Strategy One

Grant Billing Access in Databricks and Snowflake: Best Practices

Databricks

Usage & Billing Access

Databricks system tables are account-scoped. A single Databricks service principal covers all workspaces within the account.

Prerequisites

  1. Enable system tables: system.billing.usage and system.query.history are disabled by default. Enable them in the Databricks Account Console under Settings and System tables before any grants take effect.

  2. Account-level Service Principal: The service principal must be created in the Databricks Account Console (not just the workspace) and then assigned to the target workspace.

Grants

Unity Catalog requires USE CATALOG permissions before USE SCHEMA privileges can be applied. All three hierarchical levels must be explicitly granted.

-- Catalog access (required before schema grants will work)
GRANT USE CATALOG ON CATALOG system TO mosaic_sentinel_svc;

-- Billing tables
GRANT USE SCHEMA ON SCHEMA system.billing TO mosaic_sentinel_svc;
GRANT SELECT ON TABLE system.billing.usage TO mosaic_sentinel_svc;

-- Query history tables
GRANT USE SCHEMA ON SCHEMA system.query TO mosaic_sentinel_svc;
GRANT SELECT ON TABLE system.query.history TO mosaic_sentinel_svc;

system.query.history is a Public Preview feature and must be enabled per workspace in addition to the account-level system table toggle.

Snowflake

Usage and Billing Access

Snowflake metadata views are account-scoped. A single service user can be used to cover all databases and warehouses within the account.

Prerequisites

  1. Edition Requirement: Enterprise Edition or higher is required. The QUERY_ATTRIBUTION_HISTORY view is only available on Enterprise and above. Verify the Snowflake edition before onboarding.

  2. Role Setup: A dedicated custom role (for example, sentinel_cost_role) must exist and be assigned to your Snowflake service user (mosaic_sentinel_svc) before proceeding with grants.

Grants

Snowflake-managed database roles allow least-privilege access to specific subsets of the ACCOUNT_USAGE schema, giving a narrower blast radius than granting full database-level privileges.

-- Grant fine-grained database roles (Snowflake-managed, least-privilege)
-- USAGE_VIEWER: Covers QUERY_ATTRIBUTION_HISTORY and billing views
GRANT DATABASE ROLE SNOWFLAKE.USAGE_VIEWER TO ROLE sentinel_cost_role;

-- GOVERNANCE_VIEWER: Covers QUERY_HISTORY and governance views
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE sentinel_cost_role;

-- Assign the custom role to the service user
GRANT ROLE sentinel_cost_role TO USER mosaic_sentinel_svc;

-- Grant warehouse usage for query execution
GRANT USAGE ON WAREHOUSE <sentinel_warehouse> TO ROLE sentinel_cost_role;

The Snowflake-managed database roles are highly restricted. They are significantly safer than granting IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE, which exposes all account views. This targeted approach is preferred for new onboardings.
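To confirm that the Databricks and Snowflake grants above landed exactly as intended and that nothing broader slipped in, the verification queries below are an added example (not part of the original page); the Databricks part and the Snowflake part run in their own consoles, and sentinel_wh is a constructed placeholder for <sentinel_warehouse>.

```sql
-- ===== Databricks: run in a SQL warehouse as a metastore admin =====
-- Each listing should show only the privilege granted above (USE CATALOG,
-- USE SCHEMA, SELECT); anything broader such as ALL PRIVILEGES or MODIFY
-- is a finding to revoke.
SHOW GRANTS mosaic_sentinel_svc ON CATALOG system;
SHOW GRANTS mosaic_sentinel_svc ON SCHEMA system.billing;
SHOW GRANTS mosaic_sentinel_svc ON TABLE system.billing.usage;
SHOW GRANTS mosaic_sentinel_svc ON SCHEMA system.query;
SHOW GRANTS mosaic_sentinel_svc ON TABLE system.query.history;

-- Smoke test: with system tables enabled and grants in place, the service
-- principal should be able to read both tables (run as that principal).
SELECT MAX(usage_date) AS latest_usage_day FROM system.billing.usage;
SELECT COUNT(*) AS recent_queries
FROM system.query.history
WHERE start_time >= CURRENT_TIMESTAMP() - INTERVAL 1 DAY;

-- ===== Snowflake: run as ACCOUNTADMIN =====
-- 1. Direct grants on the role: expect exactly the two DATABASE ROLEs and
--    USAGE on the warehouse, nothing else.
SHOW GRANTS TO ROLE sentinel_cost_role;

-- 2. Detect the over-broad pattern the page warns against: any live grant of
--    IMPORTED PRIVILEGES on the SNOWFLAKE database. sentinel_cost_role must
--    not appear; review every other role that does.
SELECT grantee_name, privilege, name AS database_name, created_on
FROM snowflake.account_usage.grants_to_roles
WHERE granted_on = 'DATABASE'
  AND name = 'SNOWFLAKE'
  AND privilege = 'IMPORTED PRIVILEGES'
  AND deleted_on IS NULL
ORDER BY grantee_name;

-- 3. The service user should hold only the custom role.
SHOW GRANTS TO USER mosaic_sentinel_svc;

-- 4. Smoke test as the service role itself: the Enterprise-only attribution
--    view must be readable through USAGE_VIEWER.
USE ROLE sentinel_cost_role;
USE WAREHOUSE sentinel_wh;   -- constructed placeholder for <sentinel_warehouse>
SELECT COUNT(*) AS recent_attributed_queries
FROM snowflake.account_usage.query_attribution_history
WHERE start_time >= DATEADD('day', -1, CURRENT_TIMESTAMP());
```

Note that ACCOUNT_USAGE views lag live grants by up to a couple of hours, so rerun step 2 after that window when checking a grant made moments ago.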