SnowPro Advanced: Administrator (ADA-C02) Guide (2026)

The SnowPro Advanced: Administrator Certification validates advanced knowledge of Snowflake account operations, security design, and cost optimization. It comprehensively tests features administrators use every day: network policies, RBAC, MFA/SSO, Resource Monitor, and ACCOUNT_USAGE views. This article walks through the exam overview, domains, and key study points for each topic.

Exam Overview

Item	Details
Questions	65 (single choice and multiple choice)
Duration	115 minutes
Passing score	750 / 1000
Exam fee	$375 USD
Prerequisite	Active SnowPro Core certification
Delivery	Pearson VUE (test center or online)
Validity	2 years
Recommended experience	2+ years of hands-on Snowflake administration

Exam Domains and Weights

Domain	Weight	Key Topics
1. Account & Security Management	30%	RBAC/DAC, network policies, MFA, SSO/SAML, SCIM, encryption
2. Performance & Monitoring	25%	Warehouse management, Resource Monitor, ACCOUNT_USAGE, Query Profile
3. Data Protection & Recovery	20%	Time Travel, Fail-safe, replication, failover
4. Cost Management	15%	Credit consumption analysis, storage cost, serverless cost, optimization strategies
5. Data Governance	10%	Tag-based masking, row access policies, object tags, data classification

Key Security Management Topics

RBAC (Role-Based Access Control)

Snowflake's access control combines RBAC (Role-Based Access Control) with DAC (Discretionary Access Control). The most important exam topics are role hierarchy design and how GRANT statements behave.

Default Role	Key Privileges	Manages
ACCOUNTADMIN	All privileges (SYSADMIN + SECURITYADMIN)	Entire account; creates Resource Monitors
SECURITYADMIN	MANAGE GRANTS privilege	Roles, users, and privilege management
SYSADMIN	CREATE DATABASE/WAREHOUSE	Databases, schemas, and warehouses
USERADMIN	CREATE USER/ROLE	Creating users and roles
PUBLIC	Basic access privileges	Automatically granted to every user

Best practice is to place custom roles under SYSADMIN. If a custom role is created outside of SYSADMIN's hierarchy, only ACCOUNTADMIN will be able to access objects owned by that role.

Network Policies

Composed of ALLOWED_IP_LIST (allowlist) and BLOCKED_IP_LIST (blocklist)
Can be applied at the account level or user level (user level takes precedence)
Use BLOCKED_IP_LIST to exclude specific IPs from within ALLOWED_IP_LIST
If a misconfigured network policy locks you out, you must contact Snowflake Support

MFA and SSO/SAML Integration

MFA is built on Duo Security and is enabled per user
Enabling MFA for every user holding the ACCOUNTADMIN role is strongly recommended
SSO/SAML can integrate with IdPs such as Azure AD, Okta, and PingFederate
SCIM automates user and role provisioning from the IdP

Resource Monitoring

Resource Monitor

Setting	Description
CREDIT_QUOTA	Maximum credit consumption within the monitoring period
FREQUENCY	DAILY / WEEKLY / MONTHLY / YEARLY / NEVER
START_TIMESTAMP	When monitoring begins
TRIGGERS (NOTIFY)	Notify account administrators when the threshold is reached
TRIGGERS (SUSPEND)	Suspend the warehouse after running queries finish when the threshold is reached
TRIGGERS (SUSPEND_IMMEDIATELY)	Cancel running queries and suspend the warehouse immediately when the threshold is reached

ACCOUNT_USAGE Schema

The snowflake.account_usage schema contains views for analyzing account usage.

WAREHOUSE_METERING_HISTORY: Per-warehouse credit consumption history
STORAGE_USAGE: Daily storage usage (tables, Time Travel, Fail-safe)
LOGIN_HISTORY: User login success/failure history
QUERY_HISTORY: Query execution history for the past 365 days
ACCESS_HISTORY: Object access history (Enterprise Edition or higher)

ACCOUNT_USAGE views have a data latency of up to 45 minutes to 3 hours. When you need near-real-time information, use INFORMATION_SCHEMA instead (note that its retention is only 14 days).

