Snowflake User Provisioning

By default, users must exist in Snowflake before they can be added to any roles or resources in Opal, and attempting to grant access to a non-existent user results in a propagation error.

Opal supports the provisioning of users into Snowflake automatically via SCIM, which requires additional setup. After following the steps below, users that are not found in Snowflake when granting access will be automatically provisioned to Snowflake beforehand.

Note that users are only provisioned into Snowflake, not anywhere else. If your Snowflake instance is set up to require SSO for logins, users must also request access to the SSO app to log in.

1. Create a SCIM integration in Snowflake

Follow the Snowflake documentation for creating custom SCIM integrations.

USE ROLE ACCOUNTADMIN;
CREATE OR REPLACE SECURITY INTEGRATION OPAL_SCIM_PROVISIONING
    type=scim
    scim_client='generic'
    run_as_role='OPALSERVICE';

-- Allow Opal to create users.
GRANT CREATE USER ON ACCOUNT TO ROLE OPALSERVICE;

-- Allow Opal to create API tokens through the SCIM integration.
-- Object and role names are identifiers, so they are not quoted.
GRANT OWNERSHIP ON INTEGRATION OPAL_SCIM_PROVISIONING TO ROLE OPALSERVICE REVOKE CURRENT GRANTS;
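To confirm that the integration and grants from the previous step landed as intended, and to be able to audit what the SCIM client does afterwards, the following queries can be run as ACCOUNTADMIN. This is an added verification example, not part of the original page or Opal's own setup; it assumes the integration and role names used above (OPAL_SCIM_PROVISIONING and OPALSERVICE) and relies on Snowflake's SHOW GRANTS commands and the REST_EVENT_HISTORY information-schema table function.

```sql
USE ROLE ACCOUNTADMIN;

-- 1. The integration exists, is of type SCIM, and is enabled.
SHOW INTEGRATIONS LIKE 'OPAL_SCIM_PROVISIONING';
DESCRIBE SECURITY INTEGRATION OPAL_SCIM_PROVISIONING;

-- 2. OPALSERVICE owns the integration (needed to mint the SCIM access token)
--    and nobody else holds a grant on it after REVOKE CURRENT GRANTS.
SHOW GRANTS ON INTEGRATION OPAL_SCIM_PROVISIONING;

-- 3. Review everything granted to OPALSERVICE. The only account-level
--    privilege this page adds is CREATE USER; anything beyond what the
--    Opal connection itself requires is over-provisioning worth removing.
SHOW GRANTS TO ROLE OPALSERVICE;

-- 4. Audit SCIM traffic against this account for the last 24 hours:
--    which endpoint was called, whether it succeeded, and which user
--    resource was touched. Useful for spotting failed or unexpected
--    provisioning calls once Opal starts pushing users.
SELECT event_timestamp,
       method,
       endpoint,
       status,
       error_code,
       actor_name,
       resource_name
FROM TABLE(snowflake.information_schema.rest_event_history(
        rest_service_type => 'scim',
        time_range_start  => DATEADD('hour', -24, CURRENT_TIMESTAMP()),
        time_range_end    => CURRENT_TIMESTAMP(),
        result_limit      => 200))
ORDER BY event_timestamp DESC;
```

Run the first three checks right after the grants; run the fourth after enabling provisioning in Opal and granting access to a user who does not yet exist in Snowflake, which should show a successful POST to the SCIM Users endpoint from OPALSERVICE. Users created this way are owned by the role named in run_as_role, so they will also show up under that role's ownership in SHOW GRANTS output.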

2. Enable provisioning in Opal

Edit the Snowflake app in Opal, and toggle on Push Snowflake user to connection.