After I created a Role and User as read-only for specific tables, the user gets an error: SQL access control error: Insufficient privileges to operate on warehouse
And I can see that the Warehouse is suspended for the Role that I created for him.
What am I forgetting?
I created them with this code:
GRANT USAGE ON WAREHOUSE DEV_DWH TO ROLE READ_R_AND_D;
GRANT USAGE ON DATABASE "Z_DWH_DEV" TO ROLE READ_R_AND_D;
GRANT USAGE ON SCHEMA "Z_DWH_DEV"."DWH" TO ROLE READ_R_AND_D;
GRANT SELECT ON TABLE "Z_DWH_DEV"."DWH"."FACT_DAILY" TO ROLE READ_R_AND_D;
grant role READ_R_AND_D to user EYAL;
Is the warehouse set to auto resume? If not, you need further permissions, other than usage, to resume it.
In order for the role to resume the warehouse, it needs to have the OPERATE privilege on the warehouse.
grant operate on warehouse DEV_DWH to role READ_R_AND_D;
This grants the role the ability to start, stop, suspend, or resume a virtual warehouse. Grants ability to suspend or resume a task.
Details: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#examples
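An added example, not part of the original question or answers: the two options mentioned above (auto-resume versus OPERATE) side by side, with the checks that show which one is in effect. It assumes the statements are run by the role that owns DEV_DWH and that the current user has been granted READ_R_AND_D for the verification step.

```sql
-- Added example; assumes the current role owns DEV_DWH.

-- 1. Check the warehouse: see the "state" and "auto_resume" columns.
SHOW WAREHOUSES LIKE 'DEV_DWH';

-- 2. Check what the read-only role holds on the warehouse today.
SHOW GRANTS ON WAREHOUSE DEV_DWH;
SHOW GRANTS TO ROLE READ_R_AND_D;

-- Choose ONE of the two options below.

-- Option A (narrower): the role keeps USAGE only, and the warehouse
-- resumes by itself when a statement is submitted to it.
ALTER WAREHOUSE DEV_DWH SET AUTO_RESUME = TRUE;

-- Option B (broader): the role may change the warehouse state itself.
-- OPERATE also allows suspending the warehouse and aborting queries
-- running on it, which is more than a read-only user needs.
GRANT OPERATE ON WAREHOUSE DEV_DWH TO ROLE READ_R_AND_D;

-- 3. Verify as the read-only role.
USE ROLE READ_R_AND_D;
USE WAREHOUSE DEV_DWH;
SELECT COUNT(*) FROM "Z_DWH_DEV"."DWH"."FACT_DAILY";

-- If option B was granted earlier and option A is used instead,
-- switch back to the owning role and remove the extra privilege:
-- REVOKE OPERATE ON WAREHOUSE DEV_DWH FROM ROLE READ_R_AND_D;
```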
Related
I've got Accountadmin role on this Snowflake account. I ran show grants on schema command in snowflake and get these privileges as on the screenshot.
Ownership privilege is empty and so it doesn't let me run grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to accountadmin for the above schema to assign myself the ownership privilege.
I need to have ownership privilege to remove some tables from this schema.
Could someone suggest how to assign ownership privilege to accountadmin role for this schema?
This situation can be caused by user-initiated actions, if a grant involves system-owned entities (such as default roles), and via using MANAGE GRANTS on ACCOUNT privilege to custom roles.
I would suggest opening a Support Case as we'd need to review all the grant changes that occurred on that schema to understand what caused the situation in the first place, and then revert it.
That said, you should still be able to execute this statement with either ACCOUNTADMIN or SECURITYADMIN:
use role accountadmin;
grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to role accountadmin;
What permissions are required to access information_schema.warehouse_load_history from snowsql? I created a role and user like the below and this shows 0 results.
create role TESTROLE;
grant imported privileges on database SNOWFLAKE to role TESTROLE;
create user TEST_USER
LOGIN_NAME = TEST_USER
password = 'Testsnowflake$1234'
default_warehouse = TEST_WH
default_role = TESTROLE
default_namespace = SNOWFLAKE.INFORMATION_SCHEMA;
grant role TESTROLE to user TEST_USER;
grant usage on WAREHOUSE TEST_WH to role TESTROLE;
Please see this link for required privileges
https://docs.snowflake.com/en/sql-reference/functions/warehouse_load_history.html#usage-notes
To get results from this function, one of the following roles or privileges are required:
- The ACCOUNTADMIN role can get results from this function as it has all of the global account permissions.
- A role with the MONITOR USAGE global privilege on the ACCOUNT can query this function for any warehouses in the account.
- A role with the MONITOR privilege on the WAREHOUSE can query this function for the warehouse it has permissions on.
- A role with the OWNERSHIP privilege on the WAREHOUSE has all permissions on the warehouse including MONITOR.
For more details, see Access Control Privileges.
When calling an Information Schema table function, the session must have an INFORMATION_SCHEMA schema in use or the function name must be fully-qualified. For more details, see Snowflake Information Schema.
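An added example, not part of the original answer: the narrowest of the privileges quoted above applied to TESTROLE, followed by a fully-qualified call to the table function. MY_DB is a hypothetical database name; the grants are assumed to be run by the owner of TEST_WH or by a role with MANAGE GRANTS.

```sql
-- Added example; MY_DB is a hypothetical database the role can use.

-- Narrow grant: MONITOR on the one warehouse the role should see.
GRANT MONITOR ON WAREHOUSE TEST_WH TO ROLE TESTROLE;

-- Broader alternative (every warehouse in the account); use only if
-- the role is meant to see account-wide load:
-- GRANT MONITOR USAGE ON ACCOUNT TO ROLE TESTROLE;

-- The function lives in a database's INFORMATION_SCHEMA, so the role
-- needs USAGE on that database to resolve the qualified name.
GRANT USAGE ON DATABASE MY_DB TO ROLE TESTROLE;

-- Query as the restricted role, with the function name fully qualified
-- so the result does not depend on the session's current schema.
USE ROLE TESTROLE;
USE WAREHOUSE TEST_WH;
SELECT *
FROM TABLE(MY_DB.INFORMATION_SCHEMA.WAREHOUSE_LOAD_HISTORY(
       DATE_RANGE_START => DATEADD('hour', -1, CURRENT_TIMESTAMP()),
       WAREHOUSE_NAME   => 'TEST_WH'));

-- Confirm what the role ended up with.
SHOW GRANTS TO ROLE TESTROLE;
```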
I use a hierarchy of roles (a technical role on a specific object) and a usage role X granted with this technical role.
My schema dataprep is with managed access.
grant usage on warehouse WH to role TWX;
grant ownership on all tasks in schema dataprep to role TX revoke current grants;
grant ownership on future tasks in schema dataprep to role TX revoke current grants;
grant role TWX to role X;
grant role TX to role X;
I have also set the privilege execute_task on account.
With role X, I created a task successfully, but I get an error when resuming this task:
Cannot execute task , USAGE privilege on the task's warehouse must be granted to owner role
So I used different grants directly on role X and it works.
I don't understand. Does the inheritance not work for task execution? Can you explain the problem?
Thanks
In managed access schemas (i.e. schemas created using the CREATE SCHEMA … WITH MANAGED ACCESS syntax), only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) can grant or revoke privileges on future objects in the schema.
More details: https://docs.snowflake.com/en/user-guide/security-access-control-configure.html#security-privileges-required-to-manage-future-grants
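An added example, not part of the original question or answer: a way to check which role the error message means by "owner role" and to give that role the warehouse privilege. It assumes SHOW TASKS reports TX as the owner (the future OWNERSHIP grant in the question points at TX, while USAGE on WH went to TWX); MY_TASK is a hypothetical task name.

```sql
-- Added example; MY_TASK is a hypothetical task name.

-- 1. Find the role that owns the task: see the "owner" column.
SHOW TASKS IN SCHEMA dataprep;

-- 2. Compare what each technical role holds. Privileges flow upward
--    to X, which inherits both roles; TX does not inherit from TWX.
SHOW GRANTS TO ROLE TX;    -- assumed owner: no USAGE on WH listed
SHOW GRANTS TO ROLE TWX;   -- USAGE on WH is here

-- 3. Give the owner role what a task run needs. Choose ONE of:
-- 3a. grant the warehouse privilege directly to the owner role
GRANT USAGE ON WAREHOUSE WH TO ROLE TX;
-- 3b. or make the owner role inherit it from the warehouse role
-- GRANT ROLE TWX TO ROLE TX;

-- 4. The owner role also needs EXECUTE TASK on the account
--    (granted by ACCOUNTADMIN unless delegated).
GRANT EXECUTE TASK ON ACCOUNT TO ROLE TX;

-- 5. Resume with the usage role, which inherits ownership through TX.
USE ROLE X;
ALTER TASK dataprep.MY_TASK RESUME;
```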
In Snowflake, we are creating a warehouse, but when we create a warehouse with the resource_monitor clause (it was created by accountadmin) by the sysadmin role, it gives an access level error. We have given all privileges to sysadmin on this resource monitor but it doesn't work.
Can someone help with the creation of a warehouse without using the "accountadmin" role?
The CREATE WAREHOUSE privilege, as listed here: https://docs.snowflake.com/en/user-guide/security-access-control-privileges.html
must be granted by the accountadmin role to any other role which is being used for this operation.
By default sysadmin role would have this privilege, if not, then grant the privilege as accountadmin and use the sysadmin role to run the create operation.
It's not possible to create a warehouse with Resource Monitor unless you use the accountadmin role (even if you change the ownership of the resource monitor). Please note that, when you assign a resource monitor to a warehouse, you do not only affect the warehouse, you also affect the resource monitor because it might be shared by other users.
You need to create the warehouse, and then assign the resource monitor to the warehouse using the accountadmin role.
Trying to grant a role access to drop a schema from a database in Snowflake. What grants do I need to apply?
Currently if we try to execute this statement for the user:
DROP SCHEMA IF EXISTS schemaname_123;
We get this error:
SQL access control error: Insufficient privileges to operate on schema 'schemaname_123'
The role currently has these grants on the database
GRANT USAGE, MONITOR, CREATE SCHEMA ON DATABASE RAW TO ROLE INGESTION_ROLE;
The DROP privilege is tied to the object owner.
To drop a schema, you must be using a role that has ownership privilege on the schema.
Note that granting ownership in fact transfers the ownership to another role.
grant ownership on schema schemaname_123 to role INGESTION_ROLE;