snowflake - query grants to role - snowflake-cloud-data-platform

I made all table grants to a role:
grant select on all tables in schema WORKING to role PROD_WORKING_SR;
grant select on all views in schema WORKING to role PROD_WORKING_SR;
grant select on future tables in schema WORKING to role PROD_WORKING_SR;
grant select on future views in schema WORKING to role PROD_WORKING_SR;
but when I try to verify the grants using command:
show grants to role PROD_WORKING_SR
I get nothing. Can someone help me with a query that I can extract all privileges granted to a role like I did above.
Appreciate your help!!!

You need to give USAGE privilege to the role for database and schema
You can do this using
grant usage on database <your db name> to role PROD_WORKING_SR;
grant usage on schema WORKING to role PROD_WORKING_SR;

Related

Snowflake - Give full access on database to role; revoke access on specific schemas to user that is part of the role

Is there a way to do this?
There is a admin role which is the owner of the database, schema & all other objects.
There is tester role with only read/write permissions on 1 schema of the database.
The tester role needs to be a part of the admin role for that 1 specific schema (so that any new objects created - the ownership will be on the admin role).
Have to revoke access to users of the tester role access on all other schemas in the database
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this - The testerrole needs to be able to create objects in the DEVSCHM, but ownership of the object should still be held with adminrole
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case then just grant future ownership on the relevant objects to the admin role

How do I grant all privileges for a database to a role in Snowflake

I am trying to grant all privileges for a database to a role in snowflake
This includes all ability to read, create, update and delete schemas, stages, storage integrations, tables and so on.
Also should include any future objects created in the database.
grant all on database test to developer;
This only grants view of the database and not the schema or any other objects within the database
Unfortunately in Snowflake, there is no as such command to grant all access via a single command.
Even with all privileges command, you have to grant one usage privilege against the object to be effective.
It's mentioned in the documentation on Schema Privileges as well.
For future grants, you can try following commands at schema and database level
SCHEMA LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on schema SAMPLEDATABASE1.TEST to role testrole12;
grant select on future tables in schema SAMPLEDATABASE1.TEST to role testrole12;
grant role testrole12 to user SUJANT3;
DATABASE LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on future schemas in database SAMPLEDATABASE1 to role testrole12;
grant select on future tables in database SAMPLEDATABASE1 to role testrole12;
grant role testrole12 to user SUJANT3;
There is no one single command to affect all the objects under the database, but you can run these set of SQL's per object:
GRANT ALL ON ALL schemas in database <DB> TO ROLE <role>;
GRANT ALL ON ALL TABLES IN SCHEMA <db.schema> TO ROLE <role>;
similarly for future grants:
grant all on future schemas in database <DB> TO ROLE <role>;
grant all on future tables in schema <db.schema> to ROLE <role>;
This can be extended to views and other objects too.
It sounds like you want to grant ownership? There can only be 1 owner per object, so I recommend you use this only when appropriate:
GRANT OWNERSHIP ON DATABASE TEST
TO DEVELOPER
COPY CURRENT GRANTS
;
Note: Copying current grants retains the current privileges, except ownership is transferred. Otherwise, all existing privileges will be dropped.

Insufficient privileges to operate on schema 'PUBLIC'

I created a user ANALYST_USER and granted a role ANALYST.
When I tried to create a table in the TEST_DB, I got a following error message:
Unable to create table TEST.
SQL access control error: Insufficient privileges to operate on schema 'PUBLIC'
Here are the statements I wrote before trying to create a table using the ANALYST_USER account.
USE ROLE SECURITYADMIN;
-- Create Role--
CREATE ROLE ANALYST
-- Database--
GRANT USAGE ON DATABASE TEST_DB TO ROLE ANALYST;
-- Schema--
GRANT USAGE, MONITOR ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT USAGE, MONITOR ON FUTURE SCHEMAS IN DATABASE
TEST_DB TO ROLE ANALYST;
-- Warehouse--
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
-- Tables/Views--
GRANT SELECT ON ALL TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT SELECT ON FUTURE TABLES IN DATABASE TEST_DB TO ROLE
ANALYST;
-- User -- GRANT ROLE ANALYST to USER ANALYST_USER;
Does anyone know how to solve this issue?
Following statement solved the issue.
GRANT ALL ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT ALL ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
I understand this gives "ALL" permissions, so if we want to give only "create table" permission, then we need to use following statement instead:
Grant create table on schema IN DATABASE TEST_DB to role ANALYST;
It is because the role was missing create table rights on the public schema. You just have usage and monitor privileges in your schema grant. So, GRANT CREATE TABLE ON SCHEMA TEST_DB.PUBLIC TO ROLE ANALYST; would have solved your issue.

