Snowflake Output Connector - Tableau-CRM - snowflake-cloud-data-platform

I am trying to use the Salesforce Analytics (Tableau-CRM) Snowflake output connector but getting the below error from Snowflake.
SQL access control error: Insufficient privileges to operate on table stage 'TEST_NZ_EMP' when the JDBC 3.12.2 connector runs the below command.
put file:///data/00Db0000000d/8Mo/.elt_maestro_elt.00Db0000000d8Mo.03C5p000003eKXMEA2_maestro_11149256732875375332/tmp03C5p000003eKXMEA2.896586859/GetFromGateway_g.38fe869b-0e3d-4500-87b0-45c2449898db/output-aggregate-folder25db8c0f-941b-4cfc-a049-fee9295e1d44/TEST_NZ_EMP_* #%"TEST_NZ_EMP"/qFgpy auto_compress=true overwrite=true;
The account has been given the following permissions using this article for instructions https://www.snowflake.com/blog/integrating-salesforce-data-with-snowflake-using-tableau-crm-sync-out/
GRANT USAGE ON DATABASE SYNC_DB TO ROLE SYNCOUT;
GRANT USAGE, CREATE TABLE, CREATE STAGE ON SCHEMA SYNC_DB.SYNCOUT TO ROLE SYNCOUT;
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON FUTURE TABLES IN SCHEMA SYNC_DB.SYNCOUT TO ROLE SYNCOUT;
Any suggestions on what other permission could be required?
Thank you

You need to have OWNERSHIP on the table to be able to stage files.
From our documentation:
Note that a table stage is not a separate database object; rather, it is an implicit stage tied to the table itself. A table stage has no grantable privileges of its own. To stage files to a table stage, list the files, query them on the stage, or drop them, you must be the table owner (have the role with the OWNERSHIP privilege on the table).
For more information, read here
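
Applied to the objects named in the question, the ownership requirement can be checked and met as follows. This is an added example, not part of the original answer; it assumes the statements are run by a role that can see SYNC_DB.SYNCOUT and holds MANAGE GRANTS (SECURITYADMIN is used here as an assumption).

```sql
-- Added example. SYNC_DB, SYNCOUT and TEST_NZ_EMP are the names from the question.
-- Assumption: SECURITYADMIN (or another role with MANAGE GRANTS) can see the schema.
USE ROLE SECURITYADMIN;

-- 1. Find the current owner: look for the row with privilege = OWNERSHIP.
SHOW GRANTS ON TABLE SYNC_DB.SYNCOUT.TEST_NZ_EMP;

-- 2. Transfer ownership of the existing table to the connector role.
--    COPY CURRENT GRANTS keeps the grants other roles already hold on it.
GRANT OWNERSHIP ON TABLE SYNC_DB.SYNCOUT.TEST_NZ_EMP
  TO ROLE SYNCOUT COPY CURRENT GRANTS;

-- 3. Tables that SYNCOUT creates itself are owned by SYNCOUT automatically.
--    For tables other roles create in this schema later, a future grant
--    hands ownership to SYNCOUT at creation time.
GRANT OWNERSHIP ON FUTURE TABLES IN SCHEMA SYNC_DB.SYNCOUT TO ROLE SYNCOUT;

-- 4. Verify as the connector role: listing the table stage requires the same
--    ownership that PUT does, so this fails with the same access control
--    error if the transfer did not take effect.
USE ROLE SYNCOUT;
LIST @SYNC_DB.SYNCOUT.%TEST_NZ_EMP;
```

OWNERSHIP also lets SYNCOUT alter or drop these tables, so keep that role limited to the sync schema.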

Related

What is the complete list of privileges a role needs in order to create a table in a schema?

I have granted USAGE on the schemas and database.
I have granted select on all tables.
Using that role, I can read data from all tables within any schema.
I then grant the permission to create tables in all schemas within that database
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
Yet, when I issue this command (while using DEVELOPERS role), I get an error
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
What am I missing?
Works fine for me (script below). Going to go with what Lukasz commented and that your schema was created later.
use role accountadmin;
create database TEST1_CONTROL;
create schema PDS;
create role DEVELOPERS;
grant role DEVELOPERS to user <your_username>;
GRANT USAGE ON DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT USAGE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
use role DEVELOPERS;
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
Snowflake does offer future grants if you want a role to have access to any new schemas that would be created in the future.
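
The difference between ON ALL SCHEMAS and future grants, using the names from this thread. This is an added example, not part of the original answer; it assumes a role with MANAGE GRANTS (SECURITYADMIN here) runs it.

```sql
-- Added example. TEST1_CONTROL, PDS and DEVELOPERS are the names from the thread.
-- Assumption: run by a role holding MANAGE GRANTS, which database-level
-- future grants require.
USE ROLE SECURITYADMIN;

-- 1. Inspect what the role holds today. If there is no CREATE TABLE row for
--    TEST1_CONTROL.PDS, the schema was created after the bulk grant ran.
SHOW GRANTS TO ROLE DEVELOPERS;

-- 2. ON ALL SCHEMAS is a one-time expansion over the schemas that exist when
--    the statement runs. Grant directly on the schema that was missed.
GRANT USAGE, CREATE TABLE ON SCHEMA TEST1_CONTROL.PDS TO ROLE DEVELOPERS;

-- 3. Future grants cover schemas created from now on.
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;
GRANT CREATE TABLE ON FUTURE SCHEMAS IN DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;

-- 4. Tables created later by other roles are not readable by DEVELOPERS
--    unless a future grant on tables exists as well.
--    Note: if a schema has its own future grants for tables, those take
--    precedence and this database-level grant is ignored in that schema.
GRANT SELECT ON FUTURE TABLES IN DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;

-- 5. Review the standing future grants; they are not listed by SHOW GRANTS TO ROLE.
SHOW FUTURE GRANTS IN DATABASE TEST1_CONTROL;
```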

How to create a table in Snowflake, but prevent dropping it under the same role?

We have built a streaming pipeline that has the rights to create new tables in Snowflake when they are created in the source system (running under the role PROD_EL_ROLE).
Even though we have time travel enabled 'for backup', I want to prevent the PROD_EL_ROLE itself from being able to 'accidentally' DROP tables. AFAIK, this cannot be done directly as the creator of a table in Snowflake is also the owner, and thus, is also allowed to drop the table.
What I tried in addition is to transfer the owner to another role higher in our RBAC hierarchy (PROD_SYSADMIN_ROLE). This unfortunately only works by using REVOKE GRANTS, which is not what we want as with the creating of a table under PROD_EL_ROLE various privileges are auto-created by various FUTURE GRANTS. And we obviously don't want to remove them.
If I use COPY GRANTS, it does not work due to the PROD_EL_ROLE not having the MANAGE GRANTS right. Which is a grant we obviously do not want to give to PROD_EL_ROLE...
I only want to prevent table dropping by PROD_EL_ROLE
Any idea how to solve this?
To follow the DAC concept, you own the object you created and can then customise grants on it, so there is no way to prevent dropping it unless a higher role in the same RBAC hierarchy claims ownership and grants back some or ALL privileges on the object to that role.
So, for your requirement here, another separate process/user needs to use PROD_SYSADMIN_ROLE to claim ownership of the objects and grant back ALL PRIVILEGES on them to the role PROD_EL_ROLE:
USE ROLE PROD_SYSADMIN_ROLE;
grant ownership on ALL TABLES in SCHEMA TESTDB.TESTSCHEMA
TO ROLE PROD_SYSADMIN_ROLE;
grant ALL PRIVILEGES on ALL TABLES in SCHEMA TESTDB.TESTSCHEMA
TO ROLE PROD_EL_ROLE;
Now the role PROD_EL_ROLE can do all DML operations but no DDL operations on it again (dropping/modifying the definition of the object).

How to get the user who created table in snowflake

Is there any way to check the name of the user who created a table in a Snowflake database?
In a previous question on Stack Overflow, someone suggested the query below.
How to find the user who created a table in Snowflake
But I am unable to run the query; it shows the error below:
Error: SQL compilation error: Shared database is no longer available for use. It will need to be re-created if and when the publisher makes it available again.
After going through some documentation in Snowflake, I understood it needs share access.
Please let us know if this share access can be granted to every end user to find the name of the user who created a table. Is it recommended to grant it to users?
If so, how do I grant access to a user,
or is there any alternative way to get this information?
Regards,
Srinivas
Run the following command to find your current role:
select current_role();
Then ask your account admin to grant access to the SNOWFLAKE database:
grant IMPORTED PRIVILEGES on database snowflake to role your_role_name;
You can try the Information Schema. If you have access to that database then you should be good.
select user_name,query_text,*
from table(information_schema.query_history())
where contains(lower(query_text),'<your table name>')
and query_type = 'CREATE_TABLE'
order by start_time;
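
The same lookup against the shared SNOWFLAKE database, for cases where the table is older than the 7 days of history that the INFORMATION_SCHEMA.QUERY_HISTORY table function returns. This is an added example, not part of the original answers; it assumes the current role has been granted IMPORTED PRIVILEGES on the SNOWFLAKE database as described above, and '<your table name>' is the same placeholder the answer uses.

```sql
-- Added example. Assumption: the current role has IMPORTED PRIVILEGES on the
-- SNOWFLAKE database. ACCOUNT_USAGE views keep 365 days of history but lag
-- behind real time, so a table created minutes ago may not appear yet.

-- 1. Who ran the CREATE TABLE statement, and under which role.
SELECT user_name,
       role_name,
       start_time,
       execution_status,
       query_text
FROM snowflake.account_usage.query_history
WHERE query_type IN ('CREATE_TABLE', 'CREATE_TABLE_AS_SELECT')
  AND query_text ILIKE '%<your table name>%'
  AND start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())  -- bound the scan
ORDER BY start_time;

-- 2. Cross-check with the table metadata: the owning role and the creation
--    time. A non-null DELETED value means that version of the table was
--    dropped, which helps when a table has been re-created under the same name.
SELECT table_catalog,
       table_schema,
       table_name,
       table_owner,
       created,
       deleted
FROM snowflake.account_usage.tables
WHERE table_name = UPPER('<your table name>')
ORDER BY created;
```

Matching the CREATED timestamp from the second query to START_TIME in the first ties a specific table version to the user who created it.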

Troubleshoot permissions on a database I am trying to share across two snowflake accounts for same region

I have two Snowflake accounts and need to clone or copy the databases and tables in the same region.
Solutions that I am trying to replicate:
Data Sharing Intro Reference
I read that:
"Snowflake supports using grants to provide granular access control to
selected objects (schemas, tables, secure views, and secure UDFs) in
the database (i.e., you grant access privileges for one or more
specific objects within the database)."
It sounds like I could share a UDF with the database I want to share with the account, but read only features. This is confirmed:
" ...but cannot perform any of the DML tasks that are allowed in a
full account (data loading, insert, update, etc.)."
Setting up one account as a provider:
USE ROLE ACCOUNTADMIN;
CREATE MANAGED ACCOUNT reader_acct1
ADMIN_NAME = user1 , ADMIN_PASSWORD = 'Sdfed43da!44' ,
TYPE = READER;
//create share
CREATE SHARE Articlelibary_share;
GRANT USAGE ON DATABASE Snapshots TO SHARE Articlelibary_share;
GRANT USAGE ON SCHEMA Snapshots.public TO SHARE Articlelibary_share;
GRANT SELECT ON TABLE Snapshots.public.Articlelibary_TEST TO SHARE Articlelibary_share;
However, I am getting an error in my worksheet that says:
SQL compilation error: Database 'SNAPSHOTS' does not exist or not
authorized.
What I have found is that when I am in the ACCOUNTADMIN role I can see the Snapshots table; however, in the SYSADMIN role I cannot see the Snapshots table.
So, how can I fix the Database/Table permissions so that I can add it to the share?
The activities of creating a share and allowing access to other accounts have to be performed only by the ACCOUNTADMIN, and that is the reason for the error that you are seeing.
From the documentation it is very clear:
https://docs.snowflake.net/manuals/user-guide/data-sharing-gs.html#getting-started-with-secure-data-sharing
To perform the tasks described in this topic, you must use the ACCOUNTADMIN role.

get oracle scn with a schema from another schema

I have 2 schemas on my database, an admin (which contains all the tables) and a second schema which has grants to select, update, delete from synonym tables from admin. (I am using 11G)
I am working just with the admin schema.
What I am trying to do is get the SCN before an operation is done:
SELECT current_scn FROM V$DATABASE;
Then some operations are done, and after that I am trying to make a select with the SCN that I stored before the operations:
SELECT * FROM myTable AS OF SCN 2312312;
and then
ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to perform a database operation without
the necessary privileges.
*Action: Ask your database administrator or designated security
administrator to grant you the necessary privileges
this error is coming.
You need to grant the user privileges to run a flashback query against the table.
grant flashback
on myTable
to someUser;
Or you can give the user privileges to run flashback queries against any table
grant flashback any table
to someUser;
Generally, auditors get rather nervous when they see the various "any" privileges but this one is reasonably safe. You may also want to grant privileges on the dbms_flashback package as well.
The documentation has a good overview of the administrative tasks to enable flashback features.
