SNOWFLAKE: Is it possible to grant a ROLE CREATE TEMPORARY TABLES but not PERMANENT tables?
The following snippet would not allow a role to CREATE TABLE, but allow CREATE TEMP tables. Also, the third command does not exist/work.
GRANT ALL PRIVILEGES ON SCHEMA myDB.mySchema TO ROLE myRole;
REVOKE CREATE TABLE ON SCHEMA myDB.mySchema FROM ROLE myRole;
GRANT CREATE **TEMPORARY** TABLE ON SCHEMA myDB.mySchema FROM ROLE myRole;
I can see many use cases where we want to limit a class of users from creating perm tables, but allow them to use scratch data.
That feature you are asking for is SNOW-62117 for reference, please ask about that with Snowflake Support.
Another option to consider for users to use scratch data is for an admin to create Views for scratch data.
https://docs.snowflake.net/manuals/sql-reference/sql/create-materialized-view.html
Or check out the data exchange to administer what types of scratch data you can use, depending on the use case. https://docs.snowflake.net/manuals/sql-reference/sql/create-materialized-view.html
Hope that helps!
Related
There is a table created by a Sysadmin. I would like both Sysadmin and Analyst role to be able to drop, modify, or replace the same table if possible. I understand we can change ownership of the table, but if both roles can drop, modify, or replace the table, that would be great.
This ANALYST role has limited access to snowflake databases and has following grant privileges:
USAGE (Databases)
CREATE TABLE, CREATE VIEW and USAGE (Schemas)
DELETE, INSERT, SELECT and UPDATE (Tables and Views)
Regarding Ownership: You are right, only one role can be the owner of an object at one particular point in time.
However, you can have several roles, which are able to DROP, MODIFY and REPLACE the same table. This can be achieved by either
Assigning the same privileges to the roles with two separate GRANT statements
Assigning Role A to Role B so that Role B is inheriting all the privileges from Role A
I would like to give access to a role and it should be able to create schemas, create tables, Materialized views ..etc. He should be able to do everything related to the database.
How to achieve this?
Thanks,
Xi
Two options:
Make the role the owner of the database
Grant the role the specific permissions you want it to have
I am creating a user that should only have access to the database tables metadata,via INFORMATION_SCHEMA, and not the table data. So no perms to query the tables directly. The role the user will be a member of will have USAGE privileges on INFORMATION_SCHEMA schema. I tested the user with that role and it is only able to see tables within public and no where else.
I did see in Snowflake documentation:
"The output of a view or table function depend on the privileges granted to the user’s current role. When querying an INFORMATION_SCHEMA view or table function, only objects for which the current role has been granted access privileges are returned."
So, I tried to grant to the role MONITOR and USAGE on other schemas; but, that did not work either. Only when I granted a role with read access to all the tables in the schema was it able to see and query from INFORMATION_SCHEMA.TABLES the tables in that schema. This, however, is not what I want as now that user would be able to query data from the tables. I just want to set that user to be able to query and gather the metadata of tables and not allow data access. Is there a way in Snowflake to setup and perform this type of setup?
I believe the only way to do this would be to provide access to the SNOWFLAKE.ACCOUNT_USAGE share on Snowflake, which also has TABLES and would allow this user to query the metadata of all tables and columns in that Snowflake account. There is a lot more information available in that share, but at least the user would not have access to any real data, if that is what you are after.
I'm looking to create a database role within a database that allows the developer members of that role the ability to create/alter/drop procedures and functions. I do not want them to be able to create/alter/drop tables though, that is managed by a different team.
I found GRANT CREATE PROCEDURE/TABLE/FUNCTION, but I'm not able to allow them to ALTER/DROP the procedures/functions as well.
I have also tried:
CREATE ROLE developer
GRANT VIEW DEFINITION ON database::MyDb TO developer
GRANT ALTER ON DATABASE::MyDb TO developer
-- Above allows modification of procedures/functions, but also tables
DENY CREATE TABLE ON DATABASE::MyDb TO developer
-- Above denies create table, can still alter/drop tables, which I also want to prevent
How can I Grant some users permission to drop and create a single table only in the SQL 2005 database accessed by our VB.net 2005 Win app?
Some articles suggest Granting Control rights to the table but I cannot make this work. If you think this is teh way to go, can you show me the correct syntax?
You cannot assign DROP or CREATE permissions on a single table, as those are schema and database level permissions:
DROP TABLE requires ALTER permission on the schema to which the table belongs, CONTROL permission on the table, or membership in the db_ddladmin fixed database role.
CREATE TABLE requires CREATE TABLE permission in the database and ALTER permission on the schema in which the table is being created.
If the user has control permissions on the table they may be able to drop it, but you would not be able to create it again. There are two approaches that you could take depending on your requirements:
If you simply need to change the structure of the table, you should use the TRUNCATE TABLE statement to delete all the records (without logging) and then use the ALTER TABLE statement to add/remove columns.
If you really want the user to be able to drop and then create the table again you will need to create the table in a different schema and assign the user the correct permissions for that schema. See this article about using schemas in MS SQL to get you started. Once you have the table in a separate schema you can grant the db_ddladmin role for the new schema to the user and they should be able to create and delete only tables in that schema.
Use this:
DENY ALTER ON SCHEMA::dbo
But this doesn't prevent the user from granting back this right to himself.