I use an hierarchy of roles (technical role on specific object) and a usage role X granted with this technical role.
my schema dataprep is with access managed.
grant usage on warehouse WH to role TWX;
grant ownership on all tasks in schema dataprep to role TX revoke current grants;
grant ownership on future tasks in schema dataprep to role TX revoke current grants;
grant role TWX to role X
grant role Tx to role X
i have too fixed the privilege execute_task on account.
with role X, i created an task with success but i have an error when resuming this task:
Cannot execute task , USAGE privilege on the task's warehouse must be granted to owner role
So i use differents grant directly on role X and it's work.
i don't understand. the inheriting does not work for task execution ? can you explain the problem ?
thanks
In managed access schemas (i.e. schemas created using the CREATE SCHEMA … WITH MANAGED ACCESS syntax), only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) can grant or revoke privileges on future objects in the schema.
More details: https://docs.snowflake.com/en/user-guide/security-access-control-configure.html#security-privileges-required-to-manage-future-grants
Related
I've got Accountadmin role on this Snowflake account. I ran show grants on schema command in snowflake and get these privileges as on the screenshot.
Ownership privilege is empty and so it doesn't let me run grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to accountadmin for the above schema to assign myself the ownership privilege.
I need to have ownership privilege to remove some tables from this schema.
Could someone suggest how to assign ownership privilege to accountadmin role for this schema?
This situation can be caused by user-initiated actions, if a grant is involving system owned entities (such as default) roles, and via using MANAGE GRANTS on ACCOUNT privilege to custom roles.
I would suggest opening a Support Case as we'd need to review all the grant changes that occurred on that schema to understand what caused the situation in the first place, and then revert it.
That said, you should still be able to execute this statement with either ACCOUNTADMIN or SECURITYADMIN:
use role accountadmin;
grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to role accountadmin;
What permissions are required to access information_schema.warehouse_load_history from snowsql? I created a role and user like the below and this shows 0 results.
create role TESTROLE;
grant imported privileges on database SNOWFLAKE to role TESTROLE;
create user TEST_USER
LOGIN_NAME = TEST_USER
password = 'Testsnowflake$1234'
default_warehouse = TEST_WH
default_role = TESTROLE
default_namespace = SNOWFLAKE.INFORMATION_SCHEMA;
grant role TESTROLE to user TEST_USER;
grant usage on WAREHOUSE TEST_WH to role TESTROLE;
Please see this link for required privileges
https://docs.snowflake.com/en/sql-reference/functions/warehouse_load_history.html#usage-notes
To get results from this function, one of the following roles or
privileges are required:
The ACCOUNTADMIN role can get results from this function as it has all
of the global account permissions.
A role with the MONITOR USAGE global privilege on the ACCOUNT can
query this function for any warehouses in the account.
A role with the MONITOR privilege on the WAREHOUSE can query this
function for the warehouse it has permissions on.
A role with the OWNERSHIP privilege on the WAREHOUSE has all
permissions on the warehouse including MONITOR.
For more details, see Access Control Privileges.
When calling an Information Schema table function, the session must
have an INFORMATION_SCHEMA schema in use or the function name must be
fully-qualified. For more details, see Snowflake Information Schema.
Is there a way to do this?
There is a admin role which is the owner of the database, schema & all other objects.
There is tester role with only read/write permissions on 1 schema of the database.
The tester role needs to be a part of the admin role for that 1 specific schema (so that any new objects created - the ownership will be on the admin role).
Have to revoke access to users of the tester role access on all other schemas in the database
I've tried these scripts:
grant role testerrole to user tester1;
grant usage on database DEMODB to role adminrole;
grant usage on database DEMODB to role testerrole;
grant all on database DEMODB to role adminrole;
grant select,insert,update,delete in schema "DEMODB"."DEVSCHM" to role testerrole;
--Adding tester role in admin role
grant role adminrole to testerrole;
-- revoke all other schema access to tester1 (This fails. How to fix this?)
revoke usage on schema "DEMODB"."PRDSCHM" from user tester1;
revoke usage on schema "DEMODB"."QASSCHM" from user tester1;
Looking to accomplish this - The testerrole needs to be able to create objects in the DEVSCHM, but ownership of the object should still be held with adminrole
If I've understood your question, you want the admin role to own all objects regardless of the role that created them. If that is the case then just grant future ownership on the relevant objects to the admin role
I created a new Database (DB_COMMON) using ACCOUNTADMIN role and I grant ALL PRIVILEGES to other roles but I am not able to see newly created Database (DB_COMMON) using those roles. Am I missing something? Please guide.
Here is the complete code:
USE DATABASE ACCOUNTADMIN;
-- DATABASE CREATION
CREATE DATABASE IF NOT EXISTS DB_COMMON;
-- PERMISSION TO ALL THE FUTURE SCHEMAS
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- PERMISSION TO ALL THE FUTURE TABLES
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- CREATION OF SCHEMA
USE DATABASE DB_COMMON;
CREATE SCHEMA IF NOT EXISTS COMMON;
After these commands, if I switch to these roles (DEVADMIN, QAADMIN, etc) I am not able to see DB_COMMON Database. Am I missing something? Please guide.
It is not recommeded to use ACCOUNTADMIN role as owner of user-defined databases:
Avoid Using the ACCOUNTADMIN Role to Create Objects:
The ACCOUNTADMIN role is intended for performing initial setup tasks in the system and managing account-level objects and tasks on a day-to-day basis. As such, it should not be used to create objects in your account, unless you absolutely need these objects to have the highest level of secure access. If you create objects with the ACCOUNTADMIN role and you want users to have access to these objects, you must explicitly grant privileges on the objects to the roles for these users.
Instead, we recommend creating a hierarchy of roles aligned with business functions in your organization and ultimately assigning these roles to the SYSADMIN role. For more information, see Aligning Object Access with Business Functions in this topic.
Second the USAGE permission on the database needs to be granted.
GRANT USAGE ON DATABASE ... TO ROLE ...;
Database Privileges:
USAGE
Enables using a database, including returning the database details in the SHOW DATABASES command output. Additional privileges are required to view or take actions on objects in a database.
I need information within Snowflake which captures "Role to Privilege mapping".
Example :: If I am an user "USER_01" & I have the role as "ANALYST", then this "ANALYST" role has access to which all the objects (database/schema/table/etc..) in Snowflake account I would need that information.
Any pointers like queries/metadata tables/etc.. would help as there has to be some metadata tables which would keep this role to privilege mapping.
For e.g., queries like :
show grants to user USER_01
--> This gives what role has been assigned to this user. But this do not convey any information regarding what all privileges has been given to that role. Like if this role has got below access:
grant usage on database DB_01 to role analyst;
grant all privileges on schema schema_01 to role analyst;
grant all privileges on all tables in schema schema_01 to role analyst;
SHOW GRANTS:
SHOW GRANTS TO ROLE <role_name>
Key point: Access Control Framework
Role-based Access Control (RBAC): Access privileges are assigned to roles, which are in turn assigned to users.
Access priviliges are not assigned directly to users.
If you want to list all the privileges given to a user, you may use the stored procedure described in this KB article:
https://community.snowflake.com/s/article/How-to-Capture-Snowflake-Users-Roles-and-Grants-Into-a-Table