# Admin Guide

The governance surface: the small group of domain admins who create users, assign roles, and grant privileges. Because the warehouse holds PHI, every grant is auditable and reproducible — managed as code through the `ndp-account-request` repo.

## Current domain admins

Five human users hold `NDP_RWD_DOMAIN_ADMIN_ROLE` in PROD: Matthew Porter, Rob Borkowski, David Lieman, Andrew Mundy, and Matt Welsh.

> **Access stewards**
>
> Rob Borkowski and Matthew Porter are the documented access stewards, responsible for governance and drift detection. Rosters drift — the RBAC YAML is the source of truth for current membership.

## Two systems manage access

Snowflake access is split across two configuration layers, both stored in the `ndp-account-request` GitLab repo:

| Layer | Purpose | Source path |
| --- | --- | --- |
| Terraform (infrastructure as code) | Creates Snowflake users, warehouses, databases, and roles. | `accounts/rwd/{env}/teams/rwd/users.json` |
| RBAC YAML (application grants) | Assigns users to roles; grants schema and table privileges. | `access_control/rbac_sheets/rwd/{env}/rwd/rwd.yml` |

## Source of truth

- Repo: `eng/informatics/dxp/ndp-account-request`
- Terraform users: `accounts/rwd/{development,preproduction,production}/teams/rwd/users.json`
- RBAC YAML: `access_control/rbac_sheets/rwd/{env}/rwd/rwd.yml`
- RBAC engine: `access_control/rbac_utils/main.py`

For the step-by-step onboarding workflow, see **How to Grant Access**. For the role hierarchy and permissions matrix, see **Snowflake Role Reference**.
