GLOBALORGADMIN and ORGADMIN role reference — when to use each role, how to set them up, how to check grants, how to enable or disable ORGADMIN in accounts. Use when the user asks about: GLOBALORGADMIN, ORGADMIN, organization administrator, org admin role, who has globalorgadmin, how to get globalorgadmin, enable orgadmin, disable orgadmin, organization admin setup, org admin permissions, what can globalorgadmin do, difference between orgadmin and globalorgadmin, organization account roles.
Authoritative reference for Snowflake globalorgadmin role.
Snowflake provides two roles for organization-level tasks:
| Role | Where It Runs | Status | Recommended |
|---|---|---|---|
| GLOBALORGADMIN | Organization account only | Active — preferred | ✅ Yes |
| ORGADMIN | Any ORGADMIN-enabled account | Being phased out | ⚠️ Legacy |
For multi-account organizations, always use GLOBALORGADMIN in the organization account. ORGADMIN in regular accounts is being phased out. Snowflake will send notification emails at least three months prior to phasing out the ORGADMIN role.
The GLOBALORGADMIN role is the preferred role for performing organization-level tasks. It is available in the only. A user with this role is also known as the .
USE ROLE GLOBALORGADMIN;
SELECT CURRENT_ROLE();
If CURRENT_ROLE() does not return GLOBALORGADMIN, the user does not have the role granted. Check grants:
SHOW GRANTS TO USER CURRENT_USER();
As GLOBALORGADMIN you have visibility into all spending across the entire organization.
| Capability | SQL / View | What You Can See |
|---|---|---|
| Total org spend | SNOWFLAKE.ORGANIZATION_USAGE.USAGE_IN_CURRENCY_DAILY | Daily spend by account, service type, currency |
| Compute credit consumption | SNOWFLAKE.ORGANIZATION_USAGE.METERING_DAILY_HISTORY | Credits used/billed by service type per day |
| Warehouse-level credits | SNOWFLAKE.ORGANIZATION_USAGE.WAREHOUSE_METERING_HISTORY | Credits per warehouse (compute + cloud services) |
| Contract and balance | SNOWFLAKE.ORGANIZATION_USAGE.CONTRACT_ITEMS | Contract terms, committed amounts |
| Remaining balance | SNOWFLAKE.ORGANIZATION_USAGE.REMAINING_BALANCE_DAILY | Daily remaining credit balance |
Key focus areas:
Full visibility into authentication patterns, admin sprawl, and trust center findings across every account.
| Capability | SQL / View | What You Can See |
|---|---|---|
| Trust Center findings | SNOWFLAKE.ORGANIZATION_USAGE.TRUST_CENTER_FINDINGS | Security violations by severity, scanner, account, state |
| Login history | SNOWFLAKE.ORGANIZATION_USAGE.LOGIN_HISTORY | Every login event: user, auth method, success/failure, client type |
| User inventory | SNOWFLAKE.ORGANIZATION_USAGE.USERS | All users across all accounts |
| Session history | SNOWFLAKE.ORGANIZATION_USAGE.SESSIONS | Active and historical sessions |
| Role grants | SNOWFLAKE.ORGANIZATION_USAGE.GRANTS_TO_USERS | Who has which roles in which accounts |
| Role definitions | SNOWFLAKE.ORGANIZATION_USAGE.GRANTS_TO_ROLES | Role hierarchy and privilege grants |
| Network policies | SNOWFLAKE.ORGANIZATION_USAGE.NETWORK_POLICIES | Network policy definitions across accounts |
Key focus areas:
Complete control over the organization's account inventory.
| Capability | SQL Command | What It Does |
|---|---|---|
| List all accounts | SHOW ACCOUNTS | All member accounts with name, region, status, creation date |
| Organization account metadata | SHOW ORGANIZATION ACCOUNTS | The organization account itself |
| Create account | CREATE ACCOUNT <name> ... | Provision new member accounts |
| Alter account | ALTER ACCOUNT <name> SET ... | Modify account parameters |
| Drop account | DROP ACCOUNT <name> | Remove accounts (high-risk) |
| Account history | SHOW ACCOUNTS HISTORY | Include dropped/deleted accounts |
| Enable ORGADMIN | ALTER ACCOUNT <name> SET IS_ORG_ADMIN = TRUE | Legacy — enable ORGADMIN in an account |
Key focus areas:
Manage identity at the organization level — users and groups that span accounts.