Is it possible to grant SELECT on all future tables on any schema in a database?

I'm trying to setup a Snowflake role that have access to all current and future tables in a given database:
create role if not exists MYROLE;
grant usage on database MYDB to role MYROLE;
grant usage on all schemas in database MYDB to role MYROLE;
grant usage on future schemas in database MYDB to role MYROLE;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
the SHOW FUTURE GRANTS IN DATABASE MYDB; confirms that the grants are there:
created_on privilege grant_on name grant_to grantee_name grant_option
... USAGE SCHEMA MYDB.<SCHEMA> ROLE MYROLE false
... SELECT TABLE MYDB.<TABLE> ROLE MYROLE false
But they don't seem to have any effect.
I have a test schema MYDB.TEST and when I create tables with other role OTHERROLE the MYROLE can't "see" them.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
use role otherrole;
CREATE OR REPLACE TABLE mydb.test.ruben_test AS (
SELECT * FROM (values (1,2),(3,4),(5,6)) x(id,value)
);
select * from mydb.test.ruben_test; -- OTHERROLE can see table
use role myrole;
select * from mydb.test.ruben_test; -- SQL compilation error: Object 'MYDB.TEST.RUBEN_TEST' does not exist or not authorized.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
use role myrole;
select * from mydb.test.ruben_test; -- now it can see it
The grant select on future tables in database MYDB to role MYROLE; seems to be ignored.
If I use grant select on future tables in schema MYDB.TEST to role MYROLE; then it will work, but I really don't want to have to write a grant for each schema in the db.
I'm opening a support case with Snowflake but in the meantime, is it possible to have a grant in all future table in database or not?
Yes, it's possible. Most likely you have future grants at the schema level and that prevents the future grants at the database level from running as stated in Precedence rule for future grants.
As the future grants can be defined at both the database and schema
level, the schema level grants always take precedence over the
database level grants, the snowflake will ignore the future grants
applied at the database level. Even if the user tries to change the
future grants at the database level and one of the child schemas had a
different future grant defined explicitly then this change will not be
reflected at the schema level, it will be simply ignored without
showing any error.

snowflake grants for create table

I want to grant Create/Drop/Select/Insert/Delete/Truncate current & future table access to a role.
I did following still having problem.
grant usage on database TESTDB to role TEST_ROLE;
grant usage on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on future tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on all tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
use role TEST_ROLE;
create table TESTDB.TESTSCHEMA.TESTTAB (name varchar(20);
SQL access control error: Insufficient privileges to operate on schema 'TESTSCHEMA'
Thanks
Creating a table is an action performed in the context of a schema.
You need to use GRANT CREATE TABLE ON SCHEMA ...
I think you are looking to give all permissions of the new schema TESTSCHEMA (except ownership or giving grant to other roles) to the new role TEST_ROLE then use:
grant ALL PRIVILEGES on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
you may verify the privileges giving by
show grants to role TEST_ROLE;
If you think that is too much, then make a list exactly what you want out of the SHOW command result and try to write the REVOKE/GRANT new command following doc of the privileges you wanna revoke/grant and we can assist further?
Below permissions need to be grant as per your requirement
Example
RoleName- PRODUCTION_DBT
USE ROLE ACCOUNTADMIN (Role with Super Privileges as AccountAdmin)
GRANT USAGE ON WAREHOUSE TO ROLE PRODUCTION_DBT
GRANT USAGE ON DATABASE TO ROLE PRODUCTION_DBT
GRANT USAGE ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT CREATE TABLE ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT SELECT ON ALL TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT SELECT ON FUTURE TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN .
TO ROLE PRODUCTION_DBT
GRANT TRUNCATE ON ALL TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT CREATE VIEW ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT CREATE PROCEDURE ON SCHEMA . TO ROLE
PRODUCTION_DBT
Below grants will provide CURD access to a role.
grant usage on database…
grant usage on schema…
grant create table on schema….
--above will give CURD
grant select, insert, delete, ... on all tables in schema
--above grant will take care of all exists table grants
grant select, insert, delete, ... on future tables in schema
--above grant will take care of all future tables

Resources