Browse SnowPro Certification Guides

COF-C03 Security Principles, Roles, and Access Design Guide

April 14, 2026

Study COF-C03 Security Principles, Roles, and Access Design: key concepts, common traps, and exam decision cues.

On this page

Snowflake security questions usually become easy once you separate who is signing in, what privileges they have, and what object those privileges apply to. The distractors get stronger when those three blur together.

Role-based access control: Snowflake access model in which privileges are granted to roles and roles are assigned to users.

Security split

If the stem is really about… Think first about
proving identity with an IdP or Snowflake login authentication
deciding what a user may read or modify authorization and roles
restricting where connections come from network policy
deciding which table or schema is affected object hierarchy

Role and object cues

Question clue Better reading
“the user can sign in but cannot query the table” authentication succeeded; authorization or grants are missing
“this role should read one schema but not another” role design and object-level grants
“limit connections from trusted network locations” network policy or access control boundary
“separate admin responsibility from ordinary analyst access” role separation and least privilege

Decision order that usually wins

  1. Ask whether the problem is authentication, authorization, network restriction, or object scope.
  2. If the user cannot sign in, stay in authentication.
  3. If the user can sign in but cannot act, move to roles and grants.
  4. If the stem mentions trusted locations or connection boundaries, think network policy.
  5. Keep role hierarchy separate from object hierarchy while you reason.

Most wrong answers in this area mix identity proof, privilege design, and object scope into one bucket. Snowflake wants you to classify the failure lane first and then choose the control that actually owns it.

Scenario triage

Scenario Better first move
user signs in but cannot query one table inspect grants and role scope
company wants SSO treat it as authentication, not table privilege design
login should only come from trusted locations think network policy
admin and analyst duties are blurred redesign roles with least privilege

Common traps

Trap Better rule
SSO automatically solves table access SSO solves authentication, not object privileges
warehouse settings solve data-access problems warehouses provide compute, not authorization
direct one-off access ideas are always best Snowflake wants clean role design and grant structure

What strong answers usually do

  • classify the problem as authentication, authorization, or connectivity before picking the answer
  • keep role hierarchy and object hierarchy separate
  • apply least privilege through roles rather than through ad hoc mental models

Quiz

Loading quiz…
Revised on Sunday, May 10, 2026
2.2 Governance & Monitoring