Manage Direct Data Access Users

To manage users and assign roles for Direct Data Access (DDA), a user must have the USERADMIN role. This role is automatically assigned to the first user in a Snowflake account.

To access and view shared analytics data, the user also needs the SHARE_USER role.

Create a new user

  1. Log into your Snowflake account using an account provided by N-Able.

  2. Navigate to Project > Worksheets and open or create an SQL worksheet.

  3. Switch to the USERADMIN role using the role selector in the bottom-left panel.

  4. Paste and run the SQL commands to create the user, updating any placeholder values (e.g. USERNAME, PASSWORD, LOGIN_NAME, EMAIL).

    CREATE USER IF NOT EXISTS "USERNAME"

    PASSWORD = 'PASSWORD'

    LOGIN_NAME = 'LOGIN_NAME' -- optional

    EMAIL = 'EMAIL'

    MUST_CHANGE_PASSWORD = TRUE

    TYPE = PERSON;

    Key Properties:

    • PASSWORD: Must be enclosed in single or double quotes. If omitted, the user cannot log in until a password is set.

    • LOGIN_NAME: (optional) Must be unique across the account and is case-sensitive.

    • EMAIL: Email address for the user.

    • MUST_CHANGE_PASSWORD: If TRUE, the user must change their password on first login.

    • TYPE: Defines the user type:

      • PERSON: Human user.

      • SERVICE: Non-human service or application.

      • LEGACY_SERVICE: Non-interactive integration with support for password/SAML.

      • NULL: Default; behaves like PERSON.

Once complete, share the credentials with the user, including their temporary password and the URL to access their account - ensuring they connect using an IP address from the allow list.

Assigning roles for user management and data access

If a newly created user requires user management privileges, you can grant the USERADMIN role using:

GRANT ROLE USERADMIN TO USER <username>;

However, if the user only needs access to shared analytics data, assign the SHARE_USER role:

GRANT ROLE SHARE_USER TO USER <username>;

Temporarily locking or disabling a user

As circumstances change, it may be necessary to temporarily restrict a user's access to Direct Data Access. Disabling or locking a user immediately aborts any active queries, prevents new ones from being initiated, and blocks future logins. This is the recommended approach for temporarily suspending a user without deleting their account, as it preserves existing role grants and user metadata.

ALTER USER "USERNAME" SET DISABLED = TRUE;

Permanently deleting or dropping a User

When you're certain the account is no longer needed, you may choose to permanently delete a user. This action is irreversible and may result in loss of access to associated worksheets, dashboards, and other user-owned assets.

Before proceeding, review the last login entry in the Users view to help determine whether the account is still in use.

DROP USER IF EXISTS "USERNAME";