I am trying to change the OWNERSHIP from one role to other role in Snowflake DWH. Say Old Owner Role is the role with current Ownership, New Owner Roleis the role to which I wish to give ownership and R3 be a role which already has some access to the object of interest. I am getting below error when I am trying to do so.
SQL execution error: Dependent grant of privilege 'SELECT' on
securable '' to role 'R3'
exists. It must be revoked first. More than one dependent
grant may exist
Why should an existing role be a problem for Ownership change?
Kannan, according to the Snowflake documentation (https://docs.snowflake.net/manuals/sql-reference/sql/grant-ownership.html), ownership of an object can't be granted (transferred) to another role unless all current privileges granted on the object have been revoked (using the REVOKE command). It looks like either the current owner or a member of a role with the appropriate privileges previously granted the SELECT privilege on the object (presumably a table or view) to the R3 role. That privilege will need to be revoked before ownership of the object can be transferred.
According to the same doc page, the restriction exists to prevent the new owner from unknowingly inheriting the object with grants already made on it.
Related
I've got Accountadmin role on this Snowflake account. I ran show grants on schema command in snowflake and get these privileges as on the screenshot.
Ownership privilege is empty and so it doesn't let me run grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to accountadmin for the above schema to assign myself the ownership privilege.
I need to have ownership privilege to remove some tables from this schema.
Could someone suggest how to assign ownership privilege to accountadmin role for this schema?
This situation can be caused by user-initiated actions, if a grant is involving system owned entities (such as default) roles, and via using MANAGE GRANTS on ACCOUNT privilege to custom roles.
I would suggest opening a Support Case as we'd need to review all the grant changes that occurred on that schema to understand what caused the situation in the first place, and then revert it.
That said, you should still be able to execute this statement with either ACCOUNTADMIN or SECURITYADMIN:
use role accountadmin;
grant ownership on schema "DATABASE_NAME"."SCHEMA_NAME" to role accountadmin;
I need information within Snowflake which captures "Role to Privilege mapping".
Example :: If I am an user "USER_01" & I have the role as "ANALYST", then this "ANALYST" role has access to which all the objects (database/schema/table/etc..) in Snowflake account I would need that information.
Any pointers like queries/metadata tables/etc.. would help as there has to be some metadata tables which would keep this role to privilege mapping.
For e.g., queries like :
show grants to user USER_01
--> This gives what role has been assigned to this user. But this do not convey any information regarding what all privileges has been given to that role. Like if this role has got below access:
grant usage on database DB_01 to role analyst;
grant all privileges on schema schema_01 to role analyst;
grant all privileges on all tables in schema schema_01 to role analyst;
SHOW GRANTS:
SHOW GRANTS TO ROLE <role_name>
Key point: Access Control Framework
Role-based Access Control (RBAC): Access privileges are assigned to roles, which are in turn assigned to users.
Access priviliges are not assigned directly to users.
If you want to list all the privileges given to a user, you may use the stored procedure described in this KB article:
https://community.snowflake.com/s/article/How-to-Capture-Snowflake-Users-Roles-and-Grants-Into-a-Table
I have given grant all privileges to role svn_dev, but it is not giving access to create, alter and drop stage permissions across all schemas. How do I provide this to a role?
I have also tried
grant ownership on database DA_DEV to role svn_dev;
I get an error
SQL execution error: Dependent grant of privilege 'CREATE SCHEMA' on securable.
To revoke all dependent grants while transferring object ownership, use convenience command 'GRANT OWNERSHIP ON <target_objects> TO <target_role> REVOKE CURRENT GRANTS'.
How to give create stage permissions?
The error message gives a way to fix it in most cases. Try this:
grant ownership on database DA_DEV to role svn_dev revoke current grants;
If you can't revoke current grants because it would be too much work to re-issue the grants, you can explicitly revoke the grants that are preventing a change in ownership. You can check them using show grants.
You can grant create stage like this:
grant create stage on schema <DATABASE>.<SCHEMA> to role <ROLE>;
I want to create a role on snowflake limited only to one database and one schema and give there a read access on all tables.
