GRANT … TO ROLE statement, the role can grant the same privilege to other roles. If a privilege was granted to a role with the WITH GRANT OPTION parameter included in the tables and views), the role must also have the USAGE privilege on the parent database and schema. When granting privileges on schema objects (e.g. Only the SECURITYADMIN and ACCOUNTADMIN system roles have the MANAGE GRANTS privilege however, the privilege can be granted In general, a role with any one of the following sets of privileges can grant privileges on an object to other roles: When granting privileges on an individual UDF or stored procedure, you must specify the data types of the arguments, if any, Access Control Requirements Granting privileges on individual objects In addition, to grant the WRITE privilege on an internal stage, the READ privilege must For more details about external and internal stages, see CREATE STAGE. READ | WRITE only applies to internal stages. The OWNERSHIP privilege on objects can only be transferred to a subordinate role of the schema owner. Instead, Snowflake recommends creating a shared role and using the role to create objects that are automatically accessible to all users who have been granted the role. However, note that, in the Snowflake model, bulk granting of privileges is not a recommended practice. Only objects that currently exist within the container are affected. Into a series of individual GRANT commands on each object. This is a convenience option internally, the command is expanded Objects of the same type within the container (i.e. Note that the IMPORTED PRIVILEGES privilege cannot be granted to a database role. For schemas and objects in schemas, an ALL object_type_plural in container option is provided to grant privileges on all For more details, see Overview of Access Control. For databases, the IMPORTED PRIVILEGES privilege only applies to shared databases (i.e. Higher-level roles within the role hierarchy.
Privileges granted to a particular role are automatically inherited by any other roles to which the role is granted, as well as any other Is returned for any privileges that could not be granted. That only privileges held and grantable by the role executing the GRANT command are actually granted to the target role. The special ALL keyword can be used to grant all applicable privileges to the specified object type. Multiple privileges can be specified for the same object type in a single GRANT statement (with each privilege separated by commas), or The GRANT OWNERSHIP command has a different Object from one role to another role, use GRANT OWNERSHIP instead. To grant the OWNERSHIP privilege on an object (or all objects of a specified type in a schema) to a role, transferring ownership of the database_role_name, the command looks for the database role in the current database All privileges are limited to the database that contains the database role, as well as other objects in the same database. If the identifier is not fully qualified in the form of db_name. the role to which the privileges are granted). Specifies the identifier for the recipient database role (i.e. Specifies the identifier for the recipient role (i.e. Note that bulk grants on pipes are not allowed. Specifies the type of object for schema-level objects. Specifies the identifier for the object on which the privileges are granted. GRANT OWNERSHIP, GRANT … TO SHARE See also: Privileges for schema objects, such as tables, views, stages, file formats, UDFs, and sequences in the database that contains the For more details about roles and securable objects, see Overview of Access Control. Privileges for schemas in the database that contains the database role. Privileges for the database that contains the database role. The privileges that can be granted to database roles are grouped into the following categories: Privileges for schema objects, such as tables, views, stages, file formats, UDFs, and sequences.
Privileges for account objects, such as resource monitors, virtual warehouses, and databases. The privileges that can be granted to roles are grouped into the following categories: The privileges that can be granted are object-specific. For information on granting privileges on securable objects to a share, see GRANT … TO SHARE. Grants one or more access privileges on a securable object to a role or database role.