Command 'describe table' not authorized - snowflake-cloud-data-platform

I want to run the statement DESCRIBE TABLE dwh.ods.users with the role PUBLIC.
I have already granted privileges to the role public with:
grant all privileges on schema ods to public;
However, when I try to run the query, I get the following error:
SQL compilation error:
Table 'DWH.ODS.USERS' does not exist or not authorized.
With the role USERADMIN it works. How could I solve it? Thanks

You also have to grant USAGE on the database. Granting all privileges on the schema doesn't mean granting privileges for the database.
GRANT USAGE ON DATABASE <database> TO ROLE <role>;
In your case:
GRANT USAGE ON DATABASE dwh TO ROLE public;
You can find more info about the USAGE-right here: https://docs.snowflake.com/en/user-guide/security-access-control-privileges.html

Please try to grant SELECT on table, USAGE on schema and database:
grant usage on database DWH to public;
grant usage on schema DWH.ODS to public;
grant select on table DWH.ODS.USERS to public;

Related

How do I grant all privileges for a database to a role in Snowflake

I am trying to grant all privileges for a database to a role in snowflake
This includes all ability to read, create, update and delete schemas, stages, storage integrations, tables and so on.
Also should include any future objects created in the database.
grant all on database test to developer;
This only grants view of the database and not the schema or any other objects within the database

Unfortunately, in Snowflake there is no such command to grant all access via a single command.
Even with all privileges command, you have to grant one usage privilege against the object to be effective.
It's mentioned in the documentation on Schema Privileges as well.
For future grants, you can try the following commands at the schema and database level:
SCHEMA LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on schema SAMPLEDATABASE1.TEST to role testrole12;
grant select on future tables in schema SAMPLEDATABASE1.TEST to role testrole12;
grant role testrole12 to user SUJANT3;
DATABASE LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on future schemas in database SAMPLEDATABASE1 to role testrole12;
grant select on future tables in database SAMPLEDATABASE1 to role testrole12;
grant role testrole12 to user SUJANT3;

There is no single command to affect all the objects under the database, but you can run this set of SQL statements per object:
GRANT ALL ON ALL schemas in database <DB> TO ROLE <role>;
GRANT ALL ON ALL TABLES IN SCHEMA <db.schema> TO ROLE <role>;
similarly for future grants:
grant all on future schemas in database <DB> TO ROLE <role>;
grant all on future tables in schema <db.schema> to ROLE <role>;
This can be extended to views and other objects too.
It sounds like you want to grant ownership? There can only be 1 owner per object, so I recommend you use this only when appropriate:
GRANT OWNERSHIP ON DATABASE TEST
TO DEVELOPER
COPY CURRENT GRANTS
;
Note: Copying current grants retains the current privileges, except ownership is transferred. Otherwise, all existing privileges will be dropped.

Snowflake custom role not able to create tables on a schema

I have a custom role (readwrite) which is granted to the built-in SYSADMIN role.
I have a database CDP_MODELS which has a schema MODELS in it (the owner for which is SYSADMIN).
I have a user WCOX who is a part of the readwrite role.
I need to provide the user WCOX write access to the CDP_MODELS.MODELS DB so that the user can create new tables.
What I have tried so far -
I see that the readwrite role has usage permission on the database as well as the schema.
But when I log in as the readwrite role and try to create a table on the MODELS schema in the CDP_MODELS DB, it gives the following error -
SQL access control error: Insufficient privileges to operate on schema 'MODELS'
I have also explicitly tried to run the below queries and then try creating the table, but with no luck.
grant usage on database CDP_MODELS to role READWRITE;
grant usage on schema CDP_MODELS.MODELS to role READWRITE;
grant select,insert on future tables in schema CDP_MODELS.MODELS to role READWRITE;
Is there something which I am missing?

You are missing the CREATE TABLE privilege on the schema.
grant create table on schema CDP_MODELS.MODELS to role READWRITE;

snowflake - query grants to role

I made all table grants to a role:
grant select on all tables in schema WORKING to role PROD_WORKING_SR;
grant select on all views in schema WORKING to role PROD_WORKING_SR;
grant select on future tables in schema WORKING to role PROD_WORKING_SR;
grant select on future views in schema WORKING to role PROD_WORKING_SR;
but when I try to verify the grants using command:
show grants to role PROD_WORKING_SR
I get nothing. Can someone help me with a query that I can extract all privileges granted to a role like I did above.
Appreciate your help!!!

You need to give the USAGE privilege to the role for the database and schema.
You can do this using:
grant usage on database <your db name> to role PROD_WORKING_SR;
grant usage on schema WORKING to role PROD_WORKING_SR;

Insufficient privileges to operate on schema 'PUBLIC'

I created a user ANALYST_USER and granted a role ANALYST.
When I tried to create a table in the TEST_DB, I got the following error message:
Unable to create table TEST.
SQL access control error: Insufficient privileges to operate on schema 'PUBLIC'
Here are the statements I wrote before trying to create a table using the ANALYST_USER account.
USE ROLE SECURITYADMIN;
-- Create Role--
CREATE ROLE ANALYST;
-- Database--
GRANT USAGE ON DATABASE TEST_DB TO ROLE ANALYST;
-- Schema--
GRANT USAGE, MONITOR ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT USAGE, MONITOR ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
-- Warehouse--
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
-- Tables/Views--
GRANT SELECT ON ALL TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT SELECT ON FUTURE TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
-- User --
GRANT ROLE ANALYST to USER ANALYST_USER;
Does anyone know how to solve this issue?

The following statements solved the issue.
GRANT ALL ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT ALL ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
I understand this gives "ALL" permissions, so if we want to give only "create table" permission, then we need to use the following statement instead:
grant create table on all schemas in database TEST_DB to role ANALYST;
It is because the role was missing create table rights on the public schema. You just have usage and monitor privileges in your schema grant. So, GRANT CREATE TABLE ON SCHEMA TEST_DB.PUBLIC TO ROLE ANALYST; would have solved your issue.
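The containment rule behind this answer and behind the DESCRIBE TABLE answers at the top of the page (USAGE on the database, USAGE on the schema, then the privilege on the object itself), as an added Python example that is not part of the original posts. It assumes unquoted identifiers and does not resolve inherited roles; the grant lists and function names are constructed for illustration.

```python
# Added example: a model of the containment check, not Snowflake's own logic.
# Grant rows are (privilege, granted_on, name), as in SHOW GRANTS TO ROLE output.

# Constructed sample: role PUBLIC after "grant all privileges on schema ods"
# (a subset of the schema-level privileges that statement expands to).
PUBLIC_GRANTS = [
    ("USAGE", "SCHEMA", "DWH.ODS"),
    ("MONITOR", "SCHEMA", "DWH.ODS"),
    ("CREATE TABLE", "SCHEMA", "DWH.ODS"),
]
# Constructed sample: role ANALYST after the setup script in the question above.
ANALYST_GRANTS = [
    ("USAGE", "DATABASE", "TEST_DB"),
    ("USAGE", "SCHEMA", "TEST_DB.PUBLIC"),
    ("MONITOR", "SCHEMA", "TEST_DB.PUBLIC"),
    ("USAGE", "WAREHOUSE", "TEST_WH"),
]


def required_grants(action, target):
    """Privileges needed for `action` on `target` (DB.SCHEMA or DB.SCHEMA.TABLE)."""
    parts = target.upper().split(".")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected DB.SCHEMA[.TABLE], got {target!r}")
    db, schema = parts[0], ".".join(parts[:2])
    chain = [("USAGE", "DATABASE", db), ("USAGE", "SCHEMA", schema)]
    if len(parts) == 2:          # schema-level action such as CREATE TABLE
        chain.append((action.upper(), "SCHEMA", schema))
    else:                        # table-level action such as SELECT
        chain.append((action.upper(), "TABLE", ".".join(parts)))
    return chain


def missing_grants(grants, action, target):
    """Return the required grants the role does not hold, outermost first."""
    held = {(p.upper(), t.upper(), n.upper()) for p, t, n in grants}

    def satisfied(req):
        # OWNERSHIP on an object covers every privilege on that object.
        return req in held or ("OWNERSHIP", req[1], req[2]) in held

    return [r for r in required_grants(action, target) if not satisfied(r)]


def grant_statements(missing, role):
    """Render only the missing grants, instead of reaching for GRANT ALL."""
    return [f"GRANT {p} ON {t} {n} TO ROLE {role};" for p, t, n in missing]
```

Feeding it the real privilege, granted_on and name columns from SHOW GRANTS TO ROLE gives the smallest set of statements that closes the gap, which keeps the role narrower than GRANT ALL ON ALL SCHEMAS does.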

snowflake grants for create table

I want to grant Create/Drop/Select/Insert/Delete/Truncate current & future table access to a role.
I did the following but am still having a problem.
grant usage on database TESTDB to role TEST_ROLE;
grant usage on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on future tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on all tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
use role TEST_ROLE;
create table TESTDB.TESTSCHEMA.TESTTAB (name varchar(20));
SQL access control error: Insufficient privileges to operate on schema 'TESTSCHEMA'
Thanks
Creating a table is an action performed in the context of a schema.
You need to use GRANT CREATE TABLE ON SCHEMA ...
I think you are looking to give all permissions of the new schema TESTSCHEMA (except ownership or giving grant to other roles) to the new role TEST_ROLE then use:
grant ALL PRIVILEGES on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
You may verify the privileges given with:
show grants to role TEST_ROLE;
If you think that is too much, then make a list of exactly what you want from the SHOW command result and try to write the new REVOKE/GRANT command following the docs for the privileges you wanna revoke/grant, and we can assist further.

The permissions below need to be granted as per your requirement.
Example
RoleName - PRODUCTION_DBT
USE ROLE ACCOUNTADMIN; -- (role with super privileges, such as ACCOUNTADMIN)
GRANT USAGE ON WAREHOUSE <warehouse> TO ROLE PRODUCTION_DBT;
GRANT USAGE ON DATABASE <database> TO ROLE PRODUCTION_DBT;
GRANT USAGE ON SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;
GRANT CREATE TABLE ON SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;
GRANT SELECT ON ALL TABLES IN SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;
GRANT SELECT ON FUTURE TABLES IN SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;
GRANT TRUNCATE ON ALL TABLES IN SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;
GRANT CREATE VIEW ON SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;
GRANT CREATE PROCEDURE ON SCHEMA <database>.<schema> TO ROLE PRODUCTION_DBT;

The grants below will provide CRUD access to a role.
grant usage on database…
grant usage on schema…
grant create table on schema….
--above will give CRUD
grant select, insert, delete, ... on all tables in schema
--above grant will take care of all existing table grants
grant select, insert, delete, ... on future tables in schema
--above grant will take care of all future tables
