I am setting up a data share for a user and would also like to give them access to a UDF.
I can share the data with the account like this:
Create it and share the warehouse and database:
CREATE DATABASE shared_db1 FROM SHARE ab12345.share1;
GRANT USAGE ON WAREHOUSE testing_vw TO ROLE PUBLIC;
GRANT IMPORTED PRIVILEGES ON DATABASE shared_db1 TO ROLE PUBLIC;
Can I do the same for the UDF object?
GRANT USAGE ON UDFobject TO ROLE PUBLIC;
Is there a special privilege I need to set up for the consumer account?
I believe you can share UDFs, but only if it's a secure UDF. Here are a couple of links to review:
https://docs.snowflake.net/manuals/sql-reference/udf-secure.html
https://www.snowflake.com/blog/the-power-of-secure-user-defined-functions-for-protecting-shared-data/
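As an added example (not part of the answer above, and not the poster's objects), here is the complete provider-side and consumer-side sequence for sharing a secure UDF. The database `shared_src`, schema `util`, function `mask_email`, share name `share1` and the account locators are assumptions; `ab12345`, `shared_db1` and `testing_vw` are taken from the question.

```sql
-- ===== Provider account =====
USE ROLE ACCOUNTADMIN;

-- Only a SECURE function can be granted to a share. A secure function also hides its
-- body from consumers, so the logic behind the masking cannot be read on their side.
CREATE OR REPLACE SECURE FUNCTION shared_src.util.mask_email(email STRING)
  RETURNS STRING
  AS
  $$
    CONCAT(LEFT(email, 1), '***', SUBSTR(email, POSITION('@' IN email)))
  $$;

CREATE SHARE share1;

-- The share needs USAGE on every container above the function, then on the function
-- itself (the argument types are part of the function's identity).
GRANT USAGE ON DATABASE shared_src TO SHARE share1;
GRANT USAGE ON SCHEMA shared_src.util TO SHARE share1;
GRANT USAGE ON FUNCTION shared_src.util.mask_email(STRING) TO SHARE share1;

-- Placeholder: replace with the consumer's account locator.
ALTER SHARE share1 ADD ACCOUNTS = <consumer_account_locator>;

-- ===== Consumer account (the statements from the question) =====
USE ROLE ACCOUNTADMIN;
CREATE DATABASE shared_db1 FROM SHARE ab12345.share1;
GRANT USAGE ON WAREHOUSE testing_vw TO ROLE PUBLIC;
GRANT IMPORTED PRIVILEGES ON DATABASE shared_db1 TO ROLE PUBLIC;

-- The function arrives with the imported database; no per-function grant is needed.
SHOW FUNCTIONS IN SCHEMA shared_db1.util;
SELECT shared_db1.util.mask_email('alice@example.com');
```

On the consumer side, IMPORTED PRIVILEGES on the shared database is the only privilege that can be granted on a shared database, so there is no separate "GRANT USAGE ON UDFobject" step; which functions a consumer sees is controlled entirely by what the provider granted to the share.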
I created a new database (DB_COMMON) using the ACCOUNTADMIN role and granted ALL PRIVILEGES to other roles, but I am not able to see the newly created database (DB_COMMON) using those roles. Am I missing something? Please guide.
Here is the complete code:
USE ROLE ACCOUNTADMIN;
-- DATABASE CREATION
CREATE DATABASE IF NOT EXISTS DB_COMMON;
-- PERMISSION TO ALL THE FUTURE SCHEMAS
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- PERMISSION TO ALL THE FUTURE TABLES
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE DB_COMMON TO ROLE PRODADMIN;
-- CREATION OF SCHEMA
USE DATABASE DB_COMMON;
CREATE SCHEMA IF NOT EXISTS COMMON;
After these commands, if I switch to these roles (DEVADMIN, QAADMIN, etc.) I am not able to see the DB_COMMON database. Am I missing something? Please guide.
It is not recommended to use the ACCOUNTADMIN role as the owner of user-defined databases:
Avoid Using the ACCOUNTADMIN Role to Create Objects:
The ACCOUNTADMIN role is intended for performing initial setup tasks in the system and managing account-level objects and tasks on a day-to-day basis. As such, it should not be used to create objects in your account, unless you absolutely need these objects to have the highest level of secure access. If you create objects with the ACCOUNTADMIN role and you want users to have access to these objects, you must explicitly grant privileges on the objects to the roles for these users.
Instead, we recommend creating a hierarchy of roles aligned with business functions in your organization and ultimately assigning these roles to the SYSADMIN role. For more information, see Aligning Object Access with Business Functions in this topic.
Second, the USAGE privilege on the database needs to be granted:
GRANT USAGE ON DATABASE ... TO ROLE ...;
Database Privileges:
USAGE
Enables using a database, including returning the database details in the SHOW DATABASES command output. Additional privileges are required to view or take actions on objects in a database.
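The two points above put together, as an added example rather than the poster's script: the database is created by SYSADMIN instead of ACCOUNTADMIN, and each role receives the database-level USAGE that was missing. The role names are the question's; the verification statements at the end are the part a practitioner would add before reporting "I cannot see the database".

```sql
-- Create the database from SYSADMIN so it sits under the normal role hierarchy.
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS DB_COMMON;
CREATE SCHEMA IF NOT EXISTS DB_COMMON.COMMON;

-- USAGE on the database is what makes it appear in SHOW DATABASES for a role and lets
-- the role resolve objects inside it. Future grants on schemas/tables (as in the question)
-- do nothing for a role that cannot reach the database in the first place.
GRANT USAGE ON DATABASE DB_COMMON TO ROLE DEVADMIN;
GRANT USAGE ON DATABASE DB_COMMON TO ROLE QAADMIN;
GRANT USAGE ON DATABASE DB_COMMON TO ROLE UATADMIN;
GRANT USAGE ON DATABASE DB_COMMON TO ROLE PRODADMIN;

-- Schema-level access for an existing schema (the question's FUTURE SCHEMAS grants only
-- cover schemas created after those grants were issued).
GRANT USAGE ON SCHEMA DB_COMMON.COMMON TO ROLE DEVADMIN;
GRANT USAGE ON SCHEMA DB_COMMON.COMMON TO ROLE QAADMIN;
GRANT USAGE ON SCHEMA DB_COMMON.COMMON TO ROLE UATADMIN;
GRANT USAGE ON SCHEMA DB_COMMON.COMMON TO ROLE PRODADMIN;

-- Audit from the administrator's side: every role that can reach the database.
SHOW GRANTS ON DATABASE DB_COMMON;

-- Verify from the consuming role itself; this assumes your user holds DEVADMIN.
USE ROLE DEVADMIN;
SHOW DATABASES LIKE 'DB_COMMON';
SHOW GRANTS TO ROLE DEVADMIN;
```

Two notes on the grants themselves: ALL PRIVILEGES is much wider than most roles need, so once the visibility problem is solved it is worth replacing it with the specific privileges each environment role actually uses (USAGE, SELECT, CREATE TABLE, and so on), and SHOW GRANTS TO ROLE lists only grants on objects that already exist; the future grants from the question are listed by SHOW FUTURE GRANTS IN DATABASE DB_COMMON.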
I would like a new role which can query Snowflake account usage. Currently only Account Admin has this privilege, and I don't want to assign Account Admin to the required users.
The IMPORTED PRIVILEGES grant would allow a non-admin role access to the SNOWFLAKE.ACCOUNT_USAGE schemas (docs). There is also a MONITOR USAGE global grant which allows similar billing and usage monitoring but through information_schema functions instead. See the documentation here -- particularly the table is helpful to explain the differences between these two options.
These are some of the more common built-in grant options for a billing-monitoring role, but if you need a more custom solution, you can always create some custom SQL (perhaps stored procedure and task for maintenance) that copies only the desired admin results from ACCOUNT_USAGE to a custom table/view. Then you can grant access to that custom object to your non-admins.
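The three options described in the answer, written out as an added example (not the answerer's code). The role USAGE_MONITOR, the warehouse reporting_wh, the database admin_reports and the task name are assumptions; SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY and its columns are the real shared view. In practice you would pick one option per role; they are shown together for comparison.

```sql
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS USAGE_MONITOR;
GRANT ROLE USAGE_MONITOR TO USER <monitoring_user>;        -- placeholder user
GRANT USAGE ON WAREHOUSE reporting_wh TO ROLE USAGE_MONITOR;

-- Option 1: read every SNOWFLAKE.ACCOUNT_USAGE view. This exposes query text, login
-- history and object metadata for the whole account, not just billing, so reserve it
-- for roles that genuinely need all of it.
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE USAGE_MONITOR;

-- Option 2: billing and usage data through INFORMATION_SCHEMA table functions only.
GRANT MONITOR USAGE ON ACCOUNT TO ROLE USAGE_MONITOR;

-- Option 3 (least exposure): a scheduled task copies only the columns you want to share
-- into an admin-owned table, and the role gets SELECT on that table alone.
CREATE DATABASE IF NOT EXISTS admin_reports;
CREATE SCHEMA IF NOT EXISTS admin_reports.billing;
CREATE TABLE IF NOT EXISTS admin_reports.billing.daily_warehouse_credits (
  usage_day      DATE,
  warehouse_name STRING,
  credits_used   NUMBER(38, 9)
);

CREATE OR REPLACE TASK admin_reports.billing.refresh_daily_credits
  WAREHOUSE = reporting_wh
  SCHEDULE  = 'USING CRON 0 6 * * * UTC'
AS
  MERGE INTO admin_reports.billing.daily_warehouse_credits t
  USING (
    SELECT DATE_TRUNC('DAY', start_time)::DATE AS usage_day,
           warehouse_name,
           SUM(credits_used)                   AS credits_used
    FROM   SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY
    -- ACCOUNT_USAGE views are populated with a delay, so re-read a trailing window
    -- and let MERGE correct rows that were loaded before the data was complete.
    WHERE  start_time >= DATEADD('DAY', -3, CURRENT_DATE())
    GROUP BY 1, 2
  ) s
  ON t.usage_day = s.usage_day AND t.warehouse_name = s.warehouse_name
  WHEN MATCHED THEN UPDATE SET t.credits_used = s.credits_used
  WHEN NOT MATCHED THEN INSERT (usage_day, warehouse_name, credits_used)
       VALUES (s.usage_day, s.warehouse_name, s.credits_used);

-- Tasks are created suspended; the owner (here ACCOUNTADMIN) resumes it.
ALTER TASK admin_reports.billing.refresh_daily_credits RESUME;

-- The monitoring role can reach the curated table and nothing else in ACCOUNT_USAGE.
GRANT USAGE  ON DATABASE admin_reports TO ROLE USAGE_MONITOR;
GRANT USAGE  ON SCHEMA   admin_reports.billing TO ROLE USAGE_MONITOR;
GRANT SELECT ON TABLE    admin_reports.billing.daily_warehouse_credits TO ROLE USAGE_MONITOR;
```

Option 3 is the one to prefer when the people reading the numbers should not also be able to read QUERY_HISTORY or LOGIN_HISTORY, which is what IMPORTED PRIVILEGES on the SNOWFLAKE database hands out.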
I have granted USAGE on the schemas and database.
I have granted select on all tables.
Using that role, I can read data from all tables within any schema.
I then grant the permission to create tables in all schemas within that database:
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
Yet, when I issue this command (while using the DEVELOPERS role), I get an error:
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
What am I missing?
Works fine for me (script below). I'm going to go with what Lukasz commented: that your schema was created later.
use role accountadmin;
create database TEST1_CONTROL;
create schema PDS;
create role DEVELOPERS;
grant role DEVELOPERS to user <your_username>;
GRANT USAGE ON DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT USAGE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
use role DEVELOPERS;
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
Snowflake does offer future grants if you want a role to have access to any new schemas that would be created in the future.
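As an added example (not the answerer's script), the same DEVELOPERS setup with the future grants mentioned above, plus the checks that show whether a schema created later is covered. Object names are the question's; the schema PDS_LATER is constructed for the demonstration, and the example assumes your user holds both ACCOUNTADMIN and DEVELOPERS.

```sql
USE ROLE ACCOUNTADMIN;

GRANT USAGE ON DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;

-- ON ALL applies to schemas that exist at the moment the statement runs;
-- ON FUTURE applies to schemas created afterwards. Both are needed for full coverage.
GRANT USAGE        ON ALL    SCHEMAS IN DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;
GRANT USAGE        ON FUTURE SCHEMAS IN DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;
GRANT CREATE TABLE ON ALL    SCHEMAS IN DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;
GRANT CREATE TABLE ON FUTURE SCHEMAS IN DATABASE TEST1_CONTROL TO ROLE DEVELOPERS;

-- A schema created after the grants: without the FUTURE grants, DEVELOPERS would get
-- exactly the error from the question here.
CREATE SCHEMA TEST1_CONTROL.PDS_LATER;

-- SHOW GRANTS TO ROLE lists only grants on existing objects; future grants live on
-- the container and are listed separately.
SHOW GRANTS TO ROLE DEVELOPERS;
SHOW FUTURE GRANTS IN DATABASE TEST1_CONTROL;

USE ROLE DEVELOPERS;
CREATE TABLE TEST1_CONTROL.PDS.ERIC_TEST_TABLE       (COUCOU STRING NULL);
CREATE TABLE TEST1_CONTROL.PDS_LATER.ERIC_TEST_TABLE (COUCOU STRING NULL);
```

Tables created this way are owned by DEVELOPERS, so any other role that should read them needs its own SELECT grants (ON ALL TABLES and ON FUTURE TABLES in the schema), granted by the owner or by a role with MANAGE GRANTS.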
I'm trying to create a Role hierarchy in Snowflake with a "top level" role which will be used for my helpdesk support team to manage users and resources within Snowflake. But this role cannot have access to any stored data due to compliance restrictions.
For user management, I've just granted SECURITYADMIN to the role and it seems to work pretty well. But for databases I would like to avoid using SYSADMIN as I would be inheriting the ability to view everything in the databases. So I've come up with a hierarchy that I think makes sense, which is basically the following with some added project roles:
ACCOUNTADMIN >--- HELPDESK (create/drop db then hand off to OU_MANAGER)
- OU_MANAGER (create/drop schema/tables and assign grants within the OU) > OU_MEMBER (usage on resources in db)
What I would like to do is create the databases with my HELPDESK role, then grant all on that db to the management role for the organizational unit and hand it off to them.
I'm not sure if this is possible in Snowflake, or if I just have my syntax wrong, but I get an error when I try to run a basic grant of CREATE DATABASE to role helpdesk, and I can't find anything definitive in the docs about granting this kind of access.
use role accountadmin;
grant create database on account to role helpdesk;
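One way to implement the "create, then hand off" pattern described in the question, as an added example (not the poster's code): HELPDESK creates the database and transfers OWNERSHIP to the OU manager, so that it keeps no standing privilege on the data. The role names HELPDESK, OU_MANAGER and OU_MEMBER are the question's; the database ou_finance and schema ledger are assumptions, the roles are assumed to exist already, and the example assumes your user holds all of them.

```sql
USE ROLE ACCOUNTADMIN;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE HELPDESK;

-- HELPDESK creates the database and therefore owns it at this point.
USE ROLE HELPDESK;
CREATE DATABASE ou_finance;

-- Hand-off: transfer OWNERSHIP rather than granting ALL PRIVILEGES. After this, HELPDESK
-- holds no privilege on the database or on anything the OU later creates inside it,
-- which is the compliance property the question asks for. (For a database that already
-- carries grants, GRANT OWNERSHIP needs COPY CURRENT GRANTS or REVOKE CURRENT GRANTS.)
GRANT OWNERSHIP ON DATABASE ou_finance TO ROLE OU_MANAGER;

-- The OU manages its own schemas and decides what members may see.
USE ROLE OU_MANAGER;
CREATE SCHEMA ou_finance.ledger;
GRANT USAGE  ON DATABASE ou_finance TO ROLE OU_MEMBER;
GRANT USAGE  ON SCHEMA   ou_finance.ledger TO ROLE OU_MEMBER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ou_finance.ledger TO ROLE OU_MEMBER;

-- Audit: HELPDESK should no longer appear in the grants on the database.
SHOW GRANTS ON DATABASE ou_finance;
```

The trade-off is the "drop" half of the question's diagram: once ownership has moved, dropping the database is something OU_MANAGER (or a role above it in the hierarchy) does, not HELPDESK, so a drop request from the helpdesk has to be carried out by the owning role.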
I would like to create a role that would have permissions to clone any database, present and future.
Something like
GRANT CREATE DATABASE ON ACCOUNT TO ROLE CLONE_ADMIN;
Followed by
GRANT USAGE ON FUTURE DATABASES TO ROLE CLONE_ADMIN;
Is it possible?
Future grants can only be applied to schema objects.
From the documentation: "When a database is cloned, the schemas in the cloned database copy the future privileges from the source schemas. This maintains consistency with the regular object grants, in which the grants of the source object (i.e. database) are not copied to the clone, but the grants on all the children objects (i.e. schemas in the database) are copied to the clones."
Future grants cannot be applied to databases.
USE ROLE ACCOUNTADMIN;
USE DATABASE ANALYTICS;
CREATE OR REPLACE ROLE DATA;
GRANT USAGE ON DATABASE ANALYTICS TO DATA;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE DATA;
GRANT ROLE DATA TO USER NEW_USER1;
USE ROLE DATA;
CREATE DATABASE Z_NEW_USER1_TEST CLONE ANALYTICS;
The feature of future grants at the database level is on the roadmap. It is currently in private preview with selected customers to gather feedback from early users.
Stay tuned for updates from Snowflake on when this feature will become accessible to a wider audience.