Any new role created on the account automatically gets access to a shared database and any attempt to REVOKE IMPORTED PRIVILEGES from the newly created role makes no change, the query to revoke access completes successfully. Notably, when IMPORTED PRIVILEGES are revoked/granted from a role on any other shared DB, it works perfectly fine.
DB: Snowflake
In my case I had two other roles that were children of role PUBLIC. Any new role that was created automatically inherited the privileges of these two roles via the relationship to PUBLIC. Due to this, the command revoke imported privileges on database <MY_DB> from role PUBLIC; and revoke imported privileges on database <MY_DB> from role my_role; did not remove the privileges on the DB.
Removing the relationship between the other roles and PUBLIC fixed this issue for me:
revoke role my_other_role1 from role PUBLIC;
revoke role my_other_role2 from role PUBLIC;
Related
how to perform joins and how to maintain warehouse?
I have tried:
create table table_name values i int, nm string;
How to create a role in snowflake without any privileges or minimum privileges ?
I tried to create a role with parent role security-admin .
when I assign this role to user i am able to see databases of parent role also.
After I created role with parent role as public still I am able to see databases
what shall I do that a created role should not have access to any unless I grant it ?
When you CREATE ROLE, it's an independent object and does not come with any privileges:
use role accountadmin;
create role empty_role;
show grants to role empty_role;
The last command does not return anything even if it is created by the accountadmin role.
grant role empty_role to user gokhan;
use role empty_role;
show databases;
As the new role has no additional access, the last command shows the databases which the PUBLIC role has access. I hope this explains why you see some databases when you switch to your new role.
I have a share(i.e. shareTest_share) in accountAdmin role in one of my reader accounts in snowflake.
Now I want to create a database from this, but from sysAdmin role.
The statement for creating database is:
CREATE or replace DATABASE shareTest_db FROM SHARE mukulanalytics.shareTest_share
This is giving permission issue since I am trying to execute it from the sysAdmin role instead of accountAdmin role which has the access to shareTest_share share.
Error:
SQL access control error: Insufficient privileges to operate on foreign share 'SHARETEST_SHARE'
How can I create a database from share in a different role with share in another role?
You will have to grant the IMPORT SHARE privilege to SYSADMIN/any other users
use role accountadmin
grant import share on account to sysadmin
use role sysadmin
create database TEST from share <>
https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html
the privileges required to achieve this are described here: https://docs.snowflake.com/en/user-guide/security-access-privileges-shares.html
Is there a way to do this?
There is a admin role which is the owner of the database, schema & all other objects.
There is tester role with only read/write permissions on 1 schema of the database.
The tester role needs to be a part of the admin role for that 1 specific schema (so that any new objects created - the ownership will be on the admin role).
Have to revoke access to users of the tester role access on all other schemas in the database
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this - The testerrole needs to be able to create objects in the DEVSCHM, but ownership of the object should still be held with adminrole
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case then just grant future ownership on the relevant objects to the admin role
I created new user, and new role. I assigned to the user that role.
These are the role privileges:
GRANT OWNERSHIP ON SCHEMA <DB name>.<schema name> TO ROLE <role name>;
GRANT USAGE ON DATABASE <DB name> TO ROLE <role name>;
But I still failing on
USE SCHEMA <schema name>;
002043 (02000): SQL compilation error:
Object does not exist, or operation cannot be performed.
Edit 1:
With new schema it does work, it stops working if the schema was created by another user with another role and then I grant the ownership of that schema to the newly create role
Edit 2:
Also when I ran show SCHEMAS; the schema I granted ownership to, is not displayed, only the schemas that the user have created
This all worked without problem for me:
use role accountadmin;
create role delete_stacko;
grant role delete_stacko to role sysadmin;
create schema temp.delete_schema;
grant ownership on schema temp.delete_schema to role delete_stacko;
grant usage on database temp to role delete_stacko;
use role delete_stacko;
use schema temp.delete_schema;
I created a new role, a new schema, and when switching to that role I had all permissions needed to use that schema. Make sure to check that the schema is in the database you are trying to work with - or use prefixes to be completely sure.
I used the following statements:
USE ROLE SECURITYADMIN;
CREATE ROLE TEST_ROLE;
CREATE USER TEST_USER PASSWORD='PASSWORD', DEFAULT_ROLE='TEST_ROLE', DEFAULT_WAREHOUSE='MY_WH';
GRANT ROLE TEST_ROLE TO TEST_USER;
When I login with the TEST_USER, the user has access to all existing databases/schemas/tables/views. How come?
This is expected behaviour if the PUBLIC role was granted access to all your database objects.
By default, all users belong to the PUBLIC role.
You may check the privileges of the TEST_ROLE with this grant statement, which lists all privileges and roles granted to the role:
show grants to role TEST_ROLE;
and lists all users and roles to which the role has been granted:
show grants of role TEST_ROLE;