Snowflake custom role not able to create tables on a schema - snowflake-cloud-data-platform

I have a custom role (readwrite) which is granted to the built-in SYSADMIN role.
I have a database CDP_MODELS which has a schema MODELS in it (the owner for which is SYSADMIN).
I have a user WCOX who is a part of the readwrite role.
I need to provide the user WCOX write access to the CDP_MODELS.MODELS DB so that the user can create new tables.
What I have tried so far -
I see that the readwrite role has usage permission on the database as well as the schema.
But when I login as the readwrite role and try to create a table on the MODELS schema in the CDP_MODELS DB, it gives the following error -
SQL access control error: Insufficient privileges to operate on schema
'MODELS'
I have also explicitly tried to run the below queries and then try creating the table, but to no luck.
grant usage on database CDP_MODELS to role READWRITE;
grant usage on schema CDP_MODELS.MODELS to role READWRITE;
grant select,insert on future tables in schema CDP_MODELS.MODELS to role READWRITE;
Is there something which I am missing?

You are missing Create Table privilege on the Schema.
grant create table on schema CDP_MODELS.MODELS to role READWRITE;

Related

Snowflake cannot use schema

I created new user, and new role. I assigned to the user that role.
These are the role privileges:
GRANT OWNERSHIP ON SCHEMA <DB name>.<schema name> TO ROLE <role name>;
GRANT USAGE ON DATABASE <DB name> TO ROLE <role name>;
But I still failing on
USE SCHEMA <schema name>;
002043 (02000): SQL compilation error:
Object does not exist, or operation cannot be performed.
Edit 1:
With new schema it does work, it stops working if the schema was created by another user with another role and then I grant the ownership of that schema to the newly create role
Edit 2:
Also when I ran show SCHEMAS; the schema I granted ownership to, is not displayed, only the schemas that the user have created
This all worked without problem for me:
use role accountadmin;
create role delete_stacko;
grant role delete_stacko to role sysadmin;
create schema temp.delete_schema;
grant ownership on schema temp.delete_schema to role delete_stacko;
grant usage on database temp to role delete_stacko;
use role delete_stacko;
use schema temp.delete_schema;
I created a new role, a new schema, and when switching to that role I had all permissions needed to use that schema. Make sure to check that the schema is in the database you are trying to work with - or use prefixes to be completely sure.

Snowflake roles are not able to see newly created Privileged database?

I created a new Database (DB_COMMON) using ACCOUNTADMIN role and I grant ALL PRIVILEGES to other roles but I am not able to see newly created Database (DB_COMMON) using those roles. Am I missing something? Please guide.
Here is the complete code:
USE DATABASE ACCOUNTADMIN;
-- DATABASE CREATION
CREATE DATABASE IF NOT EXISTS DB_COMMON;
-- PERMISSION TO ALL THE FUTURE SCHEMAS
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- PERMISSION TO ALL THE FUTURE TABLES
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- CREATION OF SCHEMA
USE DATABASE DB_COMMON;
CREATE SCHEMA IF NOT EXISTS COMMON;
After these commands, if I switch to these roles (DEVADMIN, QAADMIN, etc) I am not able to see DB_COMMON Database. Am I missing something? Please guide.
It is not recommeded to use ACCOUNTADMIN role as owner of user-defined databases:
Avoid Using the ACCOUNTADMIN Role to Create Objects:
The ACCOUNTADMIN role is intended for performing initial setup tasks in the system and managing account-level objects and tasks on a day-to-day basis. As such, it should not be used to create objects in your account, unless you absolutely need these objects to have the highest level of secure access. If you create objects with the ACCOUNTADMIN role and you want users to have access to these objects, you must explicitly grant privileges on the objects to the roles for these users.
Instead, we recommend creating a hierarchy of roles aligned with business functions in your organization and ultimately assigning these roles to the SYSADMIN role. For more information, see Aligning Object Access with Business Functions in this topic.
Second the USAGE permission on the database needs to be granted.
GRANT USAGE ON DATABASE ... TO ROLE ...;
Database Privileges:
USAGE
Enables using a database, including returning the database details in the SHOW DATABASES command output. Additional privileges are required to view or take actions on objects in a database.

How do I grant all privileges for a database to a role in Snowflake

I am trying to grant all privileges for a database to a role in snowflake
This includes all ability to read, create, update and delete schemas, stages, storage integrations, tables and so on.
Also should include any future objects created in the database.
grant all on database test to developer;
This only grants view of the database and not the schema or any other objects within the database
Unfortunately in Snowflake, there is no as such command to grant all access via a single command.
Even with all privileges command, you have to grant one usage privilege against the object to be effective.
It's mentioned in the documentation on Schema Privileges as well.
For future grants, you can try following commands at schema and database level
SCHEMA LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on schema SAMPLEDATABASE1.TEST to role testrole12;
grant select on future tables in schema SAMPLEDATABASE1.TEST to role testrole12;
grant role testrole12 to user SUJANT3;
DATABASE LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on future schemas in database SAMPLEDATABASE1 to role testrole12;
grant select on future tables in database SAMPLEDATABASE1 to role testrole12;
grant role testrole12 to user SUJANT3;
There is no one single command to affect all the objects under the database, but you can run these set of SQL's per object:
GRANT ALL ON ALL schemas in database <DB> TO ROLE <role>;
GRANT ALL ON ALL TABLES IN SCHEMA <db.schema> TO ROLE <role>;
similarly for future grants:
grant all on future schemas in database <DB> TO ROLE <role>;
grant all on future tables in schema <db.schema> to ROLE <role>;
This can be extended to views and other objects too.
It sounds like you want to grant ownership? There can only be 1 owner per object, so I recommend you use this only when appropriate:
GRANT OWNERSHIP ON DATABASE TEST
TO DEVELOPER
COPY CURRENT GRANTS
;
Note: Copying current grants retains the current privileges, except ownership is transferred. Otherwise, all existing privileges will be dropped.

What is the complete list of privileges a role needs in order to create a table in a schema?

I have granted USAGE on the schemas and database.
I have granted select on all tables.
Using that role, I can read data from all tables within any schema.
I then grant the permission to create tables in all schemas within that database
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
Yet, when I issue this command (while using DEVELOPERS role), I get an error
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
What am I missing?
Works fine for me (script below). Going to go with what Lukasz commented and that your schema was created later.
use role accountadmin;
create database TEST1_CONTROL;
create schema PDS;
create role DEVELOPERS;
grant role DEVELOPERS to user <your_username>;
GRANT USAGE ON DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT USAGE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
use role DEVELOPERS;
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
Snowflake does offer future grants if you want a role to have access to any new schemas that would be created in the future.

Insufficient privileges to drop schema

Trying to grant a role access to drop a schema from a database in Snowflake. What grants do I need to apply?
Currently if we try to execute this statement for the user:
DROP SCHEMA IF EXISTS 'schemaname_123'
We get this error:
SQL access control error: Insufficient privileges to operate on schema 'schemaname_123'
The role currently has these grants on the database
GRANT USAGE, MONITOR, CREATE SCHEMA ON DATABASE RAW TO ROLE INGESTION_ROLE;
The DROP privilege is tied to the object owner.
To drop a schema, you must be using a role that has ownership privilege on the schema.
Note that granting ownership in fact transfer the ownership to another role.
grant ownership on schema schemaname_123 to role INGESTION_ROLE;

Resources