Skip to main content

Create a Custom Service User

If you need to use a different service user name or role name (to stay in compliance with your naming convention for example), create a custom service user and grant privileges. We have a specific recommended procedure to accomplish this task. If you need help along the way, contact ALTR Support.

Note

Creating a custom service user is not the routine path to create a service user. Learn more to create the recommended service user.

Warning

Do not modify PC_ALTR_ROLE, ALTR_SERVICE_ROLE, ALTR_SERVICE_USER, PC_ALTR_USER, PC_ALTR_WH or ALTR_SERVICE_WH.

To create a custom service user and grant privileges:

  1. Don’t change the stored procedure.

  2. Create a new service user with whatever name you’d like that will be the ALTR service user. Set the TYPE to LEGACY_SERVICE.

    Note

    The TYPE=LEGACY_SERVICE parameter is required in order for your service user to authenticate with ALTR.

    Starting 09/30/24, all new Snowflake accounts by default require multi-factor authorization (MFA) to log into Snowflake. Set the TYPE parameter to LEGACY_SERVICE on ALTR's service user to ensure ALTR can authenticate with Snowflake. Learn more. ALTR recommends setting a network policy on the service user to prevent unauthorized access. Learn more.

  3. Create a new role for your new service user.

  4. Grant your new role the role PC_ALTR_ROLE or ALTR_SERVICE_ROLE (as applicable) so all of the required privileges are extended to your new role.

    Note

    For the list of privileges required by the service role, refer to Service User Privilege Requirements.

  5. Grant your new role to the new service user so privileges required for ALTR are extended to your new service user.

Note

Whenever you run the stored procedure, even if it’s just during set up, ensure the IS_PARTNER_CONNECT parameter is correctly set because the role name is different depending on how the account was created.

  • If you used Snowflake Partner connect, the role name is PC_ALTR_ROLE; set the parameter to TRUE.

  • If ALTR Support created your account, the role name is ALTR_SERVICE_ROLE; set the parameter to FALSE.

In this section: