@@ -364,13 +364,17 @@ To get access to snowflake support portal, please follow the below steps.
### Warehouse Access
To gain access to Snowflake:
To gain access to Snowflake, utilize a [Lumos Access Request](/handbook/security/corporate/systems/lumos/ar/). There are 3 options:
In order to be granted access to a default `snowflake_analyst` role, utilize a [Lumos Access Request](/handbook/security/corporate/systems/lumos/ar/). A new user will be created with access to query the `PROD` database.
There are 2 levels of default data access:
1. Analyst
1. Analyst SAFE
1. Customer User (include requirements in your request)
* General data --> Lumos adds the Snowflake `snowflake_analyst` role to their account.
* SAFE data (you must be or will become a designated insider) --> Lumos adds the Snowflake `snowflake_analyst_safe` to their account. See the [SAFE Guide](/handbook/enterprise-data/platform/safe-data/#snowflake) for the needed approvals.
When approved by your manager, the request is routed to the Data Team. For Analyst and Analyst SAFE, Okta SCIM provisions your Snowflake account and assigns the appropriate wrapper role. For Customer User, the Data Team provisions access manually via the Snowflake-permissions [repository](https://gitlab.com/gitlab-data/snowflake-permissions).
For SAFE access, see the [SAFE Guide](/handbook/enterprise-data/platform/safe-data/#snowflake) for the required approvals.
> **Note:** If your Snowflake account was created before the Lumos/Okta SCIM integration, or if you need access beyond Analyst and Analyst SAFE, use the [Additional Access](#additional-access) path below. See the [Snowflake Guide](/handbook/enterprise-data/platform/snowflake/#current-access-model) for a full explanation of the access architecture.
All users will have standard access to `dev_xs` warehouse. Warehouses are provisioned at the user role level, which enables finer-grained warehouse assignment. This approach allows to optimize resource allocation and cost management by assigning appropriate warehouse sizes to GitLab Team Members. Larger size warehouses could be requested via regular Access Request proces.
-[AI Function Guide](/handbook/enterprise-data/platform/snowflake/snowflake-ai-function/snowflake-ai-function.md)
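Review bot: the option count is inconsistent within this hunk: "There are 3 options" (Analyst, Analyst SAFE, Customer User) sits next to "There are 2 levels of default data access", and the bullets that follow list only the General and SAFE cases. If the "2 levels" sentence and its two bullets are meant to survive alongside the new three-item list, either drop them or reword so the third option (Customer User, provisioned manually via the Snowflake-permissions repository) is covered once, not half-described twice. Two smaller points: "Access Request proces" should read "Access Request process" and "This approach allows to optimize" should read "This approach allows us to optimize"; and the `[AI Function Guide]` link target ends in `.md`, unlike every other handbook link in the hunk, so confirm it renders as a handbook path.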
## Current access model
Snowflake access operates on a hybrid model depending on your account history and the level of access required.
### Current access architecture
Snowflake access at GitLab is split across multiple systems working together:
-**Lumos** serves as the request and approval solution for Snowflake access.
-**Okta SCIM** creates or updates Snowflake users when Lumos requests are approved, assigning (wrapper) roles:
-`SNOWFLAKE_ANALYST_OKTA` (which inherits the underlying `SNOWFLAKE_ANALYST` role)
-`SNOWFLAKE_ANALYST_SAFE_OKTA` (which inherits the underlying `SNOWFLAKE_ANALYST_SAFE` role)
-**Permifrost** remains the source of truth for all custom, team-specific, and extended Snowflake authorization beyond the baseline analyst roles. This includes functional roles (e.g., `analyst_marketing`) and dev database access. This can be requested either via Lumos (`Customer User`) or via an [Access Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/).
-**Snowflake SSO**: provides the login tile and SSO access.
The Okta SCIM path is intended **only for the two access levels**: Analyst and Analyst SAFE. Anything beyond these two roles is managed through the [Permifrost](/handbook/enterprise-data/platform/permifrost/) process.
### Where Okta SCIM stops
The Okta SCIM provisioning path is designed for the two baseline access levels only: **Analyst** and **Analyst SAFE**.
1.**Pre-SCIM users**: If your Snowflake account existed before Okta SCIM was implemented, Okta SCIM will not provision your account.
2.**Custom or extended roles**: If you need team-specific roles (e.g., `analyst_marketing`), functional roles (e.g., `analyst_core`), or dev database access, those are managed separately through the Permifrost process.
3.**Mixed-role users**: Users who have both Lumos-managed baseline roles and Permifrost-managed custom roles exist in both systems. Lumos and Permifrost are separate layers and do not automatically mirror each other.
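Review bot: the statement that Okta SCIM covers only Analyst and Analyst SAFE appears twice in this hunk, once under "Current access architecture" ("The Okta SCIM path is intended **only for the two access levels**") and again as the opening sentence of "Where Okta SCIM stops"; keep one and let the other section link to it. More importantly, the "Mixed-role users" item says Lumos and Permifrost are separate layers that do not mirror each other but stops short of saying what that means on the removal side: when a team member changes roles or leaves, which system removes the baseline wrapper role and which removes the Permifrost-managed functional roles, and who checks that neither layer leaves a stale grant behind. A sentence on deprovisioning for each layer (and for pre-SCIM accounts, which the Note above says SCIM will not touch) would close that gap.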