Resolve conflicts when importing organization users. Use when: import conflict, user already exists, link user to org user, x/y users imported, SYSTEM$LINK_ORGANIZATION_USER, resolve local user conflict, matching login_name error, cannot import user, drop local user, rename local user. Contains link/drop/rename conflict resolution strategies.
Resolve conflicts when organization users cannot import due to existing local users.
is_imported = FALSE for one or more usersAfter resolving conflicts (Drop or Rename), Snowflake automatically imports the organization user.
Do NOT run:
ALTER ACCOUNT REMOVE ORGANIZATION USER GROUP <name>; -- ❌ WRONG
ALTER ACCOUNT ADD ORGANIZATION USER GROUP <name>; -- ❌ WRONG
Instead:
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUPThe group is already imported - you're just resolving conflicts for specific users within it.
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUP <group_name>
->> SELECT * FROM $1 WHERE "is_imported" = 'false';
Output shows:
Why conflicts occur (Reference):
⚠️ Only name and login_name cause conflicts - email and other properties do NOT block import.
Decision tree:
Is local user the same person as org user?
├─ YES → Strategy 1: Link
│
└─ NO → Do you need to keep local user?
├─ NO → Strategy 2: Drop
└─ YES → Strategy 3: Rename
Use when: Local user represents the same person as the organization user.
SELECT SYSTEM$LINK_ORGANIZATION_USER('<local_user_name>', '<org_user_name>');
Example:
-- Local user 'ajohnson' is same person as org user 'alice_johnson'
SELECT SYSTEM$LINK_ORGANIZATION_USER('ajohnson', 'alice_johnson');
What happens:
⚠️ The linking is immediate. Do NOT run ALTER ACCOUNT REMOVE/ADD ORGANIZATION USER GROUP.
SELECT SYS_CONTEXT('SNOWFLAKE$ORGANIZATION', 'IS_USER_IMPORTED', 'alice_johnson');
-- Should return TRUE
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUP <group_name>
->> SELECT * FROM $1 WHERE name = 'alice_johnson';
-- is_imported should now be TRUE
Use when: Organization user should completely replace the local user.
Document grants:
SHOW GRANTS TO USER <local_user>;
-- Save these to reapply if needed
DROP USER <local_user>;
Example:
DROP USER old_employee;
What happens:
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUP <group_name>
->> SELECT * FROM $1 WHERE name = '<org_user_name>';
-- is_imported should now be TRUE
-- Reapply any account-specific grants
GRANT ROLE custom_account_role TO USER <org_user_name>;
Use when: Both users should exist independently.
ALTER USER <local_user>
SET LOGIN_NAME = '<new_login_name>';
Example:
-- Existing user 'charlie_lee' conflicts with org user 'charlie_lee'
-- Rename local user
ALTER USER charlie_lee SET LOGIN_NAME = 'charlie_lee_legacy';
What happens:
-- Check org user imported
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUP <group_name>
->> SELECT * FROM $1 WHERE name = 'charlie_lee';
-- is_imported should be TRUE
-- Check local user still exists with new name
SHOW USERS LIKE '%charlie%';
-- Should show both charlie_lee (org) and charlie_lee_legacy (local)
-- Step 1: Detect conflicts
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUP data_team
->> SELECT * FROM $1 WHERE "is_imported" = 'false';
-- Output shows:
-- alice_johnson - FALSE
-- bob_smith - FALSE
-- charlie_lee - FALSE
-- Step 2: Resolve each conflict
-- Alice: Link (same person)
SELECT SYSTEM$LINK_ORGANIZATION_USER('alice_local', 'alice_johnson');
-- Bob: Drop (old account, replace with org user)
SHOW GRANTS TO USER bob_local; -- Document first
DROP USER bob_local;
-- Charlie: Rename (keep both)
ALTER USER charlie_lee SET LOGIN_NAME = 'charlie_legacy';
-- Step 3: Verify all resolved
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUP data_team;
-- All should show is_imported = TRUE
After linking, user is managed by org user. To unlink:
SELECT SYSTEM$UNLINK_ORGANIZATION_USER('<user_name>');
User becomes fully local again (loses org management).
Dropping local user is irreversible. Make sure to:
-- ✅ CORRECT
SELECT SYSTEM$LINK_ORGANIZATION_USER('local_user', 'org_user');
-- ❌ WRONG
SELECT SYSTEM$LINK_ORGANIZATION_USER('org_user', 'local_user');
First parameter is local user, second is org user.
| Scenario | Strategy | Command |
|---|---|---|
| Same person as local user | Link | SYSTEM$LINK_ORGANIZATION_USER |
| Replace local user | Drop | DROP USER |
| Keep both separately | Rename | ALTER USER SET LOGIN_NAME |
| Test user / old account | Drop | DROP USER |
| Active user, wrong name | Link | SYSTEM$LINK_ORGANIZATION_USER |
After resolving conflicts:
SHOW ORGANIZATION USERS IN ORGANIZATION USER GROUP <name>⚠️ This skill handles CONFLICT RESOLUTION only. For new imports, load ../import/SKILL.md.
Provide:
ALTER ACCOUNT REMOVE ORGANIZATION USER GROUP or ALTER ACCOUNT ADD ORGANIZATION USER GROUP - these are NOT part of conflict resolutionIf an error occurs during execution, follow this guide. Maximum 2 retry attempts for SQL syntax errors, then halt and ask user for guidance.
| Error Type | Likely Cause | Resolution Steps |
|---|---|---|
Insufficient privileges | User lacks ACCOUNTADMIN | Halt. Ask user to switch to the ACCOUNTADMIN role. |
Link function failed | SYSTEM$LINK_ORGANIZATION_USER expects specific parameters | Verify you are passing (local_user_name, org_user_name) in the correct order. |
User cannot be dropped | Local user owns objects | Halt. Ask user to transfer ownership of objects (GRANT OWNERSHIP) before dropping. |
invalid identifier '...' | Quoting issue on SHOW command output | Ensure all columns in RESULT_SCAN are double-quoted in lowercase. |
The workflow is complete and you should stop processing when:
SHOW ORGANIZATION USERS... confirms is_imported = TRUE for all users in the group. Await further instructions.