In snowflake, I have a table "dbtest"."schematest"."testtable" created by role Accountadmin.
Now i want to alter a column in this table using another role roletest;
I have given all access till table leve to roletest
# using accountadmin roles i have granted all the access
use role accountadmin
use warehouse testwarehouse
# granted database level permission to the role
GRANT USAGE ON DATABASE DBTEST TO ROLE ROLETEST;
# granted schema level permission to the rol
GRANT USAGE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT USAGE, CREATE FUNCTION, CREATE PROCEDURE, CREATE TABLE, CREATE VIEW, CREATE EXTERNAL TABLE, CREATE MATERIALIZED VIEW, CREATE TEMPORARY TABLE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
# also at table leve i have granted the permissions
GRANT INSERT, DELETE, REBUILD, REFERENCES, SELECT, TRUNCATE, UPDATE ON TABLE "DBTEST"."SCHEMATEST"."testtable" TO ROLE "ROLETEST";
Now when i try
use role roletest;
use warehouse roletest_wh;
alter table "DBTEST"."SCHEMATEST"."testtable" alter column c1 drop not null;
i get the error
SQL access control error: Insufficient privileges to operate on table 'testtable'
I also tried
GRANT OWNERSHIP ON "DBTEST"."SCHEMATEST"."testtable" TO ROLE roletest;
it gives error
SQL execution error: Dependent grant of privilege 'SELECT' on securable "DBTEST"."SCHEMATEST"."testtable" to role 'SYSADMIN' exists. It must be revoked first. More than one dependent grant may exist: use 'SHOW GRANTS' command to view them. To revoke all dependent grants while transferring object ownership, use convenience command 'GRANT OWNERSHIP ON <target_objects> TO <target_role> REVOKE CURRENT GRANTS'.
https://docs.snowflake.com/en/sql-reference/sql/grant-ownership.html#examples
In a single step, revoke all privileges on the existing tables in the mydb.public schema and transfer ownership of the tables (along with a copy of their current privileges) to the analyst role:
grant ownership on all tables in schema mydb.public to role analyst copy current grants;
Grant ownership on the mydb.public.mytable table to the analyst role along with a copy of all current outbound privileges on the table:
grant ownership on table mydb.public.mytable to role analyst copy current grants;
Only the owner of an object can alter that object.
When changing ownership you need to use one of the revoke/copy grants options
Related
I am trying to grant all privileges for a database to a role in snowflake
This includes all ability to read, create, update and delete schemas, stages, storage integrations, tables and so on.
Also should include any future objects created in the database.
grant all on database test to developer;
This only grants view of the database and not the schema or any other objects within the database
Unfortunately in Snowflake, there is no as such command to grant all access via a single command.
Even with all privileges command, you have to grant one usage privilege against the object to be effective.
It's mentioned in the documentation on Schema Privileges as well.
For future grants, you can try following commands at schema and database level
SCHEMA LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on schema SAMPLEDATABASE1.TEST to role testrole12;
grant select on future tables in schema SAMPLEDATABASE1.TEST to role testrole12;
grant role testrole12 to user SUJANT3;
DATABASE LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on future schemas in database SAMPLEDATABASE1 to role testrole12;
grant select on future tables in database SAMPLEDATABASE1 to role testrole12;
grant role testrole12 to user SUJANT3;
There is no one single command to affect all the objects under the database, but you can run these set of SQL's per object:
GRANT ALL ON ALL schemas in database <DB> TO ROLE <role>;
GRANT ALL ON ALL TABLES IN SCHEMA <db.schema> TO ROLE <role>;
similarly for future grants:
grant all on future schemas in database <DB> TO ROLE <role>;
grant all on future tables in schema <db.schema> to ROLE <role>;
This can be extended to views and other objects too.
It sounds like you want to grant ownership? There can only be 1 owner per object, so I recommend you use this only when appropriate:
GRANT OWNERSHIP ON DATABASE TEST
TO DEVELOPER
COPY CURRENT GRANTS
;
Note: Copying current grants retains the current privileges, except ownership is transferred. Otherwise, all existing privileges will be dropped.
I created a user ANALYST_USER and granted a role ANALYST.
When I tried to create a table in the TEST_DB, I got a following error message:
Unable to create table TEST.
SQL access control error: Insufficient privileges to operate on schema 'PUBLIC'
Here are the statements I wrote before trying to create a table using the ANALYST_USER account.
USE ROLE SECURITYADMIN;
-- Create Role--
CREATE ROLE ANALYST
-- Database--
GRANT USAGE ON DATABASE TEST_DB TO ROLE ANALYST;
-- Schema--
GRANT USAGE, MONITOR ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT USAGE, MONITOR ON FUTURE SCHEMAS IN DATABASE
TEST_DB TO ROLE ANALYST;
-- Warehouse--
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
-- Tables/Views--
GRANT SELECT ON ALL TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT SELECT ON FUTURE TABLES IN DATABASE TEST_DB TO ROLE
ANALYST;
-- User -- GRANT ROLE ANALYST to USER ANALYST_USER;
Does anyone know how to solve this issue?
Following statement solved the issue.