| Capability | SQL Command | What It Does |
|---|---|---|
| List org users | SHOW ORGANIZATION USERS | All organization-level users |
| List org user groups | SHOW ORGANIZATION USER GROUPS | All organization-level user groups |
| Create org user | CREATE ORGANIZATION USER <name> ... | Create a user at the org level |
| Alter org user | ALTER ORGANIZATION USER <name> ... | Modify org user properties |
| Drop org user | DROP ORGANIZATION USER <name> | Remove an org user |
| Create org user group | CREATE ORGANIZATION USER GROUP <name> | Create a group at the org level |
| Alter org user group | ALTER ORGANIZATION USER GROUP <name> ... | Modify group membership/properties |
| Drop org user group | DROP ORGANIZATION USER GROUP <name> | Remove an org user group |
Note: Organization users and user groups require Enterprise Edition or higher.
Visibility into data access patterns, privilege changes, and policy enforcement across the organization.
| Capability | SQL / View | What You Can See |
|---|---|---|
| Trust Center findings | SNOWFLAKE.ORGANIZATION_USAGE.TRUST_CENTER_FINDINGS | Security recommendations and violations (CIS benchmarks, MFA, strong auth) |
| Access history | SNOWFLAKE.ORGANIZATION_USAGE.ACCESS_HISTORY | Who accessed what data, when |
| Grant changes | SNOWFLAKE.ORGANIZATION_USAGE.GRANTS_TO_USERS | Current role assignments; track privilege changes over time |
| Login anomalies | SNOWFLAKE.ORGANIZATION_USAGE.LOGIN_HISTORY | Failed logins, unusual patterns, auth method distribution |
| Masking policies | SNOWFLAKE.ORGANIZATION_USAGE.MASKING_POLICIES | Data masking policy definitions across accounts |
| Row access policies | SNOWFLAKE.ORGANIZATION_USAGE.ROW_ACCESS_POLICIES | Row-level security policies across accounts |
| Policy references | SNOWFLAKE.ORGANIZATION_USAGE.POLICY_REFERENCES | Where policies are applied |
Key focus areas:
Monitor compute, storage, and operational health across the organization.
| Capability | SQL / View | What You Can See |
|---|---|---|
| Storage trends | SNOWFLAKE.ORGANIZATION_USAGE.STORAGE_DAILY_HISTORY | Daily storage by account (columns: USAGE_DATE, ACCOUNT_NAME, AVERAGE_BYTES) |
| Database storage | SNOWFLAKE.ORGANIZATION_USAGE.DATABASE_STORAGE_USAGE_HISTORY | Per-database storage across accounts |
| Warehouse load | SNOWFLAKE.ORGANIZATION_USAGE.WAREHOUSE_LOAD_HISTORY | Running and queued load per warehouse |
| Query history | SNOWFLAKE.ORGANIZATION_USAGE.QUERY_HISTORY | All queries across org (very large — 3-day max window) |
| Task history | SNOWFLAKE.ORGANIZATION_USAGE.TASK_HISTORY | Snowflake Task execution history |
| Replication | SNOWFLAKE.ORGANIZATION_USAGE.REPLICATION_GROUP_USAGE_HISTORY | Replication group credit and data transfer usage |
| Data transfer | SNOWFLAKE.ORGANIZATION_USAGE.DATA_TRANSFER_HISTORY | Cross-region and cross-cloud data transfer |
| Pipe usage | SNOWFLAKE.ORGANIZATION_USAGE.PIPE_USAGE_HISTORY | Snowpipe ingestion credits |
| Materialized views | SNOWFLAKE.ORGANIZATION_USAGE.MATERIALIZED_VIEW_REFRESH_HISTORY | MV refresh credit usage |
| Search optimization | SNOWFLAKE.ORGANIZATION_USAGE.SEARCH_OPTIMIZATION_HISTORY | Search optimization service credits |
| Query acceleration | SNOWFLAKE.ORGANIZATION_USAGE.QUERY_ACCELERATION_HISTORY | QAS credit usage |
| Auto-clustering | SNOWFLAKE.ORGANIZATION_USAGE.AUTOMATIC_CLUSTERING_HISTORY | Automatic clustering credit usage |
Key focus areas:
Visibility into databases, tables, views, and governance objects across all accounts.
