Snowflake

Snowflake Organizations & Accounts Design: Multi-Account Strategy Guide

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

A Snowflake Organization is the top-level management unit that logically groups multiple Accounts. By placing accounts under a single Organization, separated by use case, environment, or region, you achieve unified governance and billing management. The ORGADMIN role is responsible for Organization-level administrative operations.

Organization / Account Hierarchy

The Snowflake resource hierarchy, from top to bottom, is Organization → Account → Database → Schema → Table / View / UDF / .... The Organization is the unit for billing and governance, and each Account has its own independent compute, storage, users, and role system.

  • Organization: The unit for billing, contracts, and account management. Administered by the ORGADMIN role
  • Account: An independent Snowflake environment. ACCOUNTADMIN is the top-level role. Edition / Cloud / Region can be configured per account
  • Data sharing between accounts is achieved with Secure Data Sharing or Database Replication

The ORGADMIN Role and Its Privileges

ORGADMIN is the Organization-level administrative role and can perform the following operations:

  • CREATE ACCOUNT: create new accounts
  • SHOW ORGANIZATION ACCOUNTS: list all accounts
  • ALTER ACCOUNT: modify accounts (rename, drop)
  • Query the ORGANIZATION_USAGE schema (cost monitoring)
  • Global settings for Database Replication
-- Use the ORGADMIN role
USE ROLE ORGADMIN;

-- List all accounts in the Organization
SHOW ORGANIZATION ACCOUNTS;

-- Details for specific accounts
SHOW ORGANIZATION ACCOUNTS LIKE 'PROD_%';

CREATE ACCOUNT Syntax

Run CREATE ACCOUNT under the ORGADMIN role to create a new account. You specify the admin user, edition, and region.

-- Create a production account
USE ROLE ORGADMIN;
CREATE ACCOUNT prod_analytics
  ADMIN_NAME = 'admin_user'
  ADMIN_PASSWORD = '********'
  ADMIN_RSA_PUBLIC_KEY = 'MIIBIjANBgkqh...'
  EMAIL = '[email protected]'
  EDITION = 'ENTERPRISE'
  REGION = 'AWS_AP_NORTHEAST_1'
  COMMENT = 'Analytics team production environment';

-- Create a dev account (Standard Edition to control cost)
CREATE ACCOUNT dev_sandbox
  ADMIN_NAME = 'dev_admin'
  ADMIN_PASSWORD = '********'
  EMAIL = '[email protected]'
  EDITION = 'STANDARD'
  REGION = 'AWS_AP_NORTHEAST_1'
  COMMENT = 'Sandbox for development and validation';

-- Rename an account
ALTER ACCOUNT dev_sandbox RENAME TO dev_analytics;

-- Drop an account (non-recoverable; 25-day grace period applies)
ALTER ACCOUNT dev_analytics DROP;

Multi-Account Design Patterns

Design the granularity of account separation based on the size and requirements of the organization.

PatternSeparation CriterionExample AccountsBenefitsDrawbacks
Environment separationDev / Staging / Proddev, staging, prodPrevents accidental access to production data. Pairs well with CI/CD pipelinesRequires Replication or Data Sharing to move data between environments
Business unit separationDivision / Teammarketing, engineering, financeClear cost allocation per business unit; independent permission managementRequires deliberate Data Sharing design for cross-unit data exchange
Region separationGeographic regionus_east, eu_west, ap_northeastMeets data residency requirements (e.g., GDPR); optimizes latencyDatabase Replication costs are incurred for cross-region synchronization
HybridCombination of environment x business unitprod_marketing, dev_engineeringThe finest-grained isolation and controlThe number of accounts grows quickly, increasing operational overhead

Account-Level Parameter Settings

-- Initial configuration after account creation (run as each account's ACCOUNTADMIN)
USE ROLE ACCOUNTADMIN;

-- Configure a network policy (IP restrictions)
CREATE NETWORK POLICY corp_network_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  BLOCKED_IP_LIST = ()
  COMMENT = 'Allow access only from the corporate network';
ALTER ACCOUNT SET NETWORK_POLICY = corp_network_policy;

-- Configure session timeouts
ALTER ACCOUNT SET
  STATEMENT_TIMEOUT_IN_SECONDS = 3600
  STATEMENT_QUEUED_TIMEOUT_IN_SECONDS = 600;

