I am trying to select from a table (T1) which has a different role as owner.
Then I granted access to the DB or SCHEMA using the ACCOUNTADMIN privilege, but I am still not able to access the sample table (T1).
Then I was thinking of connecting any one of the existing users to the role and getting access; unfortunately no users are active in that role.
Please share your suggestion/opinion on how to get access or how to change the ownership of the table. Appreciate your help.
Thanks.
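An added example (not part of the original question) of the two usual ways out of this in Snowflake: either bring the owning role under the admin's role hierarchy, or transfer ownership of the table. Database DB1, schema SCH1, and the roles OLD_OWNER_ROLE and NEW_OWNER_ROLE are placeholders; T1 is the question's table.

```sql
-- Added example, not from the original post. Placeholders: DB1, SCH1,
-- OLD_OWNER_ROLE (current owner), NEW_OWNER_ROLE (intended owner).
USE ROLE ACCOUNTADMIN;

-- 1. Find out which role owns the table. ACCOUNTADMIN only inherits the
--    privileges of roles granted to it (directly or via SYSADMIN); an object
--    owned by a role outside that hierarchy is not readable by it.
SHOW GRANTS ON TABLE DB1.SCH1.T1;                 -- OWNERSHIP row shows the owner
SHOW TABLES LIKE 'T1' IN SCHEMA DB1.SCH1;         -- "owner" column, same answer

-- Option A: keep ownership where it is, but place the owning role under
-- SYSADMIN so the admin hierarchy inherits everything it owns.
GRANT ROLE OLD_OWNER_ROLE TO ROLE SYSADMIN;

-- Option B: move ownership. COPY CURRENT GRANTS keeps the privileges already
-- granted on the table; REVOKE CURRENT GRANTS would drop them instead.
-- ACCOUNTADMIN/SECURITYADMIN can do this through the MANAGE GRANTS privilege.
GRANT OWNERSHIP ON TABLE DB1.SCH1.T1
  TO ROLE NEW_OWNER_ROLE COPY CURRENT GRANTS;

-- The same for everything in the schema, if the whole schema is orphaned.
GRANT OWNERSHIP ON ALL TABLES IN SCHEMA DB1.SCH1
  TO ROLE NEW_OWNER_ROLE COPY CURRENT GRANTS;

-- The new owner still needs USAGE on the containers to reach the table.
GRANT USAGE ON DATABASE DB1 TO ROLE NEW_OWNER_ROLE;
GRANT USAGE ON SCHEMA DB1.SCH1 TO ROLE NEW_OWNER_ROLE;

-- Verify from the new owner's point of view.
USE ROLE NEW_OWNER_ROLE;
SELECT COUNT(*) FROM DB1.SCH1.T1;
```

Option A is the lighter change and is usually what the account is missing: custom roles that were never granted to SYSADMIN are invisible to the admin roles.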
I understand that the first user of Snowflake will be an Accountadmin. But what other roles does he have access to by default, and does only the first user of Snowflake have Accountadmin role access by default?
The default role that a user gets is Public. Along with this, the designated administrator user has the accountadmin role assigned to it.
https://docs.snowflake.com/en/user-guide/security-access-control-configure.html
https://docs.snowflake.com/en/user-guide/admin-user-management.html
https://docs.snowflake.com/en/user-guide/admin-user-management.html#user-roles
The accountadmin role can be assigned to different users if there is a requirement for multiple admins but this should be a very careful exercise.
If you set up a new account (trial / on-demand) you get ACCOUNTADMIN and every role.
If you are on a capacity plan the first user gets the four roles as described.
Through the design of an established account, i.e. you're a customer and an administrator in your company has set up access for you, then you can be set up with a default role.
If you are not, and no admin work has been done to assign a role to you, then you get public, which (if properly designed) gives you access to nothing ;)
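Since handing out ACCOUNTADMIN is described above as something to do carefully, an added example (not from the original thread) of how to check who actually holds it. SOME_USER is a placeholder user name; the ACCOUNT_USAGE view is Snowflake's own, but the query is mine.

```sql
-- Added example, not from the original thread. SOME_USER is a placeholder.
USE ROLE ACCOUNTADMIN;   -- SECURITYADMIN can read grants as well

-- Live list of every user and role that currently has ACCOUNTADMIN granted.
SHOW GRANTS OF ROLE ACCOUNTADMIN;

-- Every role a given user has been granted (the answer to "what roles do I have").
SHOW GRANTS TO USER SOME_USER;

-- History from the SNOWFLAKE.ACCOUNT_USAGE share (it lags the live state by
-- up to a couple of hours): who granted ACCOUNTADMIN to whom, and whether
-- that grant is still in force. Useful as a periodic audit query.
SELECT grantee_name, granted_by, created_on
FROM   snowflake.account_usage.grants_to_users
WHERE  role = 'ACCOUNTADMIN'
  AND  deleted_on IS NULL
ORDER BY created_on;
```

The SHOW commands answer the question for today; the ACCOUNT_USAGE query is the one to schedule, because it also records who performed the grant.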
I'm trying to restrict read permissions on some entities to a specific user.
In Oracle I'd simply do
GRANT SELECT ON sensitive_schema.my_table1 TO error_2646;
GRANT SELECT ON sensitive_schema.my_table2 TO error_2646;
GRANT SELECT ON sensitive_schema.my_tableN TO error_2646;
or ideally at schema level
GRANT SELECT ON sensitive_schema TO error_2646;
Can I do this in Snowflake? In the documentation it looks like permissions are managed by role in Snowflake and I'd rather not change this person's role.
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html
As Snowflake's approach to permissions is Role-based Access Control (RBAC), you will not be able to give GRANTs to a specific user.
If you absolutely don't want to work with roles for this, maybe you can have a look at Dynamic Data Masking. You will be able to mask data for a specific user using current_user(). But you will have to create a masking policy for every field type you want to mask and apply this policy to every field in your table, so I would not recommend this compared to the role approach.
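An added example (not from the original answer) showing both routes the answer names: the role-based grants, including the schema-level and future-table forms that cover the Oracle wish-list above, and a masking policy keyed on CURRENT_USER(). SENSITIVE_DB, SENSITIVE_SCHEMA, MY_TABLE1, SECRET_COL and the role SENSITIVE_READER are placeholders; ERROR_2646 is the user from the question.

```sql
-- Added example, not from the original answer. Placeholders: SENSITIVE_DB,
-- SENSITIVE_SCHEMA, MY_TABLE1, SECRET_COL, role SENSITIVE_READER.
USE ROLE SECURITYADMIN;

-- RBAC route: a dedicated read-only role granted to the user in addition to
-- whatever role they already use, so their default role does not change.
CREATE ROLE IF NOT EXISTS SENSITIVE_READER;
GRANT USAGE ON DATABASE SENSITIVE_DB TO ROLE SENSITIVE_READER;
GRANT USAGE ON SCHEMA SENSITIVE_DB.SENSITIVE_SCHEMA TO ROLE SENSITIVE_READER;
-- Schema-level equivalent of the Oracle wish: every table that exists now ...
GRANT SELECT ON ALL TABLES IN SCHEMA SENSITIVE_DB.SENSITIVE_SCHEMA TO ROLE SENSITIVE_READER;
-- ... and every table created in the schema later.
GRANT SELECT ON FUTURE TABLES IN SCHEMA SENSITIVE_DB.SENSITIVE_SCHEMA TO ROLE SENSITIVE_READER;
GRANT ROLE SENSITIVE_READER TO USER ERROR_2646;
-- The user activates it per session with USE ROLE SENSITIVE_READER.

-- Masking route: everyone who can SELECT sees the column masked, except the
-- named user. One policy per data type, attached column by column; the
-- user still needs SELECT through some role for the row to come back at all.
USE ROLE ACCOUNTADMIN;   -- holds APPLY MASKING POLICY on the account
CREATE MASKING POLICY IF NOT EXISTS SENSITIVE_DB.SENSITIVE_SCHEMA.ONLY_ERROR_2646_STRING
  AS (val STRING) RETURNS STRING ->
  CASE WHEN CURRENT_USER() = 'ERROR_2646' THEN val ELSE '*** MASKED ***' END;

ALTER TABLE SENSITIVE_DB.SENSITIVE_SCHEMA.MY_TABLE1
  MODIFY COLUMN SECRET_COL
  SET MASKING POLICY SENSITIVE_DB.SENSITIVE_SCHEMA.ONLY_ERROR_2646_STRING;

-- Review what the new role can reach.
SHOW GRANTS TO ROLE SENSITIVE_READER;
```

The masking policy hard-codes a user name inside the policy body, which is why the answer steers toward roles: every new reader means editing policies rather than adding one grant.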
Executed this statement while using ACCOUNTADMIN role:
GRANT CREATE WAREHOUSE ON ACCOUNT TO ROLE DATABASE_ADMIN;
However when I use DATABASE_ADMIN role and then execute create warehouse statement, it gives me following error:
SQL access control error: Insufficient privileges to operate on account 'XXXX'
What am I missing here?
The most common problem I've run into with this is that the Snowflake web IDE actually has two role selectors. The one in the top right is your role when dealing with the interface, but each sheet has its own role as well.
Try adding an explicit use statement before your create.
use role DATABASE_ADMIN;
create warehouse MY_WAREHOUSE ...;
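An added example (not from the original answer) that makes the two-role-selector problem visible: check CURRENT_ROLE() in the worksheet itself, confirm the grant landed on the role, then create the warehouse under an explicit USE ROLE. DATABASE_ADMIN and MY_WAREHOUSE are the thread's names; the warehouse settings are my choices.

```sql
-- Added example, not from the original answer.
SELECT CURRENT_ROLE(), CURRENT_USER();     -- the role this worksheet really runs as

USE ROLE ACCOUNTADMIN;
GRANT CREATE WAREHOUSE ON ACCOUNT TO ROLE DATABASE_ADMIN;
SHOW GRANTS TO ROLE DATABASE_ADMIN;        -- expect a CREATE WAREHOUSE / ACCOUNT row

USE ROLE DATABASE_ADMIN;
SELECT CURRENT_ROLE();                     -- must say DATABASE_ADMIN, whatever the UI shows
CREATE WAREHOUSE IF NOT EXISTS MY_WAREHOUSE
  WAREHOUSE_SIZE       = 'XSMALL'
  AUTO_SUSPEND         = 60      -- seconds idle before suspending; bounds the cost of a forgotten warehouse
  AUTO_RESUME          = TRUE
  INITIALLY_SUSPENDED  = TRUE;

-- The creating role owns the warehouse; USAGE must be granted for others to use it.
GRANT USAGE ON WAREHOUSE MY_WAREHOUSE TO ROLE PUBLIC;
```

If the SELECT CURRENT_ROLE() before the CREATE returns anything other than DATABASE_ADMIN, the "insufficient privileges" error is the worksheet's role, not the grant.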
I have a SQL Server 2005 database that I'm trying to access as a limited user account, using Windows authentication. I've got BUILTIN\Users added as a database user (before I did so, I couldn't even open the database). I'm working under the assumption that everybody is supposed to have permissions for the "public" role applied to them, so I didn't do anything with role assignment. Under tblFoo, I can use the SSMS Properties dialog (Permissions page) to add "public", then set explicit permissions. Among these is "Grant" for SELECT. But running
SELECT * from tblFoo;
as a limited (BUILTIN\Users) account gives me an error "Select permission denied on object 'tblFoo', database 'bar', schema 'dbo'". In the properties dialog, there's an "Effective Permissions" button, but it's greyed out.
Further, I tried creating a non-priv account called "UserTest", adding that at the server level, then mapping it down to the "bar" database. This let me add UserTest to the "Users or Roles" list, which let me run "Effective Permissions" for the account. No permissions are listed at all -- this doesn't seem right. The account must be in public, and public grants (among other things) Select on tblFoo, so why doesn't the UserTest account show an effective permission? I feel like I'm going a bit crazy here.
ASIDE: I am aware that many people don't like using the "public" role to set permissions. This is just my tinkering time; in final design I'm sure we'll have several flexible (custom) database roles. I'm just trying to figure out the behavior I'm seeing, so please no "don't do that!" answers.
UPDATE: Apparently I know just enough SQL Server to be a danger to myself and others. In setting permissions (as I said, "among others"), I had DENY CONTROL. When I set this permission, I think I tried to look up what it did, had a vague idea, and decided on DENY. I cannot currently recall why this seemed the thing to do, but it would appear that that was the reason I was getting permission failures. So I'm updating my question: can anyone explain the "CONTROL" permission, as it pertains to tables?
You only need to have SELECT rights. In raw SQL (see the "script" icon/button in your dialog box), it's GRANT SELECT ON dbo.tblFoo TO public. This is the only permission needed to view the data.
In this case, the error message explicitly mentions "deny". "DENY" is a right in itself, so it mentions it.
If you had no rights, you'd get the message (very approximately) "tblFoo does not exist or you do not have rights".
"DENY CONTROL" is mentioned here. In this case, you denied all rights to the public role:
"The grantee effectively has all defined permissions on the securable"
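An added T-SQL example (not from the original answer) that reproduces the situation in the question and then shows the fix. Database bar and table dbo.tblFoo are the question's names; UserTest is assumed to already exist as a database user with no role memberships beyond public; the DENY CONTROL is the questioner's mistake, reproduced on purpose so the effect can be seen.

```sql
-- Added example, not from the original answer. Assumes database "bar" and a
-- database user "UserTest" that is only a member of public.
USE bar;
GO
CREATE TABLE dbo.tblFoo (id INT PRIMARY KEY, note NVARCHAR(50));
GO
GRANT SELECT  ON OBJECT::dbo.tblFoo TO public;   -- what was intended
DENY  CONTROL ON OBJECT::dbo.tblFoo TO public;   -- what was also clicked
GO
-- Effective permissions as the low-privilege user, without logging in as it.
EXECUTE AS USER = 'UserTest';
SELECT permission_name FROM fn_my_permissions('dbo.tblFoo', 'OBJECT');
-- Returns no rows: CONTROL implies every other permission on the object, and a
-- DENY always overrides a GRANT, so denying CONTROL takes SELECT away as well.
-- SELECT * FROM dbo.tblFoo here fails with "The SELECT permission was denied ...".
REVERT;
GO
-- Fix: remove the DENY (REVOKE clears both grants and denies). The earlier
-- GRANT SELECT then applies again.
REVOKE CONTROL ON OBJECT::dbo.tblFoo FROM public;
GO
EXECUTE AS USER = 'UserTest';
SELECT permission_name FROM fn_my_permissions('dbo.tblFoo', 'OBJECT');  -- SELECT
SELECT COUNT(*) FROM dbo.tblFoo;                                        -- now allowed
REVERT;
GO
```

fn_my_permissions inside EXECUTE AS is the scripted form of the greyed-out "Effective Permissions" button, and works for any database user, including Windows-group-mapped ones.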
Assuming "UserTest" is a domain user account, connect as a member of the sysadmin role and run
EXEC MASTER.dbo.xp_logininfo 'Domain\UserTest', 'all'
(substituting your domain name for "Domain")
this will display the Windows groups etc. that the account is inheriting security permissions from and the level of access, e.g. you would expect to see something like:
account name    | type | privilege | mapped login name | permission path
domain\usertest | user | user      | domain\usertest   | BUILTIN\Users
This will help troubleshoot where the account is inheriting permissions from, e.g. which Windows groups it is part of that have permissions to the database. If this all looks OK then I would follow your own advice and not mess with the public role.
1. Create a database role in your database
2. Assign explicit permissions for that role
3. Create a server login for your user account
4. Open the server login, go to the User Mapping section, click on the database and select the database role you created
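The four steps above as T-SQL, added here as an example and not part of the original answer. DOMAIN\UserTest stands for the Windows account (DOMAIN is a placeholder), bar is the question's database, and db_foo_reader is a role name I chose; the stored procedure sp_addrolemember is used because it works on SQL Server 2005 (ALTER ROLE ... ADD MEMBER is the 2012+ form).

```sql
-- Added example, not from the original answer. Placeholders: DOMAIN\UserTest,
-- role db_foo_reader. Database "bar" and dbo.tblFoo come from the question.
USE master;
GO
-- Step 3: a server login for the Windows account.
CREATE LOGIN [DOMAIN\UserTest] FROM WINDOWS;
GO
USE bar;
GO
-- Step 1: a database role of our own, instead of touching public.
CREATE ROLE db_foo_reader;
GO
-- Step 2: explicit, minimal permissions on that role. Pick one scope:
GRANT SELECT ON OBJECT::dbo.tblFoo TO db_foo_reader;   -- one table
-- GRANT SELECT ON SCHEMA::dbo TO db_foo_reader;       -- or the whole schema
GO
-- Step 4: map the login into the database and add the user to the role
-- (this is what the User Mapping page in SSMS does behind the scenes).
CREATE USER [DOMAIN\UserTest] FOR LOGIN [DOMAIN\UserTest];
EXEC sp_addrolemember 'db_foo_reader', 'DOMAIN\UserTest';
-- SQL Server 2012 and later: ALTER ROLE db_foo_reader ADD MEMBER [DOMAIN\UserTest];
GO
-- Check the result without logging in as that account.
EXECUTE AS USER = 'DOMAIN\UserTest';
SELECT permission_name FROM fn_my_permissions('dbo.tblFoo', 'OBJECT');  -- SELECT only
REVERT;
GO
```

Because the permissions live on the role, adding the next reader is a single sp_addrolemember call, and removing access is one sp_droprolemember, with nothing left behind on public.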