How to fix our RBAC security

We don't use Snowflake default roles - ACCOUNTADMIN, SECURITYADMIN, SYSADMIN or USERADMIN. No one gets these roles except one or two in our team.

We also use a custom automated SCIM to handle all our RBAC security.

Database Objects - we created a custom role just the same as SYSADMIN and granted this role to all users who need privileges to create DB objects. All database objects are created using this role.

Users - we created another role similar to USERADMIN. This role is only granted to a resource (batch) account, which is responsible for creating all users in Snowflake and also any roles. No one creates a role manually, including the few on the team with the SECURITYADMIN role.

User Roles - Azure AD groups are created as user roles. All users in those groups are revoked/granted daily. These roles are created by the batch user via the custom USERADMIN role.

Object Roles - READ/WRITE roles, again created by the custom USERADMIN role, as their names tell. These are at schema level.

SCIM - we have an in-house custom SCIM written in Python. Our daily batch logs in as the resource account and:

  1. creates/updates users as in Azure AD.

  2. revokes/grants users to user roles.

  3. creates/updates object roles.

  4. The same resource account also has the custom DB admin role; it revokes/grants DB objects to object roles.

  5. There's another table we maintain which has the relationship of user roles and object roles. The same resource account maps user roles to object roles.

Every day we revoke all access and grant it back again, along with anything changed or updated.

/r/snowflake Thread
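The daily batch the post describes (AD groups as user roles, schema-level READ/WRITE object roles, a mapping table joining the two), as an added example that is not the poster's SCIM code. All group, role, user, database and schema names are constructed and hypothetical, and the "current grants" dictionary stands in for parsed SHOW GRANTS output, so the script runs offline. It goes beyond the post in one respect: instead of revoking everything and re-granting, it diffs desired state against current state and emits only the changes, which makes the run idempotent and means nobody is without access while the batch is running.

```python
"""Diff-based reconciliation of Snowflake role grants from an Azure AD snapshot.

Added example, not the poster's SCIM code. Every input below is constructed;
in a real batch they would come from Microsoft Graph, the user-role/object-role
mapping table and SHOW GRANTS. Only SQL text is generated, so the plan can be
reviewed before a cursor executes it.
"""
import re

# Built-in roles the batch must never grant, revoke or redefine.
PROTECTED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN", "SYSADMIN", "USERADMIN", "PUBLIC"}

# Constructed Azure AD snapshot: group -> members. Each group becomes a user role.
AD_GROUPS = {
    "AAD_FINANCE_ANALYSTS": {"alice", "bob"},
    "AAD_DATA_ENGINEERS": {"carol"},
}
# Constructed mapping table: user role -> object roles it inherits.
ROLE_MAP = {
    "AAD_FINANCE_ANALYSTS": {"FIN_REPORTING_READ"},
    "AAD_DATA_ENGINEERS": {"FIN_REPORTING_READ", "FIN_REPORTING_WRITE"},
}
# Constructed schema-level object roles: role -> (database, schema, mode).
OBJECT_ROLES = {
    "FIN_REPORTING_READ": ("FIN_DB", "REPORTING", "READ"),
    "FIN_REPORTING_WRITE": ("FIN_DB", "REPORTING", "WRITE"),
}
# Constructed current state, as if parsed from SHOW GRANTS OF ROLE ...:
# role -> grantees. 'dave' has left his group; 'carol' has not been granted yet.
CURRENT_GRANTS = {
    "AAD_FINANCE_ANALYSTS": {"alice", "bob", "dave"},
    "AAD_DATA_ENGINEERS": set(),
    "FIN_REPORTING_READ": {"AAD_FINANCE_ANALYSTS"},
    "FIN_REPORTING_WRITE": set(),
}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$@.\-]*$")


def q(ident: str) -> str:
    """Validate and double-quote an identifier so names pulled from AD cannot inject SQL."""
    if not _IDENT.match(ident):
        raise ValueError(f"unsafe identifier: {ident!r}")
    return f'"{ident}"'


def object_role_ddl(role, database, schema, mode):
    """CREATE plus the privileges a READ or WRITE schema role holds.
    FUTURE grants cover tables created after this batch has run."""
    if mode not in ("READ", "WRITE"):
        raise ValueError(f"unknown mode {mode!r} for {role}")
    db, sc, r = q(database), f"{q(database)}.{q(schema)}", q(role)
    stmts = [
        f"CREATE ROLE IF NOT EXISTS {r}",
        f"GRANT USAGE ON DATABASE {db} TO ROLE {r}",
        f"GRANT USAGE ON SCHEMA {sc} TO ROLE {r}",
        f"GRANT SELECT ON ALL TABLES IN SCHEMA {sc} TO ROLE {r}",
        f"GRANT SELECT ON FUTURE TABLES IN SCHEMA {sc} TO ROLE {r}",
    ]
    if mode == "WRITE":
        stmts += [
            f"GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA {sc} TO ROLE {r}",
            f"GRANT INSERT, UPDATE, DELETE ON FUTURE TABLES IN SCHEMA {sc} TO ROLE {r}",
        ]
    return stmts


def desired_grants(ad_groups, role_map, object_roles):
    """Desired grantees per role: users -> user roles, user roles -> object roles."""
    desired = {group: set(members) for group, members in ad_groups.items()}
    for obj_role in object_roles:
        desired.setdefault(obj_role, set())
    for user_role, obj_roles in role_map.items():
        if user_role not in ad_groups:
            raise ValueError(f"mapping table names unknown group {user_role}")
        for obj_role in obj_roles:
            if obj_role not in object_roles:
                raise ValueError(f"mapping table names unknown object role {obj_role}")
            desired[obj_role].add(user_role)
    grantees = {g for members in desired.values() for g in members}
    bad = PROTECTED_ROLES & (set(desired) | grantees)
    if bad:
        raise ValueError(f"refusing to manage built-in roles: {sorted(bad)}")
    return desired


def plan_grants(desired, current):
    """Emit only the GRANT/REVOKE statements that change state; unchanged grants
    are left alone, so nobody loses access while the batch is running."""
    roles = set(desired) | set(current)

    def kind(grantee):  # a grantee is a role if we manage it, otherwise a user
        return "ROLE" if grantee in roles else "USER"

    stmts = []
    for role in sorted(roles):
        want, have = desired.get(role, set()), current.get(role, set())
        stmts += [f"GRANT ROLE {q(role)} TO {kind(g)} {q(g)}" for g in sorted(want - have)]
        stmts += [f"REVOKE ROLE {q(role)} FROM {kind(g)} {q(g)}" for g in sorted(have - want)]
    return stmts


def build_plan():
    """Full daily plan: object-role DDL, user-role creation, then the grant diff."""
    plan = []
    for role, (db, sc, mode) in OBJECT_ROLES.items():
        plan += object_role_ddl(role, db, sc, mode)
    plan += [f"CREATE ROLE IF NOT EXISTS {q(g)}" for g in AD_GROUPS]
    plan += plan_grants(desired_grants(AD_GROUPS, ROLE_MAP, OBJECT_ROLES), CURRENT_GRANTS)
    return plan


if __name__ == "__main__":
    print(";\n".join(build_plan()) + ";")
```

Run as-is to see the full plan; against the constructed inputs the diff step produces exactly four statements (grant carol her group role, revoke dave's, and grant the two object roles the engineers' group is missing). The built-in role guard and the identifier check are the two places a real batch would otherwise be one bad AD group name away from trouble.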