I create a role, grant:
grant usage on database1,
grant usage on database1.schema1,
grat select on all tables in database1.schema1,
and I grant usage and operate on one warehouse1.
However, additionally to this I am seeing also other databases and other schemas with this role, despite no grants were added, also there is additional warehouse to warehouse1.
How I can limit access with this role and not see something that appear as default
'databases' even for roles with no grants?
Regards
P
You will be able to find out what the role can and cannot do.
Check the which users and/or roles are granted the privilege of the role:
show grants of role ;
Then check what privileges were given to the role:
show grants to role ;
All the users are granted the PUBLIC role. Hence, never grant any privileges to the PUBLIC role, as this simply means giving the whole world access to a database, schema and tables/views etc.
Fundamentally I want
my "DBA" user; the original account which has the SYSADMIN and ACCOUNTADMIN roles, to be able to see any object in the database as well as its data. It seems that at least at the level of ACCOUNTADMIN I should be able to do this.
a "power" user; via a role (dr_uce_role) I can assign at a database level where the user can do virtually everything within a database.
I thought I had made the power user role with the following code:
--grant power to engineer
grant all privileges on database dr_ev to dr_uce_role;
grant all privileges on all schemas in database dr_ev to dr_uce_role;
grant all privileges on all tables in schema dr_ev.public to dr_uce_role;
grant all privileges on all views in schema dr_ev.public to dr_uce_role;
grant select on future tables in schema dr_ev.public to dr_uce_role;
grant select on future views in schema dr_ev.public to dr_uce_role;
grant all privileges on all tables in schema dr_ev.stg to dr_uce_role;
grant all privileges on all views in schema dr_ev.stg to dr_uce_role;
grant select on future tables in schema dr_ev.stg to dr_uce_role;
grant select on future views in schema dr_ev.stg to dr_uce_role;
This user then created objects in the schemas. However my "DBA" user at SYSADMIN could not see the objects at all. With role ACCOUNTADMIN the user can see the objects, but not query them. My understanding is that ACCOUNTADMIN is the top level account, and can take ownership of these objects anyway, so if this is supposed to be a security feature I don't really understand how it is providing much protection as it can always steal ownership?
I tried changing ownership of an object as ACCOUNTADMIN to SYSADMIN, to find it had a blocking privilege;
grant ownership on dr_ev.stg.load_opportunity to sysadmin;
SQL execution error: Dependent grant of privilege 'DELETE' on securable 'DR_EV.STG.LOAD_OPPORTUNITY' to role 'DR_UCE_ROLE' exists. It must be revoked first. More than one dependent grant may exist: use 'SHOW GRANTS' command to view them. To revoke all dependent grants while transferring object ownership, use convenience command 'GRANT OWNERSHIP ON TO REVOKE CURRENT GRANTS'.`
I tried taking ownership with
grant ownership on all tables in schema dr_ev.stg to sysadmin revoke current grants;
which did work - although it left my power user unable to see the objects. So I granted them back with
grant all privileges on all tables in schema dr_ev.stg to dr_uce_role;
However I want my power user to be able to create or replace this table. I believe this requires the DROP TABLE privilege, although apparently my power user grants do not provide it, and I am unclear on how I should be providing it?
I will not say I have the greatest understanding of Snowflake privileges and am wondering if the statements above like grant all privileges on all tables in schema do not live at the schema level to blanket apply to all tables, but actually sets object level permissions and my original approach has simply been too granular as I do not actually wish to manage anything at object level. That being said, I am unclear in the doc how to manage at a higher level than object anyway if the statement is actually just a shortcut to set many object privileges. How can I accomplish my original goals?
The best practice for a situation like this is to grant all of your custom roles to the SYSADMIN role. This allows the sysadmin to do everything a SYSADMIN can do plus everything that all of the other roles can do. You have a lot of questions in your post, but I think this resolves many of them.
The way I did was to create a super role 'superole' and granted sysadmin, securityadmin and accountadmin to that role. I then attached the superrole to whoever I wanted to be my DBA...