Brainforge Internal Snowflake: Actual State vs. Governance Scripts
Date: 2026-02-13
Source: Snowflake CLI (snow sql -c brainforge-internal), key-pair auth
Governance reference: snowflake
This document compares what exists in the Brainforge Internal Snowflake account with what the governance scripts (infrastructure-setup.sql, rbac-setup.sql) expect. Use it to plan reconciliation.
Scripts we ran (internal cleanup): internal-cleanup-2026-02 – folder containing the drop-users and set-default-warehouse scripts run for the Feb 2026 user/role cleanup, plus a README with run order and CLI examples.
1. Roles
Exists today (from SHOW ROLES)
| Role | Notes |
|---|---|
| ACCOUNTADMIN | System |
| SYSADMIN | System |
| SECURITYADMIN | System |
| USERADMIN | System |
| ORGADMIN | System |
| PUBLIC | System |
| ROLE_DEV_READ | Access role |
| ROLE_DEV_WRITE | Access role |
| ROLE_STAGING_READ | Access role |
| ROLE_STAGING_WRITE | Access role |
| ROLE_PROD_READ | Access role |
| ROLE_PROD_WRITE | Access role |
| ROLE_INGEST | Service functional |
| ROLE_TRANSFORM | Service functional |
| ROLE_REPORT | Service functional |
| ROLE_DEVELOPER | Human aggregate (dev + staging + prod read) |
| ROLE_ABC_DEVELOPER | ABC-specific |
| RILL_SERVICE_ROLE | Rill |
| ABC_SERVICE_USER_READER_ROLE | ABC |
| AUTOFILLMENT_EXECUTOR | System |
| SNOWFLAKE_LEARNING_ROLE | System |
Governance expects
| Role | In Internal? | Gap |
|---|---|---|
| role_dev_read | Yes | Pass (use works) |
| role_dev_write | Yes | Pass |
| role_staging_read | Yes | Pass |
| role_staging_write | Yes | Pass |
| role_prod_read | Yes | Pass |
| role_prod_write | Yes | Pass |
| role_prod_marts_read | No | Missing – role access test FAIL |
| role_raw_write | No | Missing – role access test FAIL |
| role_ingest | Yes | Pass |
| role_transform | Yes | Pass |
| role_report | Yes | Pass |
| role_developer | No | Missing – role access test FAIL |
| role_data_modeler | No | Missing – role access test FAIL |
| role_data_analyst | No | Missing – role access test FAIL |
| role_streamlit_creator | No | Missing – role access test FAIL |
Summary – roles: After reconciliation (2026-02-13), all 15 governance roles exist and pass access tests.
2. Warehouses
Exists today (from SHOW WAREHOUSES IN ACCOUNT)
Session used WAREHOUSE_TRANSFORM; full list was truncated in CLI output. At least WAREHOUSE_TRANSFORM exists and is in use.
Governance expects
| Warehouse | Purpose |
|---|---|
| warehouse_ingest | ETL loads |
| warehouse_transform | dbt jobs (scheduled / CI) |
| warehouse_report | BI queries |
| warehouse_developer | Default for all human users (ad-hoc, Snowsight, local dbt) |
Summary – warehouses: WAREHOUSE_TRANSFORM confirmed. Verify warehouse_ingest, warehouse_report, and warehouse_developer via Snowsight (Admin → Warehouses). All human users should use warehouse_developer as default.
