Managing access control in modern data platforms is like conducting an orchestra-every user needs the right permissions at the right time, without compromising security or creating operational bottlenecks. For organizations running Snowflake at scale, granular access control isn’t just a security requirement-it’s essential for cost optimization and operational efficiency.
The Seemore Data Platform takes a unique approach to Role-Based Access Control (RBAC) and asset management, built specifically for data teams who need precision, flexibility, and security. Let’s break down how it works.
The Three Pillars of Access Control
Unlike traditional RBAC systems that rely solely on user roles, Seemore Data’s access control architecture is built on three interconnected components:
1. Teams: Organizing Your Users
Teams are logical groupings of users who share common access needs. When you create a team, you define:
- Team members: Which users belong to this team
- Asset Groups: Which accounts they can access
- Domains: Which filtered views of data they’ll work with
This team-centric approach mirrors how data organizations actually operate. Your FinOps team needs different access than your data engineering team, and your executives need a different lens on the data than your analysts.
2. Asset Groups: Physical Access Boundaries
Asset Groups represent physical access to different Snowflake accounts or data assets. This is where security meets reality-users cannot access data outside their assigned Asset Groups, period.
A user can belong to multiple Asset Groups, enabling cross-functional collaboration while maintaining strict data boundaries. For example:
- Your production engineering team might have access to production and staging Snowflake environments
- Your analytics team might only access production (read-only)
- Your infrastructure team might have access across all environments
This prevents the common problem of over-permissioned users who technically have access to everything but should only work with specific accounts.
3. Domains: Intelligent Filtering Layers
Domains are where Seemore Data’s approach gets sophisticated. A Domain is a collection of filters that automatically apply across the platform wherever relevant.
When you build a Domain, you:
- Select from all available Seemore’s filters (warehouse types, compute units, storage patterns, query types, etc.)
- Assign it to specific teams
- Let users switch between Domains as needed
Here’s the key insight: filters are context-aware. If you set a “Compute Units – Warehouse” filter in a Domain, it applies on warehouse analysis pages. But it won’t appear on storage analysis pages where it’s not relevant. The platform knows which filters matter for which views.
This means your teams see only the data they need to see-reducing noise, improving focus, and preventing costly mistakes from working with the wrong accounts or environments.
How These Pillars Work Together
The power of Seemore’s RBAC system comes from how these three elements interact:
Scenario 1: The FinOps Team
- Team: FinOps
- Asset Groups: All production accounts
- Domain: Cost-focused filters (high-spend warehouses, expensive queries, storage growth patterns)
- Result: The FinOps team sees cost data across all production environments, filtered to highlight optimization opportunities, without access to development accounts
Scenario 2: The Data Engineering Team
- Team: Data Engineering
- Asset Groups: Production, staging, and development environments
- Domain: Performance-focused filters (slow queries, warehouse utilization, pipeline efficiency)
- Result: Engineers can work across environments with views optimized for performance troubleshooting and optimization
Scenario 3: The Executive Dashboard
- Team: Executive
- Asset Groups: Production only
- Domain: High-level metrics (total spend, ROI indicators, key performance trends)
- Result: Leadership sees strategic insights without operational noise
Role Hierarchy: Four Levels of Permission
Within each team an implements a clear role hierarchy:
Owner
Full platform access with no restrictions. Owners can:
- See and modify everything across all teams, domains, and asset groups
- Manage RBAC settings and user permissions
- Access all features and data
Typically reserved for platform administrators and senior data leadership.
Admin
Complete administrative control within their assigned scope. Admins can:
- Modify all settings and configurations for their teams and asset groups
- Manage RBAC for their assigned areas
- Access all data within their boundaries
Perfect for team leads who need to manage their domain without platform-wide access.
Editor
Operational control without RBAC management. Editors can:
- Change configurations, settings, and optimization parameters
- Execute actions like warehouse right-sizing or query tuning
- Access all assigned data for analysis
Crucially, Editors cannot modify RBAC settings-they can’t grant or revoke access.
This is ideal for data engineers and analysts who need to act on insights but shouldn’t manage permissions.