| Capability | SQL / View | What You Can See |
|---|---|---|
| Databases | SNOWFLAKE.ORGANIZATION_USAGE.DATABASES | All databases across accounts |
| Tables | SNOWFLAKE.ORGANIZATION_USAGE.TABLES | All tables across accounts |
| Views | SNOWFLAKE.ORGANIZATION_USAGE.VIEWS | All views across accounts |
| Roles | SNOWFLAKE.ORGANIZATION_USAGE.ROLES | All roles across accounts |
| Tags | SNOWFLAKE.ORGANIZATION_USAGE.TAGS | Tag definitions |
| Tag references | SNOWFLAKE.ORGANIZATION_USAGE.TAG_REFERENCES | Where tags are applied |
Managing the GLOBALORGADMIN role itself and ORGADMIN legacy role.
| Capability | SQL Command | What It Does |
|---|---|---|
| See who has GLOBALORGADMIN | SHOW GRANTS OF ROLE GLOBALORGADMIN | List all grantees |
| Grant GLOBALORGADMIN | GRANT ROLE GLOBALORGADMIN TO USER <name> | Give org admin access |
| Revoke GLOBALORGADMIN | REVOKE ROLE GLOBALORGADMIN FROM USER <name> | Remove org admin access |
| Enable ORGADMIN in account | ALTER ACCOUNT <name> SET IS_ORG_ADMIN = TRUE | Legacy — max 8 accounts |
| Disable ORGADMIN in account | ALTER ACCOUNT <name> SET IS_ORG_ADMIN = FALSE | Must run from a different ORGADMIN account |
| Check ORGADMIN status | SHOW ACCOUNTS → "is_org_admin" column | See which accounts have ORGADMIN |
The ORGADMIN role allows organization-level tasks from any ORGADMIN-enabled account, not just the organization account. It is being phased out for multi-account organizations.
USE ROLE ORGADMIN;
SELECT CURRENT_ROLE();
The first account in an organization has ORGADMIN enabled by default. To enable it in other accounts:
USE ROLE ORGADMIN;
ALTER ACCOUNT <account_name> SET IS_ORG_ADMIN = TRUE;
Rules:
ALTER ACCOUNT syntax only accepts the account name format of the account identifier — you cannot use the account locator.To prevent an account from performing organization-level tasks:
USE ROLE ORGADMIN;
ALTER ACCOUNT <account_name> SET IS_ORG_ADMIN = FALSE;
Rules:
ALTER ACCOUNT syntax only accepts the account name format — not the account locator.| Aspect | ORGADMIN | GLOBALORGADMIN |
|---|---|---|
| Level | Account-level role | Organization-level principal |
| Scope | Operates within an ORGADMIN-enabled account | Operates in the organization account |
| Where it exists | Inside a Snowflake account | The organization account |
| Granted via | GRANT ROLE ORGADMIN TO USER <name> within account | GRANT ROLE GLOBALORGADMIN TO USER <name> in org account |
| Can create accounts | ✅ Yes | ✅ Yes |
| Can view ORGANIZATION_USAGE | ✅ Yes (from ORGADMIN-enabled account) | ✅ Yes |
| Can manage org users/groups | ❌ No | ✅ Yes |
| Status | Being phased out | Preferred |
When user asks "which role should I use?" or "how do I perform org-level tasks?":
| Scenario | Recommended Role |
|---|---|
| Multi-account organization, any org-level task | GLOBALORGADMIN in the organization account |
| Need to view ORGANIZATION_USAGE data | GLOBALORGADMIN (required) |
| Need to manage organization users/groups | GLOBALORGADMIN in the organization account |
| Legacy setup, single-account org operations | ORGADMIN (but recommend migrating to GLOBALORGADMIN) |
| User asks about ORGADMIN specifically | Acknowledge it exists, note it is being phased out, suggest GLOBALORGADMIN |
SHOW GRANTS TO USER CURRENT_USER();USE ROLE GLOBALORGADMIN; first.ALTER ACCOUNT command requires the account name format, not the account locator.ALTER ACCOUNT my_account_name SET ...ALTER ACCOUNT AB12345 SET ...