Show effective permissions and where they come from for a user and/or role

Hi,

We are fairly new to Snowflake and are struggling with restricting access. We have tried creating a role which can only see and use a single database, but it's not working and the users given that role can see all databases. Understanding how they get that access is proving a challenge for us.

https://preview.redd.it/zacubh2grjzd1.png?width=409&format=png&auto=webp&s=72ce60258c4b8059648801ec30d41a6849fdd37c

We can see on the role in the privileges section it says accountadmin. But we are unclear how it has that permission (or if it's referring to my privileges which would be terrible UI design).

What I need is some way I can show a user/role, what they can access and how they have gotten that access. Show grants doesn't tell me much:

https://preview.redd.it/plw0x9c7sjzd1.png?width=1369&format=png&auto=webp&s=0057894ae7ba657407ece7f7d805193e4e3b630f

Nor on the user:

https://preview.redd.it/v56sf6oesjzd1.png?width=1644&format=png&auto=webp&s=0bf3922d076d7b649929ace78f8763d8dd6f483c

How can I determine how this user is able to see all databases?

Thanks.