Replication support for CREATE <class_name> privilege
Attention
This behavior change is in the 2024_04 bundle.
For the current status of the bundle, refer to Bundle History.
The CREATE <class_name> privilege is granted on a schema to a role. A role granted this privilege can be used to create an instance of class <class_name>.
For example, the following statement grants the role budget_creator the privilege to create instances of the SNOWFLAKE.CORE.BUDGET class in schema budgets_db.budgets_schema:
GRANT CREATE SNOWFLAKE.CORE.BUDGET
ON SCHEMA budgets_db.budgets_schema
TO ROLE budget_creator;
Note
Privileges granted to roles are replicated to target accounts only if the ROLES object type is included in the OBJECT_TYPES list for a replication or failover group. The object on which the privilege is granted must also be replicated.
The replication of the CREATE <class_name> privilege behaves as follows:
- Before the change:
If a role is granted the CREATE <class_name> privilege on a schema in a source account, this privilege grant is not replicated to target accounts.
For example, the CREATE SNOWFLAKE.ML.FORECAST privilege is granted using the following statement in a source account:
GRANT CREATE SNOWFLAKE.ML.FORECAST ON SCHEMA admin_db.admin_schema TO ROLE analyst;
If the database admin_db and roles are replicated to a target account, the CREATE SNOWFLAKE.ML.FORECAST privilege grant is not replicated. The role analyst can’t create instances of the SNOWFLAKE.ML.FORECAST class in the target account.
- After the change:
If a role is granted the CREATE <class_name> privilege on a schema in a source account, the privilege grant is replicated to the target account if the following objects are included in the replication or failover group:
  - The database that contains the schema on which the privilege is granted.
  - The ROLES object type (in the OBJECT_TYPES list).
A user granted the role with the CREATE <class_name> privilege in a target account can create an instance of <class_name> in the replicated schema in the target account.
For example, the CREATE SNOWFLAKE.ML.FORECAST privilege is granted using the following statement in a source account:
GRANT CREATE SNOWFLAKE.ML.FORECAST ON SCHEMA admin_db.admin_schema TO ROLE analyst;
If the database admin_db and roles are replicated to a target account, the CREATE SNOWFLAKE.ML.FORECAST privilege grant is replicated. The role analyst can create instances of the SNOWFLAKE.ML.FORECAST class in the target account.
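The conditions above, written out as an added example that is not part of the original page: a failover group that includes both the admin_db database and the ROLES object type, followed by a check in the target account of which schema-level grants the replicated role holds. The group name my_fg and the account identifiers myorg.source_acct and myorg.target_acct are placeholders.

```sql
-- Source account: replicate the database AND roles, so the
-- CREATE <class_name> grant on admin_db.admin_schema is replicated too.
-- my_fg, myorg.source_acct and myorg.target_acct are placeholder names.
CREATE FAILOVER GROUP my_fg
  OBJECT_TYPES = ROLES, DATABASES
  ALLOWED_DATABASES = admin_db
  ALLOWED_ACCOUNTS = myorg.target_acct;

GRANT CREATE SNOWFLAKE.ML.FORECAST
  ON SCHEMA admin_db.admin_schema
  TO ROLE analyst;

-- Target account: create the secondary group and refresh it.
CREATE FAILOVER GROUP my_fg
  AS REPLICA OF myorg.source_acct.my_fg;

ALTER FAILOVER GROUP my_fg REFRESH;

-- Target account: list the privileges the replicated role holds
-- on the replicated schema.
SHOW GRANTS TO ROLE analyst;

SELECT "privilege", "granted_on", "name", "granted_by"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" = 'SCHEMA'
   AND "name" = 'ADMIN_DB.ADMIN_SCHEMA';
```

Running the same SHOW GRANTS query in the source account gives a baseline to compare against when reviewing which CREATE <class_name> grants now reach target accounts.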
For a list of available Snowflake classes, see SQL class reference.
Ref: 1607