3. Databases
Exists today (from SHOW DATABASES IN ACCOUNT)
| Database | Purpose |
|---|---|
| RAW | Landing pad; includes SOURCE_DB, SLACK_DB, SEC, DLT as schemas |
| DEV_INTERMEDIATE | Dev intermediate |
| DEV_MARTS | Dev marts |
| STG_INTERMEDIATE | Staging intermediate |
| STG_MARTS | Staging marts |
| PROD_INTERMEDIATE | Prod intermediate |
| PROD_MARTS | Prod marts; includes BRAINFORGE_RILL, BRAINFORGE_RILL_MANUFACTURING, BRAINFORGE_RILL_SALES |
| SOURCE_DB, SEC | Still exist (cloned to RAW); cannot drop while in outbound shares |
| ABC_LOGS, AI_AGENT_TRACKING, etc. | Other |
Governance expects
| Database | Purpose |
|---|---|
| raw | Landing pad for extracted data |
| DEV_intermediate | Development intermediate layer |
| STG_intermediate | Staging intermediate layer |
| PROD_intermediate | Production intermediate layer |
| DEV_marts | Development marts |
| STG_marts | Staging marts |
| PROD_marts | Production marts |
Summary – databases: All seven governance databases exist (raw, DEV/STG/PROD intermediate and marts). Naming matches.
4. Service Users
Exists today (from SHOW USERS)
Output truncated in CLI. Verify in Snowsight (Admin → Users) for service_user_ingest, service_user_transform, service_user_report.
Governance expects
| User | Default Role | Purpose |
|---|---|---|
| service_user_ingest | role_ingest | ETL |
| service_user_transform | role_transform | dbt |
| service_user_report | role_report | BI tools |
Summary – service users: Not fully captured in this run; confirm in UI.
5. Current Session (at audit time)
- Account: MY64480
- User: UTTAM
- Warehouse: WAREHOUSE_TRANSFORM
- Role: ACCOUNTADMIN
- Database: None
6. Users and roles
Source: snowflake.account_usage.users and snowflake.account_usage.grants_to_users (role grants to users).
Note: grants_to_users can lag; run SHOW GRANTS TO USER <name> for live state before applying changes.
6.1 Policy (internal)
- Account admins (ACCOUNTADMIN): UTTAM, SAMROBERTS, AWAISHKUMAR, RICOREJOSO. Default warehouse = warehouse_developer; default role stays ACCOUNTADMIN.
- Everyone else (human): CASIEAVILES, DEMILADEAGBOOLA, MUSTAFARAJA, AMBERSIRULIN. Default warehouse = warehouse_developer; default role = role_developer (grant role_developer, set default_role and default_warehouse).
- Dropped users (removed): HENRYZHAO, MIGUELDEVEYRA, PATRIKDEVLIN, BRIANGONZALES, EXAMPLE_USER, RILL_SERVICE_USER. Run
drop-users-internal.sqlto remove them. If any own objects, transfer ownership first then re-run. - Service users: SERVICE_USER_INGEST, SERVICE_USER_REPORT, ABC_SERVICE_USER_READER, INTERNAL_SERVICE_USER_READER (and SERVICE_USER_TRANSFORM if present) keep their existing role/warehouse; no change in this pass. PRANAVNARAHARI remains for now (no role/warehouse change unless you add one later).
6.2 Current state (after applying scripts)
| User | Default warehouse | Default role | Notes |
|---|---|---|---|
| UTTAM | warehouse_developer | ACCOUNTADMIN | Account admin |
| SAMROBERTS | warehouse_developer | ACCOUNTADMIN | Account admin |
| AWAISHKUMAR | warehouse_developer | ACCOUNTADMIN | Account admin |
| RICOREJOSO | warehouse_developer | ACCOUNTADMIN | Account admin |
| CASIEAVILES | warehouse_developer | role_developer | Human |
| DEMILADEAGBOOLA | warehouse_developer | role_developer | Human |
| MUSTAFARAJA | warehouse_developer | role_developer | Human |
| AMBERSIRULIN | warehouse_developer | role_developer | Human |
| SERVICE_USER_INGEST | warehouse_ingest | role_ingest | Service |
| SERVICE_USER_REPORT | warehouse_report | role_report or ROLE_PROD_READ | Service |
| ABC_SERVICE_USER_READER | (as needed) | role_prod_marts_read | Service |
| INTERNAL_SERVICE_USER_READER | warehouse_transform | ROLE_PROD_WRITE | Service (consider revoking ACCOUNTADMIN separately) |
| PRANAVNARAHARI | — | — | Unchanged for now |
| SNOWFLAKE | — | — | System |
6.3 Scripts to apply
-
drop-users-internal.sql
Drops: henryzhao, migueldeveyra, patrikdevlin, briangonzales, example_user, rill_service_user. If a user owns objects, transfer ownership to an admin (e.g. uttam) or SYSADMIN first, then re-run. -
set-default-warehouse-users.sql
- Account admins (uttam, samroberts, awaishkumar, ricorejoso):
ALTER USER ... SET DEFAULT_WAREHOUSE = warehouse_developeronly. - Everyone else (casieaviles, demiladeagboola, mustafaraja, ambersirulin):
GRANT ROLE role_developer TO USER ...thenALTER USER ... SET DEFAULT_WAREHOUSE = warehouse_developerandSET DEFAULT_ROLE = role_developer.
