Domain 2 covers how Snowflake controls who can access what, how identities are verified, how sensitive data is protected, and how compute costs are governed. At 20% of the exam, this domain rewards candidates who understand both security concepts and their practical SQL implementation.
What This Domain Covers
- Access Control: RBAC and DAC models, privilege grants, system-defined roles and their hierarchy
- Authentication: Username/password, MFA, SSO/SAML, OAuth, key-pair authentication, Tri-Secret Secure
- Network Security: Network policies, IP allowlists/blocklists, private connectivity options
- Data Governance: Dynamic Data Masking, Row Access Policies, Object Tagging, Data Classification, Data Lineage
- Cost Management: Credits, Resource Monitors, ACCOUNT_USAGE vs INFORMATION_SCHEMA, Query Profile
New & Emphasised in COF-C03
- Secondary Roles — `USE SECONDARY ROLES ALL` allows combining multiple active roles in a session
- Data Governance features — Row Access Policies, Object Tagging, and Data Classification receive heavier weighting
- Column-level security — both masking and projection policies enforced at query time
- EXTRACT_SEMANTIC_CATEGORIES() — automatic PII detection and classification suggestions
| Level | Privilege Needed | Example Grant |
|---|---|---|
| Database | USAGE | GRANT USAGE ON DATABASE mydb TO ROLE analyst; |
| Schema | USAGE | GRANT USAGE ON SCHEMA mydb.public TO ROLE analyst; |
| Table | SELECT | GRANT SELECT ON TABLE mydb.public.sales TO ROLE analyst; |
| Warehouse | USAGE + OPERATE | GRANT USAGE ON WAREHOUSE wh1 TO ROLE analyst; |
To query a table, a user's active role must hold all four layers of privilege simultaneously. Missing any one layer results in an access error.
```text
ACCOUNTADMIN
├── SYSADMIN          ← creates/manages warehouses, databases, objects
└── SECURITYADMIN
    └── USERADMIN     ← creates/manages users and roles only
PUBLIC                ← auto-granted to everyone
```
Custom roles should sit under SYSADMIN in the hierarchy so object ownership is auditable and manageable.
Role-Based Access Control (RBAC)
- Privileges are granted to roles, and roles are granted to users
- All access in Snowflake flows through roles — users cannot hold object privileges directly
- Key verbs: `GRANT`, `REVOKE`
- Key privileges: SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, USAGE, OPERATE, MONITOR, CREATE
- Grant flow: `GRANT <privilege> ON <object> TO ROLE <role>` → `GRANT ROLE <role> TO USER <user>`
- `WITH GRANT OPTION` allows a grantee to further grant the privilege to other roles
Discretionary Access Control (DAC)
- Every Snowflake object has an owner (a role, not a user)
- The owner has all privileges on the object and can grant access to other roles
- Ownership can be transferred: `GRANT OWNERSHIP ON TABLE t1 TO ROLE new_owner;`
- RBAC and DAC work together — DAC defines who owns what; RBAC defines how privileges flow
| Role | Responsibilities | Contains |
|---|---|---|
| ACCOUNTADMIN | Account-level settings, billing, resource monitors. Use sparingly — never for day-to-day tasks. | SYSADMIN + SECURITYADMIN |
| SYSADMIN | Creates and manages databases, warehouses, schemas, and other objects. Best practice: all object ownership here. | — |
| SECURITYADMIN | Manages security objects — creates/manages roles and users, grants privileges across account. | USERADMIN |
| USERADMIN | Creates and manages users and roles only — cannot grant object privileges. | — |
| PUBLIC | Automatically granted to every user. Lowest privilege level. Can hold public-facing objects. | — |
Secondary Roles (COF-C03 New Emphasis)
- By default, only one primary role is active per session
- `USE SECONDARY ROLES ALL` — activates all roles granted to the user for the session
- Allows combining privileges from multiple roles without switching roles
- Useful for analysts who need read access from multiple domains simultaneously
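The following script is an added example, not code from the page or from Snowflake's documentation, that walks the whole access-control model above in one pass: creating a custom role under SYSADMIN, granting every privilege layer a query needs, delegating with `WITH GRANT OPTION`, transferring ownership (DAC), and checking what a session can do before and after `USE SECONDARY ROLES ALL`. All object, role and user names (`mydb`, `wh1`, `analyst`, `analyst_lead`, `jsmith`) are assumptions.

```sql
-- Added example (not from the page). Names are hypothetical.
-- Steps 1-6 run as SECURITYADMIN (MANAGE GRANTS); ACCOUNTADMIN is not needed.
USE ROLE SECURITYADMIN;

-- 1. Custom roles are parented under SYSADMIN so SYSADMIN can see and
--    manage everything they will own.
CREATE ROLE IF NOT EXISTS analyst;
CREATE ROLE IF NOT EXISTS analyst_lead;
GRANT ROLE analyst      TO ROLE SYSADMIN;
GRANT ROLE analyst_lead TO ROLE SYSADMIN;

-- 2. Every layer between the table and the user, plus the warehouse.
--    Leave any one of these out and the SELECT fails with an access error.
GRANT USAGE  ON DATABASE  mydb              TO ROLE analyst;
GRANT USAGE  ON SCHEMA    mydb.public       TO ROLE analyst;
GRANT SELECT ON TABLE     mydb.public.sales TO ROLE analyst;
GRANT USAGE  ON WAREHOUSE wh1               TO ROLE analyst;

-- 3. The lead role may pass SELECT on to other roles itself.
GRANT SELECT ON TABLE mydb.public.sales TO ROLE analyst_lead WITH GRANT OPTION;

-- 4. Privileges reach a person only through roles, never directly.
GRANT ROLE analyst      TO USER jsmith;
GRANT ROLE analyst_lead TO USER jsmith;

-- 5. DAC: ownership is itself a grant, and only ever to a role. If the table
--    was created ad hoc by some other role, consolidate it under SYSADMIN
--    while keeping the grants made in step 2.
GRANT OWNERSHIP ON TABLE mydb.public.sales TO ROLE SYSADMIN COPY CURRENT GRANTS;

-- 6. Verify: what the role holds, who holds the role, and who can touch the table.
SHOW GRANTS TO ROLE analyst;
SHOW GRANTS OF ROLE analyst;
SHOW GRANTS ON TABLE mydb.public.sales;

-- 7. In jsmith's own session: one primary role by default ...
USE ROLE analyst;
SELECT CURRENT_ROLE(), CURRENT_SECONDARY_ROLES();   -- secondary roles: none
-- ... then every role granted to the user is active at once, so the
-- analyst_lead privileges apply without switching roles.
USE SECONDARY ROLES ALL;
SELECT CURRENT_ROLE(), CURRENT_SECONDARY_ROLES();   -- secondary roles: all
USE SECONDARY ROLES NONE;                           -- back to primary-only
```

`SHOW GRANTS OF ROLE` (who holds it) versus `SHOW GRANTS TO ROLE` (what it holds) is the pair to remember when auditing; the ownership transfer in step 5 fails unless the executing role owns the table or has MANAGE GRANTS, which is why it runs as SECURITYADMIN rather than SYSADMIN.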
| Method | Use Case | Notes |
|---|---|---|
| Username + Password | Basic interactive access | Least secure for production; MFA recommended on top |
| MFA (TOTP) | All users, required for ACCOUNTADMIN | Google Authenticator compatible; TOTP-based |
| SSO / SAML 2.0 | Enterprise IdP integration | Okta, Azure AD, ADFS; users log in via external IdP |
| OAuth | Tool/client integration | Snowflake OAuth (clients) and External OAuth (IdP tokens) |
| Key-Pair Auth | Service accounts, programmatic, SnowSQL | RSA public/private key; no password; most secure for automation |
| Tri-Secret Secure | Business Critical tier only | Customer-managed key + Snowflake key both required to decrypt |
IP-Based Access Restrictions
- Restrict access by IP address using allowlists and blocklists
- Properties: `ALLOWED_IP_LIST` and `BLOCKED_IP_LIST`
- Can be applied at account level or user level
- User-level policy overrides account-level policy for that user
- Account level: `ALTER ACCOUNT SET NETWORK_POLICY = my_policy;`
- User level: `ALTER USER jsmith SET NETWORK_POLICY = jsmith_policy;`
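The script below is an added example, not from the page, that combines the two preceding topics (key-pair authentication from the table above and network policies) into the setup a practitioner actually does for a pipeline identity: a service user with a registered RSA public key and no password, key rotation through the second key slot, and a user-level network policy that narrows the account-wide one. The user `svc_etl`, role `etl_role`, warehouse `wh_etl`, policy names, the key placeholders and the IP ranges (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are all assumptions. The key pair itself is generated outside Snowflake (for example with `openssl genrsa` / `openssl rsa -pubout`); only the public key body is pasted in.

```sql
-- Added example (not from the page). All names, keys and IP ranges are hypothetical.
USE ROLE SECURITYADMIN;

-- 1. A service identity that never logs in interactively.
CREATE ROLE IF NOT EXISTS etl_role;
CREATE USER IF NOT EXISTS svc_etl
  DEFAULT_ROLE         = etl_role
  DEFAULT_WAREHOUSE    = wh_etl
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT              = 'Pipeline identity; key-pair authentication only';
GRANT ROLE etl_role TO USER svc_etl;

-- 2. Register the RSA public key (PEM body without the BEGIN/END lines).
--    The private key stays in the pipeline's secret store; Snowflake never sees it.
ALTER USER svc_etl SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A<placeholder-public-key>';
-- No password at all, so there is nothing to guess or to leak.
ALTER USER svc_etl UNSET PASSWORD;

-- 3. Verify what was registered by fingerprint and compare it with the
--    fingerprint computed on the pipeline side.
DESC USER svc_etl;
SELECT "property", "value"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "property" LIKE 'RSA_PUBLIC_KEY%FP';

-- 4. Rotation without downtime: load the new key into the second slot,
--    repoint the pipeline, then drop the old key.
ALTER USER svc_etl SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A<placeholder-new-key>';
ALTER USER svc_etl UNSET RSA_PUBLIC_KEY;

-- 5. Network policies: the account-wide policy admits office egress;
--    the user-level policy replaces it for svc_etl with the CI runner range,
--    minus one decommissioned runner inside that range.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress
  ALLOWED_IP_LIST = ('198.51.100.0/24')
  COMMENT = 'Office and VPN egress (hypothetical range)';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress;

CREATE NETWORK POLICY IF NOT EXISTS ci_runners
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  BLOCKED_IP_LIST = ('203.0.113.250')
  COMMENT = 'CI/CD runners only (hypothetical range)';
ALTER USER svc_etl SET NETWORK_POLICY = ci_runners;

-- 6. Which policy is in force? The user-level setting wins when present.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER svc_etl;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESC NETWORK POLICY ci_runners;
```

Two things to check before running step 5 for real: Snowflake refuses to set an account-level policy whose allow list does not include the IP you are connecting from, and a blocked address inside an allowed range is denied, so BLOCKED_IP_LIST is the right place for an exception rather than rewriting the CIDR.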
Private Connectivity (Business Critical+)
- AWS: AWS PrivateLink
- Azure: Azure Private Link
- GCP: Google Cloud Private Service Connect
- Traffic never traverses the public internet — stays on cloud provider backbone
Dynamic Data Masking
- Masking policies applied to columns — hides or transforms data based on querying role
- Different roles see different values (e.g., ANALYST sees `****`, ADMIN sees actual value)
- Enforced at query time, not at storage level
- Masked data does not appear in query results or query history for unauthorized users
- Create: `CREATE MASKING POLICY email_mask AS (val STRING) RETURNS STRING -> CASE WHEN CURRENT_ROLE() IN ('ADMIN') THEN val ELSE '****' END;`
- Apply: `ALTER TABLE customers ALTER COLUMN email SET MASKING POLICY email_mask;`
Row Access Policies
- Filter rows returned based on querying role or session context
- Applied to a table or view; invisible to the querying user
- Example: sales reps only see their own region's data
- Create: `CREATE ROW ACCESS POLICY sales_rap AS (region VARCHAR) RETURNS BOOLEAN -> CURRENT_ROLE() = 'ADMIN' OR region = CURRENT_USER();`
- Apply: `ALTER TABLE sales ADD ROW ACCESS POLICY sales_rap ON (region);`
- Key distinction: Masking = WHAT you see in a column. Row Access = WHICH rows you see.
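The script below is an added example, not from the page, showing the two column-level and row-level controls above on one table. It goes slightly beyond the page's two-way policy: the masking policy has three outcomes (full value, domain-only, fully masked), and the row access policy reads a mapping table so that adding a region is an INSERT rather than a policy change. The `gov.policies` schema, the `mydb.public.customers` table with `email` and `region` columns, the mapping rows and the roles (`ADMIN`, `DATA_STEWARD`, `SUPPORT`, `SALES_EMEA`, `SALES_AMER`) are assumptions.

```sql
-- Added example (not from the page). Schema, table, roles and sample rows are hypothetical.
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS gov;
CREATE SCHEMA   IF NOT EXISTS gov.policies;

-- 1. Masking policy with three outcomes, evaluated at query time for the
--    querying role (the stored value is never changed).
CREATE OR REPLACE MASKING POLICY gov.policies.email_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('ADMIN', 'DATA_STEWARD') THEN val
    WHEN CURRENT_ROLE() IN ('SUPPORT')
         THEN REGEXP_REPLACE(val, '^[^@]+', '*****')   -- keep only the domain part
    ELSE '****'
  END;

-- 2. Row access policy driven by a role-to-region mapping table.
CREATE TABLE IF NOT EXISTS gov.policies.region_map (role_name STRING, region STRING);
INSERT INTO gov.policies.region_map VALUES   -- constructed sample mapping
  ('SALES_EMEA', 'EMEA'),
  ('SALES_AMER', 'AMER'),
  ('SALES_AMER', 'LATAM');

-- The argument is named cust_region so it cannot be confused with the
-- region column of the mapping table inside the subquery.
CREATE OR REPLACE ROW ACCESS POLICY gov.policies.region_rap AS (cust_region STRING) RETURNS BOOLEAN ->
  CURRENT_ROLE() IN ('ADMIN', 'DATA_STEWARD')
  OR EXISTS (
    SELECT 1
    FROM   gov.policies.region_map m
    WHERE  m.role_name = CURRENT_ROLE()
    AND    m.region    = cust_region
  );

-- 3. Attach both to the table. Note the constraint: a column that carries a
--    masking policy cannot also be an argument of the row access policy.
ALTER TABLE mydb.public.customers ALTER COLUMN email SET MASKING POLICY gov.policies.email_mask;
ALTER TABLE mydb.public.customers ADD ROW ACCESS POLICY gov.policies.region_rap ON (region);

-- 4. Audit what is enforced on the table: one row per attached policy.
SELECT policy_kind, policy_name, ref_column_name, ref_arg_column_names, policy_status
FROM   TABLE(mydb.INFORMATION_SCHEMA.POLICY_REFERENCES(
             REF_ENTITY_NAME   => 'mydb.public.customers',
             REF_ENTITY_DOMAIN => 'TABLE'));

-- 5. The same query returns different rows and different column values per role.
USE ROLE SUPPORT;     SELECT region, email FROM mydb.public.customers LIMIT 5;  -- no rows: not in region_map
USE ROLE SALES_EMEA;  SELECT region, email FROM mydb.public.customers LIMIT 5;  -- EMEA rows, email ****
USE ROLE ADMIN;       SELECT region, email FROM mydb.public.customers LIMIT 5;  -- all rows, real email
```

The role that runs step 3 must own the table or hold the account-level `APPLY MASKING POLICY` and `APPLY ROW ACCESS POLICY` privileges; keeping the policies in a separate governance schema, as here, lets a steward role own them without owning the data. Note that the SUPPORT role sees no rows at all in step 5, because row filtering is applied before masking and SUPPORT has no region mapping; that is the expected interaction, not a bug.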
Object Tagging & Data Classification
- Object Tagging: assign key-value metadata tags to objects and columns
- Create and apply: `CREATE TAG sensitivity_level;` then `ALTER TABLE customers ALTER COLUMN ssn SET TAG sensitivity_level = 'PII';`
- Enables governance workflows, cost attribution, and data classification
- Data Classification: Snowflake scans columns and suggests tags (e.g., PII: email, SSN, phone)
- `EXTRACT_SEMANTIC_CATEGORIES()` — returns classification suggestions for a table's columns
Data Lineage & Access History
- Track how data flows through Snowflake via Access History and Object Dependencies
- `SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY` — records all data access events
- Shows which objects were read/written, by whom, and when
- Supports compliance auditing and data lineage analysis
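The following query set is an added example, not from the page, that ties the two preceding topics together: tags and classification mark which columns are PII, and ACCESS_HISTORY then answers the audit question "who read a PII column, and through which query?". The tag `gov.policies.sensitivity_level`, the `mydb.public.customers` table with `ssn` and `email` columns, and the one-day window are assumptions.

```sql
-- Added example (not from the page). Tag, table and column names are hypothetical.
USE ROLE SYSADMIN;

-- 1. A tag with a fixed vocabulary, so values cannot drift ('pii' vs 'PII').
CREATE TAG IF NOT EXISTS gov.policies.sensitivity_level
  ALLOWED_VALUES 'PUBLIC', 'INTERNAL', 'PII';
ALTER TABLE mydb.public.customers ALTER COLUMN ssn   SET TAG gov.policies.sensitivity_level = 'PII';
ALTER TABLE mydb.public.customers ALTER COLUMN email SET TAG gov.policies.sensitivity_level = 'PII';

-- 2. Let Data Classification propose categories for the remaining columns,
--    then apply the suggested system tags (SEMANTIC_CATEGORY / PRIVACY_CATEGORY).
SELECT EXTRACT_SEMANTIC_CATEGORIES('mydb.public.customers');
CALL ASSOCIATE_SEMANTIC_CATEGORY_TAGS('mydb.public.customers',
                                      EXTRACT_SEMANTIC_CATEGORIES('mydb.public.customers'));

-- 3. Which columns are tagged right now? (INFORMATION_SCHEMA: real time, one database)
SELECT column_name, tag_name, tag_value
FROM   TABLE(mydb.INFORMATION_SCHEMA.TAG_REFERENCES_ALL_COLUMNS('mydb.public.customers', 'table'));

-- 4. Who read PII-tagged columns in the last day? (ACCOUNT_USAGE: lags, but
--    account-wide.) base_objects_accessed is an ARRAY of objects, each with
--    its own ARRAY of columns, hence the two FLATTENs; the join is on the
--    stable object/column ids rather than on names, so renames do not hide reads.
SELECT ah.user_name,
       ah.query_start_time,
       obj.value:objectName::string AS table_name,
       col.value:columnName::string AS column_name,
       ah.query_id
FROM   SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY ah,
       LATERAL FLATTEN(input => ah.base_objects_accessed) obj,
       LATERAL FLATTEN(input => obj.value:columns)        col
JOIN   SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES tr
  ON   tr.object_id = obj.value:objectId::number
 AND   tr.column_id = col.value:columnId::number
WHERE  tr.tag_name  = 'SENSITIVITY_LEVEL'
  AND  tr.tag_value = 'PII'
  AND  ah.query_start_time >= DATEADD('day', -1, CURRENT_TIMESTAMP())
ORDER BY ah.query_start_time DESC;
```

Because ACCESS_HISTORY and TAG_REFERENCES are ACCOUNT_USAGE views, the last few hours of reads may be missing; run step 4 for yesterday rather than for the last ten minutes, and pass the `query_id` to QUERY_HISTORY when you need the exact statement text.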
Credits & Resource Monitors
- Credits: Snowflake's unit of compute. Virtual warehouses consume credits per hour by size (X-Small = 1 credit/hr, double per size tier)
- Resource Monitors: set credit quota limits on accounts or individual warehouses
- Create: `CREATE RESOURCE MONITOR rm1 WITH CREDIT_QUOTA = 1000;`
- Actions triggered at threshold percentages:
  - NOTIFY — send email alert to account admins
  - SUSPEND — warehouse completes running queries, then suspends
  - SUSPEND_IMMEDIATE — warehouse stops all queries immediately and suspends
- Only ACCOUNTADMIN can create and manage resource monitors
ACCOUNT_USAGE vs INFORMATION_SCHEMA
- ACCOUNT_USAGE (`SNOWFLAKE.ACCOUNT_USAGE`):
  - ~45-minute data latency
  - Up to 1-year historical data
  - Account-wide; covers all databases
  - Key views: WAREHOUSE_METERING_HISTORY, QUERY_HISTORY, STORAGE_USAGE, METERING_HISTORY
- INFORMATION_SCHEMA (`{DB}.INFORMATION_SCHEMA`):
  - Real-time metadata (near-zero latency)
  - 7-day historical data for usage functions
  - Scoped to a single database
  - Standard SQL-compliant; great for current object metadata
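The script below is an added example, not from the page, covering the two preceding sections together: a resource monitor with all three trigger actions scoped to one warehouse, followed by the same credit-consumption question asked of INFORMATION_SCHEMA (real time, 7-day window) and of ACCOUNT_USAGE (delayed, one year). The monitor `rm_etl`, warehouse `wh_etl`, the 500-credit quota and the threshold percentages are assumptions.

```sql
-- Added example (not from the page). Monitor, warehouse and thresholds are hypothetical.

-- 1. Only ACCOUNTADMIN can create a resource monitor.
USE ROLE ACCOUNTADMIN;
CREATE OR REPLACE RESOURCE MONITOR rm_etl
  WITH CREDIT_QUOTA    = 500
       FREQUENCY       = MONTHLY
       START_TIMESTAMP = IMMEDIATELY
  TRIGGERS ON  75 PERCENT DO NOTIFY              -- heads-up to account admins
           ON 100 PERCENT DO SUSPEND             -- let running queries finish, then stop
           ON 120 PERCENT DO SUSPEND_IMMEDIATE;  -- hard stop for a runaway query

-- 2. Scope the monitor to one warehouse. (An account-wide budget would be
--    ALTER ACCOUNT SET RESOURCE_MONITOR = rm_etl instead.)
ALTER WAREHOUSE wh_etl SET RESOURCE_MONITOR = rm_etl;
SHOW RESOURCE MONITORS;   -- credit_quota, used_credits, remaining_credits, trigger levels

-- 3. Credits per day over the last 7 days: INFORMATION_SCHEMA table function.
--    Real time, but the window cannot exceed 7 days.
SELECT start_time::date AS day, SUM(credits_used) AS credits
FROM   TABLE(mydb.INFORMATION_SCHEMA.WAREHOUSE_METERING_HISTORY(
             DATE_RANGE_START => DATEADD('day', -7, CURRENT_DATE()),
             WAREHOUSE_NAME   => 'WH_ETL'))
GROUP BY 1
ORDER BY 1;

-- 4. Credits per month over the last 12 months, every warehouse: ACCOUNT_USAGE view.
--    About 45 minutes behind, one year of history, whole account.
SELECT DATE_TRUNC('month', start_time) AS month,
       warehouse_name,
       SUM(credits_used) AS credits
FROM   SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY
WHERE  start_time >= DATEADD('month', -12, CURRENT_DATE())
GROUP BY 1, 2
ORDER BY 1, 3 DESC;
```

The 120 percent SUSPEND_IMMEDIATE threshold is deliberate: SUSPEND at 100 percent lets in-flight queries finish, so a single long query can overshoot the quota, and the immediate stop bounds that overshoot. Step 3 is what you reach for during an incident (it reflects the last few minutes); step 4 is what you reach for in a monthly cost review.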
Query Profile & Snowsight
- Query Profile: visual execution plan tool in Snowsight UI
- Shows operator-level stats: rows processed, bytes scanned, execution time per node
- Helps identify performance bottlenecks (e.g., full table scans, data skew, insufficient pruning)
- Storage pricing: $23–$40/TB/month depending on region and cloud provider
These condensed mnemonics compress the most testable facts into memorable anchors. Review them daily.
Role pyramid top-down: ACCOUNTADMIN → SYSADMIN + SECURITYADMIN → USERADMIN → PUBLIC
Masking = WHAT you see in a column. Row Access = WHICH rows you see.
Key-pair auth = service accounts + programmatic access. No password needed.
Resource Monitor = budget alarm for credits. NOTIFY → SUSPEND → SUSPEND_IMMEDIATE.
ACCOUNT_USAGE = 45-min lag, 1-year history. INFORMATION_SCHEMA = real-time, 7-day history.
Secondary roles: USE SECONDARY ROLES ALL = combine all granted roles in one session.
Q1. Which system-defined role contains both SYSADMIN and SECURITYADMIN, and should be used sparingly?
Q2. A security engineer wants to apply a policy to a table column so that analysts see **** instead of actual email addresses, while admins see the real values. What should she create?
Q3. A company needs sales reps to only see rows in the SALES table that belong to their own region. Which Snowflake feature should be used?
Q4. A DevOps pipeline needs to authenticate to Snowflake programmatically without storing a password. Which authentication method is most appropriate?
Q5. An analyst has been granted three roles in Snowflake. She wants all three roles' privileges active simultaneously in her session. What command should she run?
Q6. A network policy is configured at the account level, and a different network policy is configured at the user level for user ALICE. When ALICE logs in, which policy applies?
Q7. A resource monitor is set with CREDIT_QUOTA = 500. Which of the following is NOT a valid action that a resource monitor can trigger?
Q8. A DBA needs 1 year of historical query data for cost analysis across all databases. Which Snowflake source should he query?
Q9. In Snowflake's access control model, which statement best describes Discretionary Access Control (DAC)?
Q10. At which point is column-level security (Dynamic Data Masking and Projection Policies) enforced in Snowflake?
DAC: Each object has an owner (a role). The owner can grant access to other roles. Owners have full control over their objects.
SYSADMIN: Creates databases, warehouses, objects
SECURITYADMIN: Manages roles, users, grants
USERADMIN: Creates users/roles only
PUBLIC: Auto-granted to all users
Masking: Unauthorized users cannot see real values in results or query history.
Resource Monitor actions: 1. NOTIFY — sends email alert · 2. SUSPEND — completes current queries, then suspends warehouse · 3. SUSPEND_IMMEDIATE — kills all queries immediately and suspends
INFORMATION_SCHEMA: Real-time · 7-day history · single database scope · standard SQL compliant
- Official Exam Guide: SnowPro Core COF-C03 exam objectives, domain weights, and sample questions from Snowflake (Snowflake Certification Page)
- Snowflake RBAC Docs: Official documentation on role-based access control, privilege types, and system roles (Access Control Overview)
- Dynamic Data Masking: Official guide to creating and applying masking policies on sensitive columns (Masking Policy Docs)
- Row Access Policies: Official documentation on creating row-level security with Row Access Policies (Row Access Policy Docs)
- Object Tagging & Classification: Guide to tagging objects, running data classification, and using EXTRACT_SEMANTIC_CATEGORIES() (Object Tagging Docs)
- Resource Monitors: Official documentation on setting credit quotas and configuring monitor actions (Resource Monitor Docs)
- Authentication Methods: All supported authentication options including key-pair, OAuth, SSO, and MFA configuration (Auth Methods Docs)
- FlashGenius Practice Tests: Full-length COF-C03 practice exams with detailed explanations covering all 5 domains