GRANT ALL ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT ALL ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
I understand this gives "ALL" permissions, so if we want to give only "create table" permission, then we need to use following statement instead:
Grant create table on schema IN DATABASE TEST_DB to role ANALYST;
It is because the role was missing create table rights on the public schema. You just have usage and monitor privileges in your schema grant. So, GRANT CREATE TABLE ON SCHEMA TEST_DB.PUBLIC TO ROLE ANALYST; would have solved your issue.
Trying to grant a role access to drop a schema from a database in Snowflake. What grants do I need to apply?
Currently if we try to execute this statement for the user:
DROP SCHEMA IF EXISTS 'schemaname_123'
We get this error:
SQL access control error: Insufficient privileges to operate on schema 'schemaname_123'
The role currently has these grants on the database
GRANT USAGE, MONITOR, CREATE SCHEMA ON DATABASE RAW TO ROLE INGESTION_ROLE;
The DROP privilege is tied to the object owner.
To drop a schema, you must be using a role that has ownership privilege on the schema.
Note that granting ownership in fact transfer the ownership to another role.
grant ownership on schema schemaname_123 to role INGESTION_ROLE;
I'm trying to setup a Snowflake role that have access to all current and future tables in a given database:
create role if not exists MYROLE;
grant usage on database MYDB to role MYROLE;
grant usage on all schemas in database MYDB to role MYROLE;
grant usage on future schemas in database MYDB to role MYROLE;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
the SHOW FUTURE GRANTS IN DATABASE MYDB; confirms that the grants are there:
created_on privilege grant_on name grant_to grantee_name grant_option
... USAGE SCHEMA MYDB.<SCHEMA> ROLE MYROLE false
... SELECT TABLE MYDB.<TABLE> ROLE MYROLE false
But they don't seem to have any effect.
I have a test schema MYDB.TEST and when I create tables with other role OTHERROLE the MYROLE can't "see" them.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
use role otherrole;
CREATE OR REPLACE TABLE mydb.test.ruben_test AS (
SELECT * FROM (values (1,2),(3,4),(5,6)) x(id,value)
);
select * from mydb.test.ruben_test; -- OTHERROLE can see table
use role myrole;
select * from mydb.test.ruben_test; -- SQL compilation error: Object 'MYDB.TEST.RUBEN_TEST' does not exist or not authorized.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
use role myrole;
select * from mydb.test.ruben_test; -- now it can see it
The grant select on future tables in database MYDB to role MYROLE; seems to be ignored.
If I use grant select on future tables in schema MYDB.TEST to role MYROLE; then it will work, but I really don't want to have to write a grant for each schema in the db.
I'm opening a support case with Snowflake but in the meantime, is it possible to have a grant in all future table in database or not?
Yes, it's possible. Most likely you have future grants at the schema level and that prevents the future grants at the database level from running as stated in Precedence rule for future grants.
As the future grants can be defined at both the database and schema
level, the schema level grants always take precedence over the
database level grants, the snowflake will ignore the future grants
applied at the database level. Even if the user tries to change the
future grants at the database level and one of the child schemas had a
different future grant defined explicitly then this change will not be
reflected at the schema level, it will be simply ignored without
showing any error.
I want to grant Create/Drop/Select/Insert/Delete/Truncate current & future table access to a role.
I did following still having problem.
grant usage on database TESTDB to role TEST_ROLE;
grant usage on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on future tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on all tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
use role TEST_ROLE;
create table TESTDB.TESTSCHEMA.TESTTAB (name varchar(20);
SQL access control error: Insufficient privileges to operate on schema 'TESTSCHEMA'
Thanks
Creating a table is an action performed in the context of a schema.
You need to use GRANT CREATE TABLE ON SCHEMA ...
I think you are looking to give all permissions of the new schema TESTSCHEMA (except ownership or giving grant to other roles) to the new role TEST_ROLE then use:
grant ALL PRIVILEGES on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
you may verify the privileges giving by
show grants to role TEST_ROLE;
If you think that is too much, then make a list exactly what you want out of the SHOW command result and try to write the REVOKE/GRANT new command following doc of the privileges you wanna revoke/grant and we can assist further?
Below permissions need to be grant as per your requirement
Example
RoleName- PRODUCTION_DBT
USE ROLE ACCOUNTADMIN (Role with Super Privileges as AccountAdmin)
GRANT USAGE ON WAREHOUSE TO ROLE PRODUCTION_DBT
GRANT USAGE ON DATABASE TO ROLE PRODUCTION_DBT
GRANT USAGE ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT CREATE TABLE ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT SELECT ON ALL TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT SELECT ON FUTURE TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN .
TO ROLE PRODUCTION_DBT
GRANT TRUNCATE ON ALL TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT CREATE VIEW ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT CREATE PROCEDURE ON SCHEMA . TO ROLE
PRODUCTION_DBT
Below grants will provide CURD access to a role.
grant usage on database…
grant usage on schema…
grant create table on schema….
--above will give CURD
grant select, insert, delete, ... on all tables in schema
--above grant will take care of all exists table grants
grant select, insert, delete, ... on future tables in schema
--above grant will take care of all future tables