A production debugging story about a subtle Snowflake OAuth failure affecting SCIM-provisioned users. When rolling out a Snowflake-managed MCP Server with per-user OAuth authentication, roughly a third of users received a misleading 'role does not exist or not authorized' error despite the role being fully granted. After three hours of investigation, the root cause was an undocumented Snowflake OAuth validation: the target session role's ownership chain must trace back through the standard RBAC hierarchy (SECURITYADMIN/SYSADMIN/USERADMIN). Roles created by Okta's SCIM provisioner are owned by OKTA_PROVISIONER, which sits outside this hierarchy, causing OAuth to silently reject them while Snowsight and other connectors continued working fine. The fix is transferring role ownership to SECURITYADMIN using COPY CURRENT GRANTS, then re-granting the role to the SCIM provisioner WITH GRANT OPTION so provisioning continues uninterrupted.
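The remediation the post describes, written out as Snowflake SQL (an added example, not code from the original post): find roles whose ownership sits outside the standard hierarchy, move ownership to SECURITYADMIN while preserving existing grants, and hand the role back to the SCIM provisioner. `OKTA_PROVISIONER` comes from the post; `SCIM_ENGINEERING` is a constructed placeholder role name, and the `WITH GRANT OPTION` clause is taken from the post's description of the fix.

```sql
-- Step 1: diagnostic. List roles owned by the SCIM provisioner role; these are the
-- ones whose ownership chain does not trace back to SECURITYADMIN/SYSADMIN/USERADMIN
-- and are therefore candidates for the OAuth 'role does not exist or not authorized' failure.
SHOW ROLES;
SELECT "name"  AS role_name,
       "owner" AS owner_role
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "owner" = 'OKTA_PROVISIONER'
ORDER BY role_name;

-- Step 2: remediation for one affected role (placeholder name SCIM_ENGINEERING).
-- Run as a role that can take ownership (e.g. SECURITYADMIN or ACCOUNTADMIN).
USE ROLE SECURITYADMIN;

-- Transfer ownership into the standard RBAC hierarchy. COPY CURRENT GRANTS keeps every
-- privilege and user/role assignment already on the role, so members are not disrupted.
GRANT OWNERSHIP ON ROLE SCIM_ENGINEERING TO ROLE SECURITYADMIN COPY CURRENT GRANTS;

-- Give the role back to the SCIM provisioner so Okta can keep assigning it to users.
-- The WITH GRANT OPTION clause follows the post's description of the fix.
GRANT ROLE SCIM_ENGINEERING TO ROLE OKTA_PROVISIONER WITH GRANT OPTION;

-- Step 3: verify. OWNERSHIP should now show SECURITYADMIN as grantee; the USAGE grant
-- to OKTA_PROVISIONER should still be present.
SHOW GRANTS ON ROLE SCIM_ENGINEERING;
SELECT "privilege", "grantee_name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" IN ('OWNERSHIP', 'USAGE');
```

Re-run the Step 1 query after remediating each role; when it returns no rows, every SCIM-created role is back inside the hierarchy that the OAuth session-role check expects.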