- Account admins (uttam, samroberts, awaishkumar, ricorejoso):
-
Order
Run drop-users-internal.sql first, then set-default-warehouse-users.sql. -
Verification
SHOW GRANTS TO USER <name>and confirm default_warehouse / default_role in Snowsight orsnowflake.account_usage.users.
7. Recommendations (post-reconciliation)
- Roles: Done via reconciliation; all 15 roles exist.
- Databases: Governance DBs present. SOURCE_DB, SLACK_DB, SEC, DLT content cloned into RAW; BRAINFORGE_RILL cloned into PROD_MARTS. SLACK_DB, DLT, BRAINFORGE_RILL dropped.
- Warehouses: warehouse_developer, warehouse_ingest, warehouse_transform, warehouse_report in use.
- Service users: Create via
create-service-users.sqlwhen RSA keys are ready.
8. Suggested cleanups (optional)
| Item | Action |
|---|---|
| SOURCE_DB, SEC | Still exist (cloned to RAW). Blocked: FEMA_SHARE is primary in a replication relationship. See README-drop-source-db-sec.md. Resolve replication, then run drop-source-db-sec-internal.sql. |
| MFA authentication policy | Done (2026-03-02): enforce-mfa-internal.sql created PROD_intermediate.SECURITY.mfa_required, applied to account. Service users get mfa_optional. |
| Rill access | Documented: Rill uses service_user_report with role_report per governance.md. role_report has role_prod_marts_read → PROD_MARTS.BRAINFORGE_RILL*. |
| ABC_LOGS, AI_AGENT_TRACKING | Decide: keep as standalone DBs or move into RAW as schemas for consistency. |
| Legacy roles | Dropped via drop-non-governance-roles.sql: RILL_SERVICE_ROLE, ABC_SERVICE_USER_READER_ROLE, ROLE_ABC_DEVELOPER, ROLE_DEVELOPER, SNOWFLAKE_LEARNING_ROLE. Affected users granted role_prod_marts_read or role_developer. |
| Dropped users | drop-users-internal.sql removes: HENRYZHAO, MIGUELDEVEYRA, PATRIKDEVLIN, BRIANGONZALES, EXAMPLE_USER, RILL_SERVICE_USER. Account admins: UTTAM, SAMROBERTS, AWAISHKUMAR, RICOREJOSO; everyone else (human): warehouse_developer + role_developer via set-default-warehouse-users.sql. |
| Audit doc | Re-run audit-snowflake-internal.sh --audit-only periodically and refresh “Exists today” tables. |
9. How this was verified
- CLI:
snow sql -c brainforge-internalorsnow sqlwith env vars - Script:
knowledge/engineering/data-platform/scripts/audit-snowflake-internal.sh - Queries used:
SHOW ROLES;SHOW WAREHOUSES IN ACCOUNT;SHOW DATABASES IN ACCOUNT;SHOW USERS;SELECT CURRENT_WAREHOUSE(), CURRENT_ROLE(), CURRENT_DATABASE();
- Limitation: Run as ACCOUNTADMIN or SECURITYADMIN for complete visibility.