Does UNDROP restore grants to the undropped object? - snowflake-cloud-data-platform

If a table, schema or database is dropped accidentally, and a minute later undropped - will it lose all privileges that were granted on it?
I have read the Snowflake documentation, but they don't seem to mention that.

The grants will be recovered along with the table, meaning the roles that had the privilege on the table/object will be available for use.
https://docs.snowflake.com/en/sql-reference/account-usage/grants_to_roles#columns
https://docs.snowflake.com/en/sql-reference/sql/undrop
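A way to confirm this behaviour in your own account, as an added example that is not part of the original answer: the database, schema, table and ANALYST_ROLE below are constructed names, and the final query relies on the GRANTS_TO_ROLES view linked above (which lags live metadata by some time).

```sql
-- Added example (not from the original answer): verify that privileges
-- survive DROP + UNDROP. DEMO_DB, DEMO_SCHEMA, ORDERS and ANALYST_ROLE
-- are constructed names for the demonstration.
USE ROLE ACCOUNTADMIN;
CREATE TABLE DEMO_DB.DEMO_SCHEMA.ORDERS (id INT);
CREATE ROLE IF NOT EXISTS ANALYST_ROLE;
GRANT SELECT ON TABLE DEMO_DB.DEMO_SCHEMA.ORDERS TO ROLE ANALYST_ROLE;

-- Snapshot the grants before the drop (OWNERSHIP -> ACCOUNTADMIN,
-- SELECT -> ANALYST_ROLE).
SHOW GRANTS ON TABLE DEMO_DB.DEMO_SCHEMA.ORDERS;

DROP TABLE DEMO_DB.DEMO_SCHEMA.ORDERS;

-- UNDROP works only inside the Time Travel retention period and only if
-- no new object with the same name has been created in the meantime.
UNDROP TABLE DEMO_DB.DEMO_SCHEMA.ORDERS;

-- The same grant rows come back with the table.
SHOW GRANTS ON TABLE DEMO_DB.DEMO_SCHEMA.ORDERS;

-- Account-level view of the same grants. DELETED_ON is NULL for grants
-- that are currently in effect; ACCOUNT_USAGE views have latency, so
-- recent changes may take a while to appear here.
SELECT privilege, granted_on, name, grantee_name, created_on, deleted_on
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE granted_on    = 'TABLE'
  AND table_catalog = 'DEMO_DB'
  AND table_schema  = 'DEMO_SCHEMA'
  AND name          = 'ORDERS'
ORDER BY created_on;
```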

Related

Ownership automatically changed in Snowflake

I'm experiencing a strange behavior in Snowflake and couldn't find any explanation in the documentation.
use role accountadmin ;
use database some_database;
create schema test_schema;
drop schema test_schema;
Result:
SQL access control error: Insufficient privileges to operate on schema 'TEST_SCHEMA'
When I check the schemas with SHOW SCHEMAS, I find that the ownership of TEST_SCHEMA belongs to another role.
Snowflake documentation only says that the ownership of an object is set to the role which created it, and the only way to have it owned by another role is transfer of ownership.
I've tried granting usage on future schema to accountadmin, but it hasn't fixed the problem.
Any ideas?
The database probably has future grants set up on it that automatically assign ownership of each new schema created.

How to create a table in Snowflake, but prevent dropping it under the same role?

We have built a streaming pipeline that has the rights to create new tables in Snowflake when they are created in the source system (running under the role PROD_EL_ROLE).
Even though we have time travel enabled 'for backup', I want to prevent the PROD_EL_ROLE itself from being able to 'accidentally' DROP tables. AFAIK, this cannot be done directly, as the creator of a table in Snowflake is also the owner and thus is also allowed to drop the table.
What I tried in addition is to transfer the ownership to another role higher in our RBAC hierarchy (PROD_SYSADMIN_ROLE). This unfortunately only works by using REVOKE GRANTS, which is not what we want, as with the creation of a table under PROD_EL_ROLE various privileges are auto-created by various FUTURE GRANTS, and we obviously don't want to remove them.
If I use COPY GRANTS, it does not work due to PROD_EL_ROLE not having the MANAGE GRANTS right, which is a grant we obviously do not want to give to PROD_EL_ROLE...
I only want to prevent table dropping by PROD_EL_ROLE.
Any idea how to solve this?
To follow the DAC concept, you own the object you created and can then customise grants to it, so there is no way to prevent dropping it unless a higher role in the same RBAC hierarchy claims ownership and grants back some or ALL privileges on the object to that role.
So, for your requirement, another separate process/user needs to use PROD_SYSADMIN_ROLE to claim ownership of the objects and grant back ALL PRIVILEGES on those objects to role PROD_EL_ROLE:
USE ROLE PROD_SYSADMIN_ROLE;
grant ownership on ALL TABLES in SCHEMA TESTDB.TESTSCHEMA
TO ROLE PROD_SYSADMIN_ROLE;
grant ALL PRIVILEGES on ALL TABLES in SCHEMA TESTDB.TESTSCHEMA
TO ROLE PROD_EL_ROLE;
Now the role PROD_EL_ROLE can do all DML operations on the tables but no longer any DDL operations on them (dropping/modifying the definition of the object).
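The same pattern extended to tables the pipeline has not created yet, as an added example that is not part of the original answer: the schema TESTDB.TESTSCHEMA and both role names are taken from the thread, SOME_TABLE is a placeholder, and the COPY CURRENT GRANTS step is assumed to be run by a role that holds MANAGE GRANTS (the thread notes it fails without it).

```sql
-- Added example (not from the original answer). Assumes PROD_SYSADMIN_ROLE
-- holds MANAGE GRANTS (or swap in SECURITYADMIN for the first statement).
USE ROLE PROD_SYSADMIN_ROLE;

-- One-off for tables that already exist. COPY CURRENT GRANTS keeps the
-- privileges other roles already hold on the tables instead of revoking
-- them, which is what the REVOKE GRANTS variant in the question did.
GRANT OWNERSHIP ON ALL TABLES IN SCHEMA TESTDB.TESTSCHEMA
  TO ROLE PROD_SYSADMIN_ROLE COPY CURRENT GRANTS;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA TESTDB.TESTSCHEMA
  TO ROLE PROD_EL_ROLE;

-- Same thing for tables the pipeline creates from now on: ownership moves
-- to PROD_SYSADMIN_ROLE at creation time, so PROD_EL_ROLE never holds the
-- OWNERSHIP privilege (ALL PRIVILEGES on a table does not include it).
GRANT OWNERSHIP ON FUTURE TABLES IN SCHEMA TESTDB.TESTSCHEMA
  TO ROLE PROD_SYSADMIN_ROLE;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN SCHEMA TESTDB.TESTSCHEMA
  TO ROLE PROD_EL_ROLE;

-- Caveat for the pipeline: CREATE OR REPLACE TABLE is a drop plus create,
-- so it will now fail for PROD_EL_ROLE; use CREATE TABLE IF NOT EXISTS or
-- ALTER TABLE instead.

-- Check: the pipeline role must not appear as the OWNERSHIP grantee.
SHOW GRANTS ON TABLE TESTDB.TESTSCHEMA.SOME_TABLE;   -- placeholder table
SELECT "privilege", "grantee_name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" = 'OWNERSHIP';
```

The last query should return exactly one row with grantee_name PROD_SYSADMIN_ROLE for every table in the schema; a PROD_EL_ROLE row there means a table was created before the future grant existed and still needs the one-off transfer.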

How to access Audit Logs using 'SNOWFLAKE' shared DB in Snowflake

While exploring Snowflake documentation on Audit Logging (user login history, object creation/deletion, query execution history etc.), I found the below information.
But in my trial account, I didn't find any shared DB with the name 'SNOWFLAKE'.
Would appreciate it if someone can throw more light on this feature.
Neeraj
You need to choose the 'ACCOUNTADMIN' role in the context of your session to see that database.
You should set the ACCOUNTADMIN role in the context to access the SNOWFLAKE database.
Alternatively, as ACCOUNTADMIN, you can grant the privilege for viewing the data to other users as below.
Grant imported privileges on database snowflake to ; -- where is an existing/new role granted to
Changing the role in the upper right corner is not sufficient. You need to change the role in the context.
After that, 'SNOWFLAKE' shared DB will be visible.
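Putting the two answers together, as an added example that is not part of the original answers: a dedicated audit role receives IMPORTED PRIVILEGES on the shared database and then runs two typical audit queries against ACCOUNT_USAGE. AUDIT_READER and AUDIT_USER are constructed names; the column names used are those of the LOGIN_HISTORY and QUERY_HISTORY views.

```sql
-- Added example (not from the original answers). AUDIT_READER and
-- AUDIT_USER are constructed names.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS AUDIT_READER;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE AUDIT_READER;
GRANT ROLE AUDIT_READER TO USER AUDIT_USER;

-- From here on the audit work needs neither ACCOUNTADMIN nor the
-- ability to change anything; the role only reads the shared views.
USE ROLE AUDIT_READER;

-- Failed logins over the last 7 days, grouped by user, source address
-- and error. A high attempt count for one user from one address is the
-- usual first sign of a credential-guessing attempt.
SELECT user_name, client_ip, error_code, error_message,
       COUNT(*)             AS attempts,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, error_code, error_message
ORDER BY attempts DESC;

-- Object deletions in the last 24 hours: who dropped what, under which
-- role. This is the record you consult before deciding what to UNDROP.
-- ACCOUNT_USAGE views have latency, so the newest statements may be
-- missing for a while.
SELECT start_time, user_name, role_name, query_type, query_text
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE query_type ILIKE 'DROP%'
  AND execution_status = 'SUCCESS'
  AND start_time >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
ORDER BY start_time DESC;
```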

How to prevent altering a database

What is the best way to prevent changes to a database, or to verify its integrity, so that it cannot be altered from an application created for this database?
Assume you have a username and password to access the database that permit reading and writing.
Requirements:
The user has write permissions
Do not depend on a particular system (MySQL, Oracle, SQL Server)
The solution I'm looking for is not based on the user's permissions on the database
Most modern databases allow you to grant read and write permissions while disallowing DDL commands like ALTER TABLE.
Do not give users that should not alter the DB structure permission to execute DDL.
If by "Alter" you mean change any data rows, rather than the database structure, you can grant the user only SELECT rights.
The user or account that your application uses must be granted permissions from the database server. Typically permissions include things like:
Select
Insert
Update
Delete
Alter
Drop
Only give the user account the permissions needed; in other words, don't grant Alter permission, and the application (or anyone using the same login) won't be able to alter tables.
Two strategies: 1) If you are running SQL Server, Oracle, DB2, etc., you can configure permissions so users are reader/writer by default (which means no ALTER permissions). 2) You can periodically check to see if someone has changed the data structure, or even set up a DB trigger to detect changes and record who/when, etc. (depends on your DB platform).

SQL Server: permissions to read database diagrams

Could you please advise what permissions are required to give a user access to read database diagrams in SQL Server 2005?
Thanks a lot!
From BOL
Although any user with access to a database can create a diagram, once the diagram has been created, the only users who can see it are the diagram's creator and any member of the db_owner role.
Ownership of diagrams can only be transferred to members of the db_owner role. This is only possible if the previous owner of the diagram has been removed from the database.
If the owner of a diagram has been removed from the database, the diagram will remain in the database until a member of the db_owner role attempts to open it. At that point the db_owner member can choose to take over ownership of the diagram.
So, db_owner/dbo is best
Try with this:
ALTER AUTHORIZATION ON DATABASE::AdventureWorks TO sa;
I've just found this in MSDN:
... you can grant execute permission on the sp_creatediagram stored procedure to someone who needs to create the diagram; you can grant execute alter, rename or drop permission as well. However, please note that you still need related permission on tables, schemas, otherwise you may not be able to save the diagram. For instance, if you create a new table in the diagram, you need CREATE TABLE permission on the corresponding Schema
less than db_owner/dbo