How to grant permissions to an external role created by Okta

[jimmyzzxhlh]

I'm integrating Okta with Snowflake, and one of the functionalities that Okta provides is to push groups to Snowflake.
https://docs.snowflake.com/en/user-guide/scim-okta#features

Basically, say if I define a snowflake_data_user group in Okta, after pushing the group to Snowflake, I get a role with the same name in Snowflake as well.

How can I assign permission to this role? It seems that SnowDDL will automatically add suffixes such as __B_ROLE, so I'm not able to configure the permission for a known role created externally.

[jimmyzzxhlh]

Oh I think the global roles is something that I can try out.
https://docs.snowddl.com/basic/yaml-configs/business-role#schema

Nvm -- This looks like it is granting an external role to the business role, not the other way around.

[littleK0i]

In my view, this integration method is generally useless.

1. You most likely cannot customize CREATE USER statements.
2. You still have to grant individual permissions to roles created by Okta.
3. Okta wants to "own" users and roles it created.

---

You may consider using programmatic config instead.

1. Define business roles first.
2. Create a basic mapping of roles in Okta to business roles in SnowDDL config.
3. In Python code connect to Okta, download list of users with Okta roles, apply mapping to business roles and generate UserBlueprints dynamically.

With this approach you will have full control over creation of users / roles / grants, while keeping Okta a single point of truth and ultimate source of data about users.

If running full SnowDDL every time is too "heavy", you may using CLI option --include-object-types to update only roles and users.

Alternatively, you may check specific commands generated by SnowDDL when creating a new user and replicate just these commands. It is very simple in general:

1. Create user
2. Create user role
3. Assign user role to user
4. Assign business roles to user role

That's it.

[jimmyzzxhlh]

@littleK0i Thank you for the suggestion! I'm thinking about from onboarding/offboarding perspective what would be the best way to manage users overall. We just started using Okta/Snowflake so there is no legacy group/user/role.

If we are not using SCIM integration between Okta and Snowflake, and just using SnowDDL to define users/roles explicitly in configurations, and add/remove users whenever they onboard/offboard, would you say this is a better and more manageable approach than the programmatic config solution above?

[littleK0i]

It depends on number of users and frequency of change.

If you have 2-3 users to onboard per month, not a big deal. If you have a large org with 500+ people and changes on a daily basis, I would go with full automation.

[jimmyzzxhlh]

Got it, that makes sense. I'm keeping the SCIM integration and manually assign business roles to the Okta created roles from push groups for now, and at some point we can implement the integration to automate the process as you mentioned. Thanks again!