Access control: Privileges can be granted to users¶

Attention

This behavior change is in the 2025_02 bundle.

For the current status of the bundle, refer to Bundle History.

The ability to grant privileges is changing as follows:

Before the change:: You can grant privileges only to roles (RBAC).
After the change:: You can also grant privileges directly to users (UBAC). Privileges granted to a user allow that user access only when ALL secondary roles are activated in the current session.

This change extends the Snowflake access control framework to include user-based access control (UBAC).

Note

To use UBAC, you must enable the 2025_02 behavior change bundle in your account.

To enable this bundle in your account, execute the following statement:

SELECT SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2025_02');

For example, when bundle 2025_02 is enabled, the following command syntax will be supported:

GRANT <privileges> ... TO USER;

To grant the USAGE privilege on a Streamlit application to a specific user, joe:

GRANT USAGE ON STREAMLIT streamlit_db.streamlit_schema.streamlit_app TO USER joe;

If you need to disable UBAC in your account after Bundle 2025_02 becomes enabled by default, set the account parameter DISABLE_USER_PRIVILEGE_GRANTS = TRUE. For example:

ALTER ACCOUNT SET DISABLE_USER_PRIVILEGE_GRANTS = TRUE;

Ref: 1924