I am trying to grant the MONITOR privilege on all current and future tasks in a Snowflake database to a particular role.
The documentation offers no examples.
I tried GRANT MONITOR ON ALL TASKS ON DATABASE MY_DB TO ROLE ROLE_OVER
Is something like that possible? Do you have to go schema by schema? Individual task by task?
Try this (IN instead of ON):
GRANT MONITOR ON ALL TASKS IN DATABASE MY_DB TO ROLE ROLE_OVER;
I'm trying to monitor Snowflake tasks from information_schema.TASK_HISTORY.
I have a task, TASK_A, created by user USER_A with role ROLE_A,
and another task, TASK_B, created by user USER_B with role ROLE_B,
in the same shared database and schema.
When I query information_schema.TASK_HISTORY as USER_A, I can only see TASK_A's history.
How can I query both task histories?
What type of privilege or grants do I have to give in order to view the combined task history while running the query from one of the users?
I tried giving ownership of TASK_B to ROLE_A but got the following error:
grantee need to be a subordinate role of the schema owner
The data in the INFORMATION_SCHEMA is always filtered by the privileges available to the role querying it.
For the INFORMATION_SCHEMA, you can see the privileges required to view the data in this view in the docs here:
Returns results only for the ACCOUNTADMIN role, the task owner (i.e. the role with the OWNERSHIP privilege on the task) or a role with the global MONITOR EXECUTION privilege. Note that unless a role with the MONITOR EXECUTION privilege also has the USAGE privilege on the database and schema that store the task, the DATABASE_NAME and SCHEMA_NAME values in the output are NULL.
If you can cope with the delayed information (up to 45 mins for TASK_HISTORY), the SNOWFLAKE.ACCOUNT_USAGE.TASK_HISTORY view will have the complete view of all of the tasks executed by all users / roles.
There are a few options here:
Grant the MONITOR EXECUTION privilege to ROLE_A and ROLE_B
Use the ‘ACCOUNT_USAGE’ views to see all of the history for all tasks but delayed
You could grant ROLE_B to ROLE_A or vice versa (this would only work one-way around though otherwise you’d have a circular relationship)
Have a role ROLE_C that has ownership of both tasks and then grant ROLE_C to ROLE_A and ROLE_B.
There are probably some other options, but it would be helpful if you could describe your requirements in more detail so that I can provide a better recommendation.
I created a new database (DB_COMMON) using the ACCOUNTADMIN role and granted ALL PRIVILEGES to other roles, but I am not able to see the newly created database (DB_COMMON) using those roles. Am I missing something? Please guide.
Here is the complete code:
USE ROLE ACCOUNTADMIN;
-- DATABASE CREATION
CREATE DATABASE IF NOT EXISTS DB_COMMON;
-- PERMISSION TO ALL THE FUTURE SCHEMAS
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- PERMISSION TO ALL THE FUTURE TABLES
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- CREATION OF SCHEMA
USE DATABASE DB_COMMON;
CREATE SCHEMA IF NOT EXISTS COMMON;
After these commands, if I switch to these roles (DEVADMIN, QAADMIN, etc.) I am not able to see the DB_COMMON database. Am I missing something? Please guide.
It is not recommended to use the ACCOUNTADMIN role as the owner of user-defined databases:
Avoid Using the ACCOUNTADMIN Role to Create Objects:
The ACCOUNTADMIN role is intended for performing initial setup tasks in the system and managing account-level objects and tasks on a day-to-day basis. As such, it should not be used to create objects in your account, unless you absolutely need these objects to have the highest level of secure access. If you create objects with the ACCOUNTADMIN role and you want users to have access to these objects, you must explicitly grant privileges on the objects to the roles for these users.
Instead, we recommend creating a hierarchy of roles aligned with business functions in your organization and ultimately assigning these roles to the SYSADMIN role. For more information, see Aligning Object Access with Business Functions in this topic.
Second, the USAGE privilege on the database needs to be granted:
GRANT USAGE ON DATABASE ... TO ROLE ...;
Database Privileges:
USAGE
Enables using a database, including returning the database details in the SHOW DATABASES command output. Additional privileges are required to view or take actions on objects in a database.
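The asker's script with the two gaps from this answer closed, as an added example (not the asker's or answerer's code). It uses SYSADMIN as owner per the quoted guidance, adds the missing USAGE grant, and checks visibility from the target role; only DEVADMIN is shown, the other roles follow the same pattern.

```sql
-- Added example, not from the original post. Assumes SYSADMIN may create
-- databases (its default privilege) and that role DEVADMIN already exists.
USE ROLE SYSADMIN;                  -- owner is SYSADMIN, not ACCOUNTADMIN
CREATE DATABASE IF NOT EXISTS DB_COMMON;

-- The missing grant: without USAGE on the database the role cannot even list
-- it, so the future-object grants below are never reachable through it
GRANT USAGE ON DATABASE DB_COMMON TO ROLE DEVADMIN;

-- Future grants as in the question (repeat for QAADMIN, UATADMIN, PRODADMIN)
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES  IN DATABASE DB_COMMON TO ROLE DEVADMIN;

-- Create the schema only after the FUTURE grants: FUTURE covers objects
-- created after the grant, not objects that already existed
CREATE SCHEMA IF NOT EXISTS DB_COMMON.COMMON;

-- Verify from the target role: both SHOW commands now return a row
USE ROLE DEVADMIN;
SHOW DATABASES LIKE 'DB_COMMON';
SHOW SCHEMAS IN DATABASE DB_COMMON;

-- Verify the grant record itself from the owning role
USE ROLE SYSADMIN;
SHOW GRANTS ON DATABASE DB_COMMON;          -- USAGE row for DEVADMIN
SHOW FUTURE GRANTS IN DATABASE DB_COMMON;   -- SCHEMA and TABLE rows
```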
I am trying to grant all privileges for a database to a role in Snowflake.
This includes the ability to read, create, update and delete schemas, stages, storage integrations, tables and so on.
Also should include any future objects created in the database.
grant all on database test to developer;
This only grants visibility of the database, not of the schemas or any other objects within the database.
Unfortunately, in Snowflake there is no such command to grant all access in a single statement.
Even with the ALL PRIVILEGES command, you still have to grant the USAGE privilege on the containing object for it to be effective.
It's mentioned in the documentation on Schema Privileges as well.
For future grants, you can try the following commands at schema and database level:
SCHEMA LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on schema SAMPLEDATABASE1.TEST to role testrole12;
grant select on future tables in schema SAMPLEDATABASE1.TEST to role testrole12;
grant role testrole12 to user SUJANT3;
DATABASE LEVEL
grant usage on database SAMPLEDATABASE1 to role testrole12;
grant usage on future schemas in database SAMPLEDATABASE1 to role testrole12;
grant select on future tables in database SAMPLEDATABASE1 to role testrole12;
grant role testrole12 to user SUJANT3;
There is no single command that affects all the objects under the database, but you can run this set of SQL statements per object type:
GRANT ALL ON ALL schemas in database <DB> TO ROLE <role>;
GRANT ALL ON ALL TABLES IN SCHEMA <db.schema> TO ROLE <role>;
similarly for future grants:
grant all on future schemas in database <DB> TO ROLE <role>;
grant all on future tables in schema <db.schema> to ROLE <role>;
This can be extended to views and other objects too.
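Putting the two answers above together, here is an added example (not from either answer) for database TEST and role DEVELOPER from the question. It shows the three layers every such grant needs (USAGE entry points, existing objects, future objects) and the SHOW commands that expose what is missing; SECURITYADMIN as the granting role is an assumption.

```sql
-- Added example, not from the original answers. Assumes a role with
-- MANAGE GRANTS (SECURITYADMIN by default) runs it.
USE ROLE SECURITYADMIN;

-- 1. Entry points: without USAGE on database and schema nothing below is
--    reachable, whatever is granted on the tables themselves
GRANT USAGE ON DATABASE TEST TO ROLE DEVELOPER;
GRANT USAGE ON ALL SCHEMAS IN DATABASE TEST TO ROLE DEVELOPER;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE TEST TO ROLE DEVELOPER;

-- 2. Objects that exist today: "ALL <type> IN DATABASE" walks every schema.
--    Swap ALL for SELECT if the role is meant to be read-only.
GRANT ALL ON ALL TABLES IN DATABASE TEST TO ROLE DEVELOPER;
GRANT ALL ON ALL VIEWS  IN DATABASE TEST TO ROLE DEVELOPER;
GRANT ALL ON ALL STAGES IN DATABASE TEST TO ROLE DEVELOPER;

-- 3. Objects created later: one FUTURE grant per object type
GRANT ALL ON FUTURE TABLES IN DATABASE TEST TO ROLE DEVELOPER;
GRANT ALL ON FUTURE VIEWS  IN DATABASE TEST TO ROLE DEVELOPER;
GRANT ALL ON FUTURE STAGES IN DATABASE TEST TO ROLE DEVELOPER;

-- Verify existing grants: every object in TEST should be listed
SHOW GRANTS TO ROLE DEVELOPER;
SELECT "privilege", "granted_on", "name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "name" LIKE 'TEST.%';

-- Verify future grants. A FUTURE grant defined at schema level for the same
-- object type overrides the database-level one for that schema, so check both.
SHOW FUTURE GRANTS IN DATABASE TEST;
SHOW FUTURE GRANTS IN SCHEMA TEST.PUBLIC;
```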
It sounds like you want to grant ownership? There can only be one owner per object, so I recommend you use this only when appropriate:
GRANT OWNERSHIP ON DATABASE TEST TO ROLE DEVELOPER COPY CURRENT GRANTS;
Note: Copying current grants retains the current privileges, except ownership is transferred. Otherwise, all existing privileges will be dropped.
In Snowflake, we are creating a warehouse, but when we create a warehouse with a RESOURCE_MONITOR clause (the monitor was created by ACCOUNTADMIN) using the SYSADMIN role, it gives an access-level error. We have given all privileges on this resource monitor to SYSADMIN but it doesn't work.
Can someone help with the creation of a warehouse without using the ACCOUNTADMIN role?
The CREATE WAREHOUSE privilege, as listed here https://docs.snowflake.com/en/user-guide/security-access-control-privileges.html, must be granted by the ACCOUNTADMIN role to any other role that is used for this operation.
By default sysadmin role would have this privilege, if not, then grant the privilege as accountadmin and use the sysadmin role to run the create operation.
It's not possible to create a warehouse with Resource Monitor unless you use the accountadmin role (even if you change the ownership of the resource monitor). Please note that, when you assign a resource monitor to a warehouse, you do not only affect the warehouse, you also affect the resource monitor because it might be shared by other users.
You need to create the warehouse, and then assign the resource monitor to the warehouse using the accountadmin role.
After I created a role and user with read-only access to specific tables, the user gets an error: SQL access control error: Insufficient privileges to operate on warehouse
And I can see that the warehouse is suspended for the role that I created for him.
What am I forgetting?
I created with this code:
GRANT USAGE ON WAREHOUSE DEV_DWH TO ROLE READ_R_AND_D;
GRANT USAGE ON DATABASE "Z_DWH_DEV" TO ROLE READ_R_AND_D;
GRANT USAGE ON SCHEMA "Z_DWH_DEV"."DWH" TO ROLE READ_R_AND_D;
GRANT SELECT ON TABLE "Z_DWH_DEV"."DWH"."FACT_DAILY" TO ROLE READ_R_AND_D;
grant role READ_R_AND_D to user EYAL;
Is the warehouse set to auto-resume? If not, you need further privileges beyond USAGE to resume it.
In order for the role to resume the warehouse, it needs to have the OPERATE privilege on the warehouse:
grant operate on warehouse DEV_DWH to role READ_R_AND_D;
This grants the role the ability to start, stop, suspend, or resume a virtual warehouse. Grants ability to suspend or resume a task.
Details: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#examples
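Both fixes from the two answers above, with a check of the warehouse setting first, as an added example (not the asker's or answerers' code). DEV_DWH, READ_R_AND_D and the table name are from the question; SYSADMIN owning the warehouse is an assumption.

```sql
-- Added example, not from the original thread. Assumes SYSADMIN owns DEV_DWH.
USE ROLE SYSADMIN;

-- Check the current setting: "auto_resume" decides whether USAGE is enough
SHOW WAREHOUSES LIKE 'DEV_DWH';
SELECT "name", "state", "auto_resume"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));

-- Option A (narrowest for a read-only role): let the warehouse wake itself,
-- so the role only ever needs USAGE and never gains suspend/resume rights
ALTER WAREHOUSE DEV_DWH SET AUTO_RESUME = TRUE;
GRANT USAGE ON WAREHOUSE DEV_DWH TO ROLE READ_R_AND_D;

-- Option B: keep AUTO_RESUME off and let the role resume explicitly.
-- OPERATE also permits suspending the warehouse, so it is broader than A.
GRANT OPERATE ON WAREHOUSE DEV_DWH TO ROLE READ_R_AND_D;

-- Verify as the affected role: the query should now resume the warehouse
-- and run instead of failing with "Insufficient privileges to operate"
USE ROLE READ_R_AND_D;
USE WAREHOUSE DEV_DWH;
SELECT COUNT(*) FROM "Z_DWH_DEV"."DWH"."FACT_DAILY";
```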