ADA-C01 SnowPro Advanced Administrator Questions and Answers

The MINS_TO_BYPASS_MFA property allows the account administrator to temporarily disable MFA for a user who has lost their phone or changed their phone number1. The user can log in without MFA for the specified number of minutes, and then re-enroll in MFA using their new phone1. This does not revoke their MFA enrollment, unlike the DISABLE_MFA property, which cancels their enrollment and requires them to re-enroll from scratch1. The other options are not valid ways to bypass MFA, as SnowSQL does support MFA authentication2, and there is no such URL parameter as /?mode=mfa_bypass&code= for Snowflake3

When future grants are defined on the same object type for a database and a schema in the same database, the schema-level grants take precedence over the database level grants, and the database level grants are ignored4. This behavior applies to privileges on future objects granted to one role or different roles4. Future grants allow defining an initial set of privileges to grant on new (i.e. future) objects of a certain type in a database or a schema3. As soon as the new objects are created inside the database or schema, the predefined set of privileges are assigned to the object automatically without any manual intervention3.

Option B is the correct answer because it follows the steps described in the Snowflake documentation for sharing data from multiple databases using secure views. The data provider needs to grant the REFERENCE_USAGE privilege on each database that contains objects referenced by the secure view, and the USAGE privilege only on the database where the secure view is created. Option A is incorrect because it grants the USAGE privilege instead of the REFERENCE_USAGE privilege. Option C is incorrect because it grants the REFERENCE_USAGE privilege to a database role, which is not supported. Option D is incorrect because it grants the REFERENCE_USAGE privilege on the wrong database.

According to the Snowflake documentation1, a standard listing is a type of listing that provides free access to the full data product, with no payment required. A standard listing can be added and queried immediately by the consumer, as long as they accept the terms and conditions of the listing. A monetized listing is a type of listing that charges for access to the data product, using the pricing models offered by Snowflake. A monetized listing requires the consumer to provide payment information and agree to the billing terms before accessing the data product. A regional listing is not a type of listing, but a way to specify the regions where the listing is available. A personalized listing is a type of listing that provides limited trial access to the data product, with unlimited access to the full data product available upon request. A personalized listing requires the consumer to request access from the provider and wait for the provider to grant access before accessing the data product. Therefore, the only type of listing that can be added and queried immediately is the standard listing.

According to the Snowflake documentation1, the ORGADMIN role is a special system role that is responsible for managing operations at the organization level, such as creating and viewing accounts, enabling database replication, and setting global account parameters. The ACCOUNTADMIN role is a system role that is responsible for managing operations at the account level, such as creating and managing users, roles, warehouses, databases, and shares. Therefore, the commands that can be performed by the ORGADMIN role but not the ACCOUNTADMIN role are:

•SHOW ORGANIZATION ACCOUNTS: This command lists all the accounts in the organization and their properties, such as region, edition, and status2. The ACCOUNTADMIN role can only show the current account and its properties using the SHOW ACCOUNTS command3.

•SELECT SYSTEM$GLOBAL_ACCOUNT_SET_PARAMETER: This function sets a global account parameter for an account in the organization, such as enabling account database replication4. The ACCOUNTADMIN role can only set local account parameters using the ALTER ACCOUNT command.

Option A is incorrect because the SHOW REGIONS command can be executed by any role, not just the ORGADMIN role. Option B is incorrect because the SHOW USERS command can be executed by the ACCOUNTADMIN role, as well as any role that has been granted the MONITOR privilege on the account. Option D is incorrect because the GRANT ROLE ORGADMIN TO USER command can be executed by the ACCOUNTADMIN role, as well as any role that has been granted the ORGADMIN role1.

According to the Snowflake documentation1, creating a user with a default role does not automatically grant that role to the user. The user must be explicitly granted the role by the role owner or a higher-level role. Therefore, the USERADMIN role, which created the DEVELOPER_ROLE, needs to explicitly grant the DEVELOPER_ROLE to the new user PTORRES using the GRANT ROLE command. Otherwise, the user PTORRES will not be able to use the DEVELOPER_ROLE and will see the default role of PUBLIC in the web UI. Option A is incorrect because the DEVELOPER_ROLE does not need to be granted to SYSADMIN before user PTORRES can use the role. Option B is incorrect because the new role can take effect immediately after it is created and granted to the user, and does not depend on the USERADMIN role logging out. Option D is incorrect because the new role will not be affected by the identity provider synchronization, as it is created and managed in Snowflake.

According to the Snowflake documentation1, when an object in a schema is cloned, any future grants defined for this object type in the schema are applied to the cloned object unless the COPY GRANTS option is specified in the CREATE statement for the clone operation. However, some objects may still reference the source object or external objects after cloning, which may cause issues with access or functionality. These objects include:

•Sequences: If a table column references a sequence that generates default values, the cloned table may reference the source or cloned sequence, depending on where the sequence is defined. To avoid conflicts, the sequence reference should be re-pointed to the desired sequence using the ALTER TABLE command2.

•Storage integrations: If a stage or a table references a storage integration, the cloned object may still reference the source storage integration, which may not be accessible or valid in the new environment. To avoid errors, the storage integration reference should be re-pointed to the desired storage integration using the ALTER STAGE or ALTER TABLE command34.

•Views, secure views, and materialized views: If a view references another view or table, the cloned view may still reference the source object, which may not be accessible or valid in the new environment. To avoid errors, the view reference should be re-pointed to the desired object using the CREATE OR REPLACE VIEW command5.

