GRANT and REVOKE Commands: Changes to the Output for a Failed Grant¶

The behavior of these commands is as follows:

• GRANT APPLICATION ROLE

• REVOKE APPLICATION ROLE

• GRANT <privileges> … TO APPLICATION ROLE

• REVOKE <privileges> FROM APPLICATION ROLE

• GRANT <privileges>

• REVOKE <privileges>

• GRANT <privilege> … TO SHARE

• REVOKE <privilege> … FROM SHARE

• GRANT ROLE

• REVOKE ROLE

• GRANT OWNERSHIP

Previously:

When you execute any of these commands and the operation does not work for one or more privileges or roles that you specify in the command, Snowflake formats the response as a “successful status message” (i.e. table) and indicates the relevant information. For example:

GRANT ALL ON ACCOUNT TO ROLE r1;

Copy

+--------------------------------------------------------------------------------------------------------------------------+
| status                                                                                                                   |
|--------------------------------------------------------------------------------------------------------------------------|
| Grant partially executed: privileges [MANAGE LISTING AUTO FULFILLMENT, MANAGE ORGANIZATION SUPPORT CASES] not granted.   |
+--------------------------------------------------------------------------------------------------------------------------+

This output is a representative example of one of many possible messages when executing any of these commands.

Currently:

When you execute either of these commands and the operation does not work for one or more privileges or roles that you specify in the command, Snowflake formats the response as an error message, with the error code, and indicates the relevant information. For example:

003011 (42501): Grant partially executed: privileges [MANAGE LISTING AUTO FULFILLMENT, MANAGE ORGANIZATION SUPPORT CASES] not granted.

The actual message text does not change.

Tip

If you have workflows that depend on the result of either of these commands, update your scripts to parse the error code information, which is 003011 (42501) in this example.

The list of error codes that are affected by this change are:

003011: Grant partially executed: [ one or more privileges ] not granted.
003012: Revoke partially executed: [ one or more privileges ] not revoked.
003102: Grant not executed: Insufficient privileges.
003103: Revoke not executed: Insufficient privileges.
003104: Grant not executed: Operation not supported on a SHARE object.
003105: Revoke not executed: Operation not supported on a SHARE object.

Copy

The value (42501) in the example reflects the SQL client the user chose to execute the command, which is the Snowflake Connector for Python in this example. This value might not show up depending on how you execute the command (e.g. Snowsight does not return this value or the error code value 003011).

The [ one or more privileges ] value is a placeholder to return information about the statement that caused the error. In the example, these placeholder shows that REFERENCE_USAGE privilege was not granted.

Ref: 515