Pass the Snowflake SnowPro Advanced: Administrator ADA-C01 Questions and answers with ValidTests

The MINS_TO_BYPASS_MFA property allows the account administrator to temporarily disable MFA for a user who has lost their phone or changed their phone number1. The user can log in without MFA for the specified number of minutes, and then re-enroll in MFA using their new phone1. This does not revoke their MFA enrollment, unlike the DISABLE_MFA property, which cancels their enrollment and requires them to re-enroll from scratch1. The other options are not valid ways to bypass MFA, as SnowSQL does support MFA authentication2, and there is no such URL parameter as /?mode=mfa_bypass&code= for Snowflake3

To enablefederated authentication(akaSSO via SAML 2.0) in Snowflake, the integration with anIdentity Provider (IdP)must be configured. This setup involves configuringexternal authentication via SAML, and Snowflake needs specific information from the IdP.

????Required Information from IdP:

URL Endpoint for SAML Requests (B)

This is often referred to as theSSO URLorSAML 2.0 Endpoint (HTTP).

It's the URL that Snowflake redirects users to for authentication.

In Snowflake's SAML configuration, this is required as the SAML2_ISSUER or SAML2_SSO_URL.

Authentication Certificate (D)

This is theX.509 certificateissued by the IdP.

It's used by Snowflake tovalidate the digital signatureof the SAML assertions sent by the IdP.

It ensures that the SAML response is authentic and not tampered with.

❌Why Other Options Are Incorrect:

A. IdP account details

Not needed. Snowflake doesn’t require credentials or internal details from the IdP. It relies onassertionssent via SAML, not stored accounts.

C. SAML response format

Snowflake adheres toSAML 2.0 standard, and expects a compliant format. There's no need to specify format explicitly — it’s part of the standard protocol.

E. IdP encryption key

Not required by Snowflake. Snowflake verifies SAML assertions viasignature validation, not encryption using the IdP’s private key.

????SnowPro Administrator References:

Snowflake Documentation — Federated Authentication Setup

https://docs.snowflake.com/en/user-guide/security-fed-auth-use

https://docs.snowflake.com/en/user-guide/security-fed-auth-config

Required IdP Metadata for Snowflake SAML Configuration:

SAML2_SSO_URL: SAML 2.0 POST binding endpoint

SAML2_X509_CERT: Public cert used to validate IdP signatures

Option B is the correct answer because it follows the steps described in the Snowflake documentation for sharing data from multiple databases using secure views. The data provider needs to grant the REFERENCE_USAGE privilege on each database that contains objects referenced by the secure view, and the USAGE privilege only on the database where the secure view is created. Option A is incorrect because it grants the USAGE privilege instead of the REFERENCE_USAGE privilege. Option C is incorrect because it grants the REFERENCE_USAGE privilege to a database role, which is not supported. Option D is incorrectbecause it grants the REFERENCE_USAGE privilege on the wrong database.

Option C creates a network policy that allows only the IP address 192.168.1.100 and blocks all other IP addresses using the CIDR notation 0.0.0.0/01. It then applies the network policy to the user ABC, who has the ACCOUNTADMIN role. This ensures that only this user can access the Snowflake account from the specified IP address, while blocking their access from anywhere else. Option A does not block any other IP addresses, option B applies the network policy to the role instead of the user, and option D uses an invalid CIDR notation.

According to the CREATE ACCOUNT documentation, the account name must be specified when the account is created, and it must be unique within an organization, regardless of which Snowflake Region the account is in. The other options are incorrect because:

•The account does not require at least one ORGADMIN role within one of the organization’s accounts. The account can be created by an organization administrator (i.e. a user with the ORGADMIN role) through the web interface or using SQL, but the new account does not inherit the ORGADMIN role from the existing account. The new account will have its own set of users, roles, databases, and warehouses.

•The account name is not immutable and can be changed. The account name can be modified by contacting Snowflake Support and requesting a name change. However, changing the account name may affect some features that depend on the account name, such as SSO or SCIM.

•The account name does not need to be unique among all Snowflake customers. The account name only needs to be unique within the organization, as the account URL also includes the region and cloud platform information. For example, two accounts with the same name can exist in different regions or cloud platforms, such as myaccount.us-east-1.snowflakecomputing.com and myaccount.eu-west-1.aws.snowflakecomputing.com.

According to the Replication considerations documentation, the Time Travel retention period for a secondary database can be different from the primary database. The retention period can be set at the database, schema, or table level using the DATA_RETENTION_TIME_IN_DAYS parameter. Therefore, to extend the Time Travel retention policy to 60 days on the secondary database only, the best option is to set the data retention policy on the secondary database to 60 days using the ALTER DATABASE command. The other options are incorrect because:

•B. Setting the data retention policy on the schemas in the secondary database to 60 days will not affect the database-level retention period, which will remain at 30 days. The most specific setting overrides the more general ones, so the schema-level setting will apply to the tables in the schema, but not to the database itself.

•C. Setting the data retention policy on the primary database to 30 days and the schemas to 60 days will not affect the secondary database, which will have its own retention period. The replication process does not copy the retention period settings from the primary to the secondary database, so they can be configured independently.

•D. Setting the data retention policy on the primary database to 60 days will not affect the secondary database, which will have its own retention period. The replication process does not copy the retention period settings from the primary to the secondary database, so they can be configured independently.

According to the Snowflake documentation1, breaking changes are changes that affect the schema or structure of the shared data, such as dropping or renaming a column or a table. These changes may cause errors or unexpected results for the consumers who query the shared data. Deleting data from a table, unpublishing the data listing, or adding region availability to the listing are not breaking changes, as they do not alter the schema or structure of the shared data.

1: Managing Data Listings in Snowflake Data Marketplace | Snowflake Documentation

According to the Snowflake documentation1, Snowflake uses a multi-version concurrency control (MVCC) model, which means that each transaction operates on a consistent snapshot of the database at a point in time. This allows queries and DML statements to run concurrently without blocking each other, as they do not modify the same data. Therefore, a deadlock, which occurs when concurrent transactions are waiting on resources that are locked by each other, cannot happen in Snowflake. Option B is incorrect because queries and DML statements do not block each other in Snowflake, unless they are explicitly started transactions and multiple statements in each transaction2. Option C is incorrect because transaction locking in Snowflake is enforced at the partition level, not the row or table level3. Option D is incorrect because queries executed within a given transaction do not see that transaction’s uncommitted changes, but only the committed changes that occurred before the transaction started1.

According to the Network Policies documentation, a network policy can be applied to an account, a security integration, or a user. If there are network policies applied to more than one of these, the most specific network policy overrides more general network policies. The following summarizes the order of precedence:

•Account: Network policies applied to an account are the most general network policies. They are overridden by network policies applied to a security integration or user.

•Security Integration: Network policies applied to a security integration override network policies applied to the account, but are overridden by a network policy applied to a user.

•User: Network policies applied to a user are the most specific network policies. They override both accounts and security integrations.

Therefore, if both the account_level and user_level network policies are defined, the user_level policy will take effect and the account_level policy will be ignored. The other options are incorrect because:

•The account_level policy will not override the user_level policy, as explained above.

•The user_level network policies will be supported, as they are part of the network policy feature.

•A network policy error will not be generated, as there is no conflict between the account_level and user_level network policies.