Viewer
Read-only access. Viewers can:
- See all dashboards, reports, and insights within their scope
- Export data and generate reports
- Monitor performance and costs
Cannot make any changes to configurations or settings.
Perfect for stakeholders who need visibility without operational responsibility.
Custom Views: Personalization at Scale
Beyond the team-domain structure, Seemore Data offers two layers of view customization:
Team Views
Created at the team level, these are shared configurations that all team members can access. Team leads can create standardized views for:
- Weekly cost reviews
- Performance monitoring dashboards
- Optimization opportunity tracking
Team views sit under the Domain filters-they refine the Domain’s filtered data further for specific use cases.
Personal Views
Individual users can create their own custom views for convenience. These are private configurations that help users focus on their specific responsibilities.
Personal views sit under Team views in the hierarchy, providing the finest level of filtering.
The Hierarchy:
Domain (broadest filter) → Team View → Personal View (most specific)
This cascading structure means users benefit from organizational guardrails while maintaining personal productivity tools. Learn more about navigating Seemore’s dashboard views.
Enterprise-Grade Integration: SCIM and Okta
For organizations using Okta or other identity providers, Seemore Data supports Attribute-Based Role Mapping through SCIM (System for Cross-domain Identity Management).
This means:
- User provisioning happens automatically from your IdP
- Role assignments can be based on user attributes from Okta
- De-provisioning removes access instantly when employees leave
- No manual user management overhead
For Snowflake environments where security and compliance are critical, this integration ensures your access control stays synchronized with your organization’s identity management system.
Why This Matters for Snowflake Optimization
Effective RBAC isn’t just about security-it’s fundamental to cost optimization and performance management in Snowflake. Clear observability into your Snowflake environment requires the right access boundaries.
- Focused Optimization
When teams see only their relevant data, they can identify optimization opportunities faster. Your warehouse optimization efforts improve when engineers aren’t distracted by accounts they don’t manage. - Cost Accountability
Asset Groups and Domains enable chargeback and showback models at the data product level. Teams can see their costs without accessing other departments’ data, driving accountability. - Safe Autonomous Actions
With proper boundaries, you can enable autonomous optimization like Smart Pulse’s warehouse right-sizing within controlled scopes. The platform can act on behalf of users without risk of touching the wrong accounts. - Compliance and Governance
Strict asset boundaries and audit trails meet compliance requirements while enabling operational flexibility.
Best Practices for Implementation
Start with Asset Groups –
Define your account boundaries first. Separate production from non-production, and consider business unit segmentation.
Build Domains Around Use Cases – Don’t try to create one perfect Domain. Build specific Domains for:
- Cost optimization
- Performance troubleshooting
- Capacity planning
- Executive reporting
Leverage Team Views for Workflows-
Create Team Views for recurring activities like weekly cost reviews or sprint planning.
Use the Principle of Least Privilege-
Start with Viewer access and elevate to Editor or Admin only as needed.
Integrate with Your IdP Early-
Set up SCIM integration from the start to avoid manual user management overhead.
Related Resources
- Mastering Anomaly Detection for Cloud Data Warehouse Performance
- Snowflake Query Insights: More Signal, Less Guesswork
- The Truth About Snowflake Query Costs, And How to Lower Them
Conclusion: Security Meets Efficiency
The Seemore Data Platform’s approach to RBAC and asset management proves that security and efficiency aren’t opposing forces. By combining Teams, Asset Groups, and Domains with intelligent filtering and custom views, data teams get:
- Security: Strict boundaries that prevent unauthorized access
- Efficiency: Filtered views that surface only relevant data
- Flexibility: Multi-dimensional access control that matches how teams actually work
- Scalability: Enterprise integration that grows with your organization
In a world where Snowflake costs can spiral quickly and data governance is non-negotiable, sophisticated access control isn’t optional-it’s the foundation for turning your data infrastructure from a cost center into a strategic asset.
Ready to see how granular access control enables autonomous optimization? Smart Pulse uses these boundaries to safely right-size warehouses and optimize queries within your defined scope-cutting costs by up to 50% while maintaining complete security and control.
Book a demo to see how Seemore Data’s RBAC system can transform your Snowflake governance.