-- Create a Resource Monitor
CREATE RESOURCE MONITOR monthly_monitor
  WITH CREDIT_QUOTA = 5000
  FREQUENCY = MONTHLY
  START_TIMESTAMP = IMMEDIATELY
  TRIGGERS
    ON 80 PERCENT DO NOTIFY
    ON 100 PERCENT DO SUSPEND;
ALTER ACCOUNT SET RESOURCE_MONITOR = monthly_monitor;

Data Exchange Between Accounts

-- Secure Data Sharing (provider side)
USE ROLE ACCOUNTADMIN;
CREATE SHARE analytics_share;
GRANT USAGE ON DATABASE analytics TO SHARE analytics_share;
GRANT USAGE ON SCHEMA analytics.public TO SHARE analytics_share;
GRANT SELECT ON TABLE analytics.public.kpi_summary
  TO SHARE analytics_share;
ALTER SHARE analytics_share ADD ACCOUNTS = prod_marketing;

-- Data Sharing (consumer side)
USE ROLE ACCOUNTADMIN;
CREATE DATABASE shared_analytics
  FROM SHARE provider_org.prod_analytics.analytics_share;
GRANT IMPORTED PRIVILEGES ON DATABASE shared_analytics
  TO ROLE analyst_role;

-- Database Replication (cross-region synchronization)
-- Primary side
ALTER DATABASE analytics ENABLE REPLICATION
  TO ACCOUNTS prod_eu_west;
-- Secondary side (run on prod_eu_west)
CREATE DATABASE analytics AS REPLICA OF
  prod_analytics.analytics;

Cross-Organization Governance

  • Listings (Marketplace): Use private listings across accounts within an Organization to catalog data
  • SCIM integration: Configure SCIM Integration (Azure AD / Okta) in each account to auto-provision users and groups
  • Connection: Manage Client Redirect connection URLs at the Organization level and switch the connection target automatically during failover

Key Points for the Exam

  • CREATE ACCOUNT can only be executed by the ORGADMIN role
  • Each account can have an independent Edition / Cloud / Region
  • Secure Data Sharing is the most efficient way to share data between accounts in the same Organization
  • ORGADMIN is purely an Organization-administration role; it cannot directly access data inside an account
  • Benefits and drawbacks of the environment, business-unit, and region separation patterns

Check Your Understanding with a Question

SnowPro

問題 1

A global company must keep EU data inside the EU region to comply with GDPR, while still providing aggregated results to an analyst team in Japan. Which architecture is most appropriate?

  1. Create a single account in the EU region and let Japanese analysts access it over VPN
  2. Create separate accounts in the EU region and the Tokyo region, and synchronize only the aggregated tables via Database Replication
  3. Create a single account in the Tokyo region and periodically transfer EU data with COPY INTO
  4. Use Secure Data Sharing from the EU account to share data with the Tokyo account (cross-region sharing)

正解: B

GDPR requires raw EU data to remain inside the EU region. The best fit is to use Database Replication to synchronize only aggregated results (containing no personal data) to the Tokyo account. Moving data with COPY INTO transfers raw data and risks GDPR violation. Cross-region Secure Data Sharing is also an option, but Replication gives finer control when you only need to synchronize selected aggregated tables.

Frequently Asked Questions

Does the ORGADMIN role exist in an account by default?

No. The ORGADMIN role is disabled when an account is created. An ACCOUNTADMIN in one of the accounts within the Organization must either request Snowflake Support or enable ORGADMIN via the Snowsight admin UI. Once enabled, you can run USE ROLE ORGADMIN in that account to perform Organization-level operations such as CREATE ACCOUNT and SHOW ORGANIZATION ACCOUNTS.

How is billing handled for accounts created with CREATE ACCOUNT?

Accounts created with CREATE ACCOUNT automatically belong to the Organization, and billing is tied to the Organization's contract. With a Capacity contract, usage is drawn from the same credit pool; with an On-Demand contract, all charges are consolidated under the same billing entity. You can specify the Edition (Standard / Enterprise / Business Critical) per account, but unit prices vary by Edition.

How do you share data between accounts in a multi-account setup?

Between accounts in the same Organization, Secure Data Sharing (direct share) is the most efficient option. Create a share with SHARE TO ACCOUNTS, then mount it on the consumer side with CREATE DATABASE FROM SHARE. Across different Organizations, use Snowflake Marketplace private listings or a data exchange. Within the same region and same Organization, no data transfer cost is incurred.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.