Replication support for CREATE <class_name> privilege

Attention

This behavior change is in the 2024_04 bundle.

For the current status of the bundle, refer to Bundle History.

The CREATE <class_name> privilege is granted on a schema to a role. A role granted this privilege can be used to create an instance of class <class_name>.

For example, the following statement grants the role budget_creator the privilege to create instances of the SNOWFLAKE.CORE.BUDGET class in schema budgets_db.budgets_schema:

GRANT CREATE SNOWFLAKE.CORE.BUDGET
  ON SCHEMA budgets_db.budgets_schema
  TO ROLE budget_creator;

Note

Privileges granted to roles are replicated to target accounts only if the ROLES object type is included in the OBJECT_TYPES list for a replication or failover group. The object on which the privilege is granted must also be replicated.

The replication of the CREATE <class_name> privilege behaves as follows:

Before the change:

If a role is granted the CREATE <class_name> privilege on a schema in a source account, this privilege grant is not replicated to target accounts.

For example, the CREATE SNOWFLAKE.ML.FORECAST privilege is granted using the following statement in a source account:

GRANT CREATE SNOWFLAKE.ML.FORECAST
  ON SCHEMA admin_db.admin_schema
  TO ROLE analyst;

If the database admin_db and roles are replicated to a target account, the CREATE SNOWFLAKE.ML.FORECAST privilege grant is not replicated. The role analyst can’t create instances of the SNOWFLAKE.ML.FORECAST class in the target account.

After the change:

If a role is granted the CREATE <class_name> privilege on a schema in a source account, the privilege grant is replicated to the target account if the replication or failover group meets both of the following conditions:

  • It includes the database that contains the schema on which the privilege is granted.

  • Its OBJECT_TYPES list includes the ROLES object type.

A user granted the role with the CREATE <class_name> privilege in a target account can create an instance of <class_name> in the replicated schema in the target account.

For example, the CREATE SNOWFLAKE.ML.FORECAST privilege is granted using the following statement in a source account:

GRANT CREATE SNOWFLAKE.ML.FORECAST
  ON SCHEMA admin_db.admin_schema
  TO ROLE analyst;

If the database admin_db and roles are replicated to a target account, the CREATE SNOWFLAKE.ML.FORECAST privilege grant is replicated. The role analyst can create instances of the SNOWFLAKE.ML.FORECAST class in the target account.
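The following is an added example, not part of the original page: a failover group that meets both conditions above, followed by a check in the target account that the grant arrived. The group name admin_fg, the account identifiers myorg.source_account and myorg.target_account, and the schedule are assumptions; admin_db, admin_schema and analyst come from the example above.

```sql
-- Either account: check whether the 2024_04 bundle is enabled.
SELECT SYSTEM$BEHAVIOR_CHANGE_BUNDLE_STATUS('2024_04');

-- Source account (assumed identifier: myorg.source_account).
-- Both conditions from the page are met: admin_db is in the group
-- and ROLES is in the OBJECT_TYPES list.
CREATE FAILOVER GROUP admin_fg
  OBJECT_TYPES = ROLES, DATABASES
  ALLOWED_DATABASES = admin_db
  ALLOWED_ACCOUNTS = myorg.target_account
  REPLICATION_SCHEDULE = '10 MINUTE';

GRANT CREATE SNOWFLAKE.ML.FORECAST
  ON SCHEMA admin_db.admin_schema
  TO ROLE analyst;

-- Target account (assumed identifier: myorg.target_account).
CREATE FAILOVER GROUP admin_fg
  AS REPLICA OF myorg.source_account.admin_fg;

ALTER FAILOVER GROUP admin_fg REFRESH;

-- List the privileges the role analyst now holds on the replicated schema.
-- With the bundle enabled, the CREATE SNOWFLAKE.ML.FORECAST grant is
-- expected in this result; before the change it is absent.
SHOW GRANTS ON SCHEMA admin_db.admin_schema;

SELECT "privilege", "granted_on", "name", "grantee_name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  WHERE "granted_to" = 'ROLE'
    AND "grantee_name" = 'ANALYST';
```

Running the same SHOW GRANTS query in the source account before the bundle is enabled lists the CREATE <class_name> grants that will begin to appear in target accounts, which is a convenient point to review them against least privilege.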

For a list of available Snowflake classes, see SQL class reference.

Ref: 1607