Access control: Disallow GRANT REFERENCE_USAGE if GRANT USAGE isn’t set first (Preview)

Attention

This behavior change is in the 2025_07 bundle.

For the current status of the bundle, refer to Bundle History.

When this behavior change bundle is enabled, users will not be able to set GRANT REFERENCE_USAGE on a database without first setting GRANT USAGE.

Before the change:

Users could run GRANT REFERENCE_USAGE on a database to a share without running GRANT USAGE, and Snowflake would apply the grant on the database as GRANT USAGE.

After the change:

Users must run GRANT USAGE before running GRANT REFERENCE_USAGE.

Before this change, if a user ran the following command without running GRANT USAGE, Snowflake also applied GRANT USAGE on the same database to the same share:

GRANT REFERENCE_USAGE ON DATABASE database2 TO SHARE share1;

After the change, if a user runs GRANT REFERENCE_USAGE without first running GRANT USAGE, Snowflake will return the following error:

Cannot grant REFERENCE_USAGE on database {db_name} to share {share_name}. Grant USAGE on a database to share prior to granting REFERENCE_USAGE.
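
To find provisioning scripts that will start returning this error, the ordering can be checked statically. The following is an added example, not Snowflake code: `find_unordered_reference_usage` is a hypothetical helper, the sample script is constructed, and it assumes (from the error text's "a database") that any earlier GRANT USAGE ON DATABASE to the same share satisfies the requirement. It sees only the script, not grants that already exist in the account.

```python
import re

# GRANT <USAGE|REFERENCE_USAGE> ON DATABASE <db> TO SHARE <share>,
# matched after whitespace has been collapsed to single spaces.
GRANT_RE = re.compile(
    r"^GRANT (USAGE|REFERENCE_USAGE) ON DATABASE (\S+) TO SHARE (\S+)$",
    re.IGNORECASE,
)

def _ident(name):
    # Unquoted Snowflake identifiers are case-insensitive; quoted ones are not.
    return name if name.startswith('"') else name.upper()

def find_unordered_reference_usage(sql_text):
    """Return (statement_number, database, share) for every GRANT REFERENCE_USAGE
    that no earlier GRANT USAGE ON DATABASE ... TO SHARE <share> precedes."""
    # Naive preprocessing: drop "--" comments, split on ";". REVOKE is not tracked.
    sql_text = re.sub(r"--[^\n]*", "", sql_text)
    statements = [" ".join(s.split()) for s in sql_text.split(";")]
    statements = [s for s in statements if s]

    shares_with_usage = set()
    findings = []
    for number, stmt in enumerate(statements, start=1):
        match = GRANT_RE.match(stmt)
        if not match:
            continue
        privilege, database, share = match.groups()
        share = _ident(share)
        if privilege.upper() == "USAGE":
            shares_with_usage.add(share)
        elif share not in shares_with_usage:
            findings.append((number, _ident(database), share))
    return findings

# Constructed sample: share1 relies on the old implicit behavior, share2 does not.
SAMPLE = """
-- constructed sample script
CREATE SHARE share1;
GRANT REFERENCE_USAGE ON DATABASE database2 TO SHARE share1;
GRANT USAGE ON DATABASE database1 TO SHARE share2;
GRANT REFERENCE_USAGE ON DATABASE database2 TO SHARE share2;
"""

if __name__ == "__main__":
    for number, database, share in find_unordered_reference_usage(SAMPLE):
        print(f"statement {number}: REFERENCE_USAGE on {database} to {share} has no prior GRANT USAGE")
```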

Ref: 2136