Cost Management

Cost Component	Billing Unit	Optimization
Compute	Credits (warehouse size x runtime)	Shorten auto-suspend; right-size warehouses
Storage	TB/month (On-Demand or Capacity contract)	Tune Time Travel retention; remove unused data
Data transfer	Cross-region / cross-cloud transfer volume	Process within the same region; optimize replication
Serverless	Snowpipe, tasks, materialized views, etc.	Tune Snowpipe ingestion frequency
Cloud Services	Billed only above the 10% threshold	Avoid excessive SHOW/DESCRIBE calls

Data Governance

Dynamic Data Masking: Mask column values based on role (Enterprise Edition or higher)
Row Access Policies: Filter returned rows based on role and conditions
Object Tags: Attach tags to columns or tables and apply masking policies based on tags
Data Classification: Automatically detect PII (personal information) with the EXTRACT_SEMANTIC_CATEGORIES function

Study Strategy

The Administrator exam rewards real operations experience. Focus on these hands-on exercises:

Create a network policy and verify how IP restrictions behave
Apply a Resource Monitor to a warehouse and verify NOTIFY / SUSPEND action behavior
Write queries against ACCOUNT_USAGE views to analyze credit usage, login history, and query history
Design a custom role hierarchy and practice the best practice of placing it under SYSADMIN
Create a dynamic data masking policy and confirm how the displayed value differs by role

Check Your Understanding

SnowPro Advanced: Administrator

問題 1

In Snowflake, you want to allow access only from a specific IP range while excluding some IPs within that range. How should the network policy be configured?

Set the allowed CIDR range in ALLOWED_IP_LIST and the IPs to exclude in BLOCKED_IP_LIST
Setting the IPs to exclude only in BLOCKED_IP_LIST automatically allows every other IP
ALLOWED_IP_LIST and BLOCKED_IP_LIST cannot be used together, so create two separate policies
Network policies cannot exclude IPs, so handle it at the firewall

正解: A

Define the allowed range with ALLOWED_IP_LIST and specify the IPs to exclude with BLOCKED_IP_LIST. BLOCKED_IP_LIST functions as a subset of ALLOWED_IP_LIST. When only ALLOWED_IP_LIST is set, every IP not in the list is blocked.

Frequently Asked Questions

Are SQL operation questions on the SnowPro Advanced Administrator exam?

Yes, administrative SQL commands are tested. Specifically, role and privilege management with GRANT/REVOKE, CREATE NETWORK POLICY, ALTER ACCOUNT, CREATE RESOURCE MONITOR, SHOW PARAMETERS, and ALTER USER SET/UNSET are all in scope. SELECT-based analytical queries are rare; most scenarios involve querying ACCOUNT_USAGE/INFORMATION_SCHEMA views to inspect resource consumption or login history.

How does the security domain differ between the Administrator and Core exams?

Core focuses on role hierarchies and basic GRANT behavior, while Administrator goes deeper into real operations: network policy design (CIDR ranges and policy precedence), SSO/SAML setup procedures, SCIM provisioning, column-level and row-level security, Tri-Secret Secure, and key rotation policies.

At what granularity can Resource Monitors be set, and how are they tested?

Resource Monitors can be configured at the account level or for individual warehouses. You combine a credit quota, a frequency (DAILY/WEEKLY/MONTHLY/YEARLY/NEVER), and threshold actions (NOTIFY/SUSPEND/SUSPEND_IMMEDIATELY). Typical exam scenarios are like "suspend the warehouse if monthly usage exceeds 100 credits" — you pick the correct configuration. The fact that only the ACCOUNTADMIN role can create Resource Monitors comes up frequently.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる

Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.

SnowPro Advanced: Administrator Complete Guide — Operations & Security