following steps should you take to remediate this situation while minimizing disruption to existing user workflows? (Choose two)
Options
- ACreate a new custom role (e.g., 'ADMIN ROLE) and grant it the 'ACCOUNTADMIN' role. Then
- BCreate a new custom role (e.g., 'ADMIN ROLE) and grant it all the privileges currently held by the
- CRevoke the 'ACCOUNTADMIN' role from all users and inform them that they should not be using
- DCreate a new custom role (e.g., 'ADMIN_ROLE) and grant ` ACCOUNTADMIN' to this role. Then
- ECreate a new custom role (e.g., 'ADMIN ROLE') and grant it 'OWNERSHIP on the account. Grant
How the community answered
(32 responses)- A72% (23)
- B3% (1)
- C16% (5)
- E9% (3)
Explanation
Options A and D together implement the correct Snowflake security pattern: creating an intermediary custom role (e.g., ADMIN_ROLE) and granting ACCOUNTADMIN to it, then assigning users to this custom role instead of directly to ACCOUNTADMIN. This preserves the role hierarchy Snowflake recommends - users get ACCOUNTADMIN-level access through a subordinate role, enabling temporary grants and revocations without touching ACCOUNTADMIN directly, which minimizes workflow disruption.
Why the distractors are wrong:
- B attempts to replicate
ACCOUNTADMIN's individual privileges onto a new role, which is fragile (misses future privileges, breaks the intended hierarchy, and is operationally complex to maintain). - C simply revokes
ACCOUNTADMINfrom all users with no alternative access path - this violates the "minimize disruption" requirement and leaves users unable to perform their work. - E granting
OWNERSHIP ON ACCOUNTto the custom role is not a valid or recognized Snowflake security pattern; ownership is managed at the object level, not at the account level this way, and it doesn't align with theACCOUNTADMINsubordinate-role requirement.
Memory tip: Think of it as building a "drawbridge" to ACCOUNTADMIN - you never let users walk directly onto the castle (direct role grant); instead they cross a custom bridge (subordinate role) that can be raised or lowered (granted/revoked temporarily) as needed.
Topics
Community Discussion
No community discussion yet for this question.