Snowflake cannot use schema - snowflake-cloud-data-platform

I created new user, and new role. I assigned to the user that role.
These are the role privileges:
GRANT OWNERSHIP ON SCHEMA <DB name>.<schema name> TO ROLE <role name>;
GRANT USAGE ON DATABASE <DB name> TO ROLE <role name>;
But I still failing on
USE SCHEMA <schema name>;
002043 (02000): SQL compilation error:
Object does not exist, or operation cannot be performed.
Edit 1:
With new schema it does work, it stops working if the schema was created by another user with another role and then I grant the ownership of that schema to the newly create role
Edit 2:
Also when I ran show SCHEMAS; the schema I granted ownership to, is not displayed, only the schemas that the user have created

This all worked without problem for me:
use role accountadmin;
create role delete_stacko;
grant role delete_stacko to role sysadmin;
create schema temp.delete_schema;
grant ownership on schema temp.delete_schema to role delete_stacko;
grant usage on database temp to role delete_stacko;
use role delete_stacko;
use schema temp.delete_schema;
I created a new role, a new schema, and when switching to that role I had all permissions needed to use that schema. Make sure to check that the schema is in the database you are trying to work with - or use prefixes to be completely sure.

Related

Snowflake - Give full access on database to role; revoke access on specific schemas to user that is part of the role

Is there a way to do this?
There is a admin role which is the owner of the database, schema & all other objects.
There is tester role with only read/write permissions on 1 schema of the database.
The tester role needs to be a part of the admin role for that 1 specific schema (so that any new objects created - the ownership will be on the admin role).
Have to revoke access to users of the tester role access on all other schemas in the database
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this - The testerrole needs to be able to create objects in the DEVSCHM, but ownership of the object should still be held with adminrole
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case then just grant future ownership on the relevant objects to the admin role

How do I grant all privileges for a database to a role in Snowflake

I am trying to grant all privileges for a database to a role in snowflake
This includes all ability to read, create, update and delete schemas, stages, storage integrations, tables and so on.
Also should include any future objects created in the database.
grant all on database test to developer;
This only grants view of the database and not the schema or any other objects within the database
Unfortunately in Snowflake, there is no as such command to grant all access via a single command.
Even with all privileges command, you have to grant one usage privilege against the object to be effective.
It's mentioned in the documentation on Schema Privileges as well.
For future grants, you can try following commands at schema and database level
SCHEMA LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on schema SAMPLEDATABASE1.TEST to role testrole12;
grant select on future tables in schema SAMPLEDATABASE1.TEST to role testrole12;
grant role testrole12 to user SUJANT3;
DATABASE LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on future schemas in database SAMPLEDATABASE1 to role testrole12;
grant select on future tables in database SAMPLEDATABASE1 to role testrole12;
grant role testrole12 to user SUJANT3;
There is no one single command to affect all the objects under the database, but you can run these set of SQL's per object:
GRANT ALL ON ALL schemas in database <DB> TO ROLE <role>;
GRANT ALL ON ALL TABLES IN SCHEMA <db.schema> TO ROLE <role>;
similarly for future grants:
grant all on future schemas in database <DB> TO ROLE <role>;
grant all on future tables in schema <db.schema> to ROLE <role>;
This can be extended to views and other objects too.
It sounds like you want to grant ownership? There can only be 1 owner per object, so I recommend you use this only when appropriate:
GRANT OWNERSHIP ON DATABASE TEST
TO DEVELOPER
COPY CURRENT GRANTS
;
Note: Copying current grants retains the current privileges, except ownership is transferred. Otherwise, all existing privileges will be dropped.

Snowflake custom role not able to create tables on a schema

I have a custom role (readwrite) which is granted to the built-in SYSADMIN role.
I have a database CDP_MODELS which has a schema MODELS in it (the owner for which is SYSADMIN).
I have a user WCOX who is a part of the readwrite role.
I need to provide the user WCOX write access to the CDP_MODELS.MODELS DB so that the user can create new tables.
What I have tried so far -
I see that the readwrite role has usage permission on the database as well as the schema.
But when I login as the readwrite role and try to create a table on the MODELS schema in the CDP_MODELS DB, it gives the following error -
SQL access control error: Insufficient privileges to operate on schema
'MODELS'
I have also explicitly tried to run the below queries and then try creating the table, but to no luck.
grant usage on database CDP_MODELS to role READWRITE;
grant usage on schema CDP_MODELS.MODELS to role READWRITE;
grant select,insert on future tables in schema CDP_MODELS.MODELS to role READWRITE;
Is there something which I am missing?
You are missing Create Table privilege on the Schema.
grant create table on schema CDP_MODELS.MODELS to role READWRITE;

How to create snowflake security admin role and at same time restrict the permission only on one database

Environment: snowflake database.
i am trying to find a way to create a role which have security admin permission but should limit the permission only to specific database. is this doable or not? if so, anyone can help me on this? thanks so much.
Thanks, Alex
SECURITYADMIN is a role created by default in Snowflake and a lot of his permissions are not database-related (for example role and user management). Indeed most of the database-related grants belongs to SYSADMIN role.
So if you want to create a custom role having limited permissions on a specific database. You should list the permission which are database related and grant this permissions to the custom role.
For example if you want to give all privileges to a role on a specific database you can use :
GRANT ALL PRIVILEGES ON DATABASE my_db TO ROLE my_custom_role;
Roles are account-level, not db-level objects. So I am guessing you are trying actually to do the same role mgmt that SECURITYADMIN does, but at db-level. In that case:
use role SECURITYADMIN;
create role SECURITYADMIN_DB1;
grant create user, create role to SECURITYADMIN_DB1;
After that create Access Roles for your db:
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html#aligning-object-access-with-business-functions
Then assign all access roles to the custom SECURITYADMIN_DB1 role, so your role will manage that particular db only.

Insufficient privileges to drop schema

Trying to grant a role access to drop a schema from a database in Snowflake. What grants do I need to apply?
Currently if we try to execute this statement for the user:
DROP SCHEMA IF EXISTS 'schemaname_123'
We get this error:
SQL access control error: Insufficient privileges to operate on schema 'schemaname_123'
The role currently has these grants on the database
GRANT USAGE, MONITOR, CREATE SCHEMA ON DATABASE RAW TO ROLE INGESTION_ROLE;
The DROP privilege is tied to the object owner.
To drop a schema, you must be using a role that has ownership privilege on the schema.
Note that granting ownership in fact transfer the ownership to another role.
grant ownership on schema schemaname_123 to role INGESTION_ROLE;

Resources