Day 3: Security, Sharing & New Features — Quick Recall Guide
🧠 MASTER MEMORY MAP — Day 3
🧠 SECURITY = "RARM" (Role, Access, Row, Mask)
R: RBAC (Role-Based Access Control — roles, not users)
A: ACCOUNTADMIN hierarchy (5 system roles)
R: Row Access Policies (filter rows per role)
M: Masking Policies (hide column values per role)
5 SYSTEM ROLES = "ASUSP" (think: A Snowflake User Should Pick roles)
A: ACCOUNTADMIN (most powerful, use RARELY)
S: SECURITYADMIN (manage roles + grants)
U: USERADMIN (create users + roles only)
S: SYSADMIN (create DB/schema/table/warehouse)
P: PUBLIC (everyone, minimum access)
COST CONTROL = "WSCRA"
W: Warehouses (right-size + auto-suspend)
S: Storage (transient tables, reduce time travel)
C: Credit monitoring (resource monitors)
R: Resource Monitors (hard spend limits)
A: Architecture (serverless where possible)
NEW 2025-2026 = "GCIHP"
G: Gen 2 Warehouses (2.1x faster, same price)
C: Cortex AI (LLMs in SQL, Cortex Search GA March 2026)
I: Iceberg + Polaris (open format, cross-engine)
H: Hybrid Tables (OLTP + OLAP = Unistore)
P: Postgres (managed Postgres inside Snowflake, GA Feb 2026)
SECTION 1: RBAC
🧠 Memory Map: Role Hierarchy
📐 Architecture Diagram
           ACCOUNTADMIN   ← Top of pyramid, reserved for 2-3 people
                 │
          ┌──────┴──────┐
    SECURITYADMIN    SYSADMIN   ← Most important admin roles
          │             │
      USERADMIN     Custom Role Hierarchy:
                    SYSADMIN
                    └── team_role (e.g., data_engineering)
                        └── functional_role (e.g., bookings_reader)
                            └── privileges on objects
RULE: Custom roles float UP to SYSADMIN
So SYSADMIN (and ACCOUNTADMIN above it) always has overs