snoad
rolegrants non functioning
On line #221 you have flattened the rolegrants to only contain users; on line #288 you attempt to read from $CurrentSnowflakeGrants where granted_to -eq ROLE.
With this configuration,

```powershell
$currentRoleGranteeRoles = $currentSnowflakeRoleGrants | Where-Object {$_.role -eq $roleName -and $_.granted_to -eq 'ROLE'} | %{$_.grantee_name}
```

will always return empty.
I haven't tested the script yet, but it seems you are right @jparodi. Although it seems like this has been used in production for a long time by several people. Any chance you remember if you came to any conclusion about this?
Sorry all, for some reason I didn't notice this issue appear back in 2020.
Looking over the code, @jparodi is correct - there's a whole section of ineffective code.
I think the impact here would be that for nested AD groups, the script would continue to grant roles to other roles even if they already exist (not a problem), and if a nested group were removed in AD it wouldn't reflect correctly in Snowflake (this is a problem).
My guess as to why this has never been noticed, is I doubt many people use a lot of nested groups.
I also wonder, now that Microsoft have come to the party with User Provisioning for Azure AD, whether this script may finally not be needed?
Currently I don't belong to an AD environment, so it's tricky for me to fix the issue and comment on the new Microsoft feature.
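The filtering bug from the issue body and the missing role-to-role diff from the maintainer's reply, as an added example that is not the snoad script's own code. It runs on a constructed, in-memory stand-in for a SHOW GRANTS OF ROLE result (the `role`, `granted_to` and `grantee_name` property names follow the snippet quoted in the issue; the sample rows, the `$desiredRoleGrantees` list and the variable names are assumptions), so it touches neither Snowflake nor AD:

```powershell
# Added example, not code from the snoad project. Reproduces the filtering bug
# described in this issue and shows the role-to-role diff the script needs when
# ROLE grants are kept. Property names follow the issue's snippet; the rows,
# the desired-grantee list and the variable names are assumptions.

# Constructed sample of SHOW GRANTS OF ROLE output for two roles.
$currentSnowflakeRoleGrants = @(
    [pscustomobject]@{ role = 'ANALYST'; granted_to = 'USER'; grantee_name = 'ALICE' }
    [pscustomobject]@{ role = 'ANALYST'; granted_to = 'USER'; grantee_name = 'BOB' }
    [pscustomobject]@{ role = 'ANALYST'; granted_to = 'ROLE'; grantee_name = 'FINANCE' }
    [pscustomobject]@{ role = 'ANALYST'; granted_to = 'ROLE'; grantee_name = 'LEGACY_TEAM' }
    [pscustomobject]@{ role = 'FINANCE'; granted_to = 'USER'; grantee_name = 'CAROL' }
)

$roleName = 'ANALYST'

# What the issue describes: the grant list is first flattened to USER grants...
$flattenedGrants = $currentSnowflakeRoleGrants | Where-Object { $_.granted_to -eq 'USER' }

# ...so a later lookup for ROLE grantees can never match, because no ROLE rows
# survived the flattening. $buggyRoleGrantees is always an empty array.
$buggyRoleGrantees = @($flattenedGrants |
    Where-Object { $_.role -eq $roleName -and $_.granted_to -eq 'ROLE' } |
    ForEach-Object { $_.grantee_name })
"Buggy lookup found $($buggyRoleGrantees.Count) role grantees for $roleName"

# Corrected: read ROLE grants from the unflattened list and diff them against
# what the nested AD groups say they should be. $desiredRoleGrantees is a
# constructed stand-in for the roles derived from nested group membership.
$desiredRoleGrantees = @('FINANCE', 'HR')

$currentRoleGranteeRoles = @($currentSnowflakeRoleGrants |
    Where-Object { $_.role -eq $roleName -and $_.granted_to -eq 'ROLE' } |
    ForEach-Object { $_.grantee_name })

# Roles that should inherit $roleName but do not yet, and roles that still
# inherit it although the nested group was removed in AD. The second set is
# the one the flattened version silently never computes.
$toGrant  = @($desiredRoleGrantees     | Where-Object { $currentRoleGranteeRoles -notcontains $_ })
$toRevoke = @($currentRoleGranteeRoles | Where-Object { $desiredRoleGrantees     -notcontains $_ })

# Emit the statements the sync would send (printed here, not executed).
foreach ($r in $toGrant)  { "GRANT ROLE $roleName TO ROLE $r" }
foreach ($r in $toRevoke) { "REVOKE ROLE $roleName FROM ROLE $r" }
```

The point to check when fixing the script is the revoke side: granting a role to a role that already holds it is harmless, as the maintainer notes, but a nested group removed in AD only gets revoked in Snowflake if `$currentRoleGranteeRoles` is built from the unflattened grant list.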