Snowflake ADA-C01 Exam - Topic 4 Question 43 Discussion

Actual exam question for Snowflake's ADA-C01 exam

Question #: 43
Topic #: 4

A Snowflake account is configured with SCIM provisioning for user accounts and has bi-directional synchronization for user identities. An Administrator with access to SECURITYADMIN uses the Snowflake UI to create a user by issuing the following commands:

use role USERADMIN;

create or replace role DEVELOPER_ROLE;

create user PTORRES PASSWORD = 'hello world!' MUST_CHANGE_PASSWORD = FALSE

default_role = DEVELOPER_ROLE;

The new user named PTORRES successfully logs in, but sees a default role of PUBLIC in the web UI. When attempted, the following command fails:

use DEVELOPER_ROLE;

Why does this command fail?

AThe DEVELOPER_ROLE needs to be granted to SYSADMIN before user PTORRES will be able to use the role.

BThe new role can only take effect after USERADMIN has logged out.

CUSERADMIN needs to explicitly grant the DEVELOPER_ROLE to the new USER.

DThe new role will only take effect once the identity provider has synchronized by way of SCIM with the Snowflake account.

Show Suggested Answer

Suggested Answer: C

According to the Snowflake documentation1, creating a user with a default role does not automatically grant that role to the user. The user must be explicitly granted the role by the role owner or a higher-level role. Therefore, the USERADMIN role, which created the DEVELOPER_ROLE, needs to explicitly grant the DEVELOPER_ROLE to the new user PTORRES using the GRANT ROLE command. Otherwise, the user PTORRES will not be able to use the DEVELOPER_ROLE and will see the default role of PUBLIC in the web UI. Option A is incorrect because the DEVELOPER_ROLE does not need to be granted to SYSADMIN before user PTORRES can use the role. Option B is incorrect because the new role can take effect immediately after it is created and granted to the user, and does not depend on the USERADMIN role logging out. Option D is incorrect because the new role will not be affected by the identity provider synchronization, as it is created and managed in Snowflake.

by Eric at Nov 19, 2025, 02:15 PM

Limited Time Offer

25%

Off

Get Premium ADA-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Ressie

1 month ago

C is definitely the best choice. Clear logic there.

upvoted 0 times

...

Vincent

2 months ago

B seems unlikely. USERADMIN is active, right?

upvoted 0 times

...

Bulah

2 months ago

I feel like D is a stretch. SCIM sync shouldn't matter here.

upvoted 0 times

...

Shonda

2 months ago

But what about A? SYSADMIN needs to be involved too.

upvoted 0 times

...

Alexis

2 months ago

Agreed, C makes sense. No grant, no access.

upvoted 0 times

...

Rosenda

2 months ago

I think it's C. USERADMIN must grant the role.

upvoted 0 times

...

Gene

2 months ago

D seems unlikely, SCIM sync shouldn't affect role assignment.

upvoted 0 times

...

Alana

3 months ago

Definitely not B, that's not how roles work.

upvoted 0 times

...

Glynda

3 months ago

The SCIM provisioning should have taken care of this, but I suppose the USERADMIN still needs to do the manual role grant. Tricky stuff!

upvoted 0 times

...

Reid

3 months ago

Haha, "hello world!" as the password? That's a classic. Gotta keep it simple, I guess.

upvoted 0 times

...

Julio

4 months ago

Hmm, I thought the role would automatically sync with the identity provider. Guess I was wrong!

upvoted 0 times

...

Margo

4 months ago

I agree with Amalia. The USERADMIN needs to grant the role to the user, otherwise it won't work.

upvoted 0 times

...

Amalia

4 months ago

The correct answer is C. The USERADMIN needs to explicitly grant the DEVELOPER_ROLE to the new user PTORRES.

upvoted 0 times

...

Socorro

4 months ago

I vaguely recall something about SCIM synchronization affecting role visibility, but I can't remember if that's relevant here. Maybe option D?

upvoted 0 times

...

Billye

4 months ago

I practiced a similar question where roles had to be granted before use, so I'm leaning towards option C as well.

upvoted 0 times

...

Percy

4 months ago

I'm not entirely sure, but I feel like the role might not take effect until the USERADMIN logs out, which could relate to option B.

upvoted 0 times

...

Roxane

5 months ago

I remember something about roles needing to be explicitly granted to users, so I think option C might be correct.

upvoted 0 times

...

Lera

5 months ago

Ah, I see. The question is asking why the "use DEVELOPER_ROLE" command is failing. Based on the options, it seems like the DEVELOPER_ROLE needs to be explicitly granted to the user.

upvoted 0 times

...

Kayleigh

5 months ago

Alright, let's break this down step-by-step. The user was created, but the default role is still PUBLIC. I'm thinking it might have something to do with the role permissions or the synchronization process.

upvoted 0 times

...

Tammara

5 months ago

I thought the role would just apply automatically.

upvoted 0 times

...

Ammie

6 months ago

C is the right answer. The role needs to be granted to the user.

upvoted 0 times

...

Gary

6 months ago

A bit surprised that the role doesn't take effect immediately.

upvoted 0 times

...

Cordie

6 months ago

Yep, I'm leaning towards option C. The USERADMIN needs to grant the DEVELOPER_ROLE to the new user, PTORRES, for it to take effect. The other options don't seem to fully explain the issue.

upvoted 0 times

...

Estrella

6 months ago

Okay, let me see here. The question mentions SCIM provisioning and bi-directional synchronization, so I'm guessing the identity provider might be the key to understanding what's going on.

upvoted 0 times

...

Jose

6 months ago

Hmm, this looks like a tricky one. I'll need to carefully read through the question and think about the different scenarios that could be causing the issue.

upvoted 0 times