1: Cloning Considerations | Snowflake Documentation 2: [ALTER TABLE | Snowflake Documentation] 3: [ALTER STAGE | Snowflake Documentation] 4: [ALTER TABLE | Snowflake Documentation] 5: [CREATE VIEW | Snowflake Documentation]

According to the GRANT OWNERSHIP documentation, the ownership privilege grants full control over the table and can only be held by one role at a time. However, the current owner can also grant the ownership privilege to another role, which transfers the ownership to the new role. In this case, the SECURITYADMIN role granted the ownership privilege on future tables in the PROD.WORKING schema to the PROD_WORKING_OWNER role. This means that any table created in that schema after the grant statement will be owned by the PROD_WORKING_OWNER role. Therefore, the PROD_WORKING_OWNER role can alter or drop table XYZ, which was created by the ACCOUNTADMIN role in the PROD.WORKING schema. Additionally, the ACCOUNTADMIN role can also alter or drop table XYZ, because it is the top-level role that has all privileges on all objects in the account. Furthermore, the SYSADMIN role can also alter or drop table XYZ, because it was granted the PROD_WORKING_OWNER role by the SECURITYADMIN role. The SYSADMIN role can activate the PROD_WORKING_OWNER role and inherit its privileges, including the ownership privilege on table XYZ. The SECURITYADMIN role cannot alter or drop table XYZ, because it does not have the ownership privilege on the table, nor does it have the PROD_WORKING_OWNER role.

According to the Snowflake documentation1, a multi-cluster warehouse is a virtual warehouse that consists of multiple clusters of compute resources that can scale up or down automatically to handle the concurrency and performance needs of the queries submitted to the warehouse. A multi-cluster warehouse has a minimum and maximum number of clusters that can be specified by the administrator. Option B is the most efficient way to support the group of users, as it allows the administrator to create a multi-cluster warehouse with MIN_CLUSTERS set to 2, which means that the warehouse will always have two clusters running to handle the standard workload. The warehouse can also auto-scale up to the maximum number of clusters (which can be set according to the peak workload) when there is a spike in demand, and then scale down when the demand decreases. The warehouse can also auto-resume and auto-suspend, which means that the warehouse will automatically start when a query is submitted and automatically stop after a period of inactivity. The administrator can also give USAGE privileges to the ANALYST role, which means that the users can use the warehouse to execute queries and load data, but not modify or operate the warehouse. Option A is not efficient, as it requires the users to manually start and stop the warehouse, and increase the number of clusters as needed, which can be time-consuming and error-prone. Option C is not efficient, as it creates a standard X-Large warehouse, which is equivalent to four small clusters, which may be more than needed for the standard workload, and may not be enough for the peak workload. Option D is not efficient, as it creates four virtual warehouses of different sizes, which can be confusing and cumbersome for the users to select the appropriate warehouse based on how many queries are being run, and may also result in wasted resources and costs.

According to the Snowflake documentation1, breaking changes are changes that affect the schema or structure of the shared data, such as dropping or renaming a column or a table. These changes may cause errors or unexpected results for the consumers who query the shared data. Deleting data from a table, unpublishing the data listing, or adding region availability to the listing are not breaking changes, as they do not alter the schema or structure of the shared data.

1: Managing Data Listings in Snowflake Data Marketplace | Snowflake Documentation

Option B is the correct SQL command to create a resource monitor that meets the requirements. It sets the credit quota to 3000, the frequency to yearly, the start timestamp to January 1, 2022, and the triggers to notify and suspend the warehouse at the specified thresholds. Option A is incorrect because it does not specify the frequency. Option C is incorrect because it does not specify the frequency and it uses notify and suspend instead of suspend and suspend_immediate. Option D is incorrect because it does not specify the start timestamp. For more information about resource monitors, see Working with Resource Monitors and CREATE RESOURCE MONITOR.

This code snippet will create a row access policy that returns true if the current role is ALL_ACCESS_ROLE or if the current role matches the region value in the entitlement_table. This means that the ALL_ACCESS_ROLE can see all rows regardless of region, while the other roles can only see rows for their own regions. According to the Snowflake documentation, the CURRENT_ROLE context function returns the name of the current role for the session. The EXISTS function returns true if the subquery returns any rows. The OR operator returns true if either operand is true. Therefore, this code snippet satisfies the requirements of the question.

Snowflake charges for database replication based on two categories: data transfer and compute resources1. Data transfer costs depend on the amount of data that is transferred from the primary database to the secondary database across regions and/or cloud service providers2. Compute resource costs depend on the use of Snowflake-provided compute resources to copy data between accounts across regions1. Both data transfer and compute resource costs are proportional to the frequency and amount of changes to the primary database as a result of data loading or DML operations3. Therefore, the answer is A and B. The other options are not directly related to the replication billing, as the frequency of secondary database refreshes does not affect the amount of data transferred or copied4, and the number and size of warehouses defined in the primary account do not affect the replication process5.

The REFRESH DATABASE command is used to refresh a secondary database with the latest data and metadata from the primary database1. The command must be executed in the target account where the secondary database resides2. Therefore, the answer is A, as the location is AWS_WEST and the command is REFRESH DATABASE PROD_AWS_WEST REFRESH. The other options are incorrect because they either use the wrong location, the wrong command, or the wrong database name.