Access control: Disallow GRANT REFERENCE_USAGE if GRANT USAGE isn’t set first (Preview)¶
Attention
This behavior change is in the 2025_07 bundle.
For the current status of the bundle, refer to Bundle History.
When this behavior change bundle is enabled, users will not be able to set GRANT REFERENCE_USAGE on a database without first setting GRANT USAGE.
- Before the change:
Users could run GRANT REFERENCE_USAGE on a database to a share without running GRANT USAGE, and Snowflake would apply the grant on the database as GRANT USAGE.
- After the change:
Users must run GRANT USAGE before running GRANT REFERENCE_USAGE.
Before this change, if a user ran the following command without running GRANT USAGE, Snowflake also applied GRANT USAGE on the same database to the same share:
GRANT REFERENCE_USAGE ON DATABASE database2 TO SHARE share1;
After the change, if a user runs GRANT REFERENCE_USAGE without first running GRANT USAGE, Snowflake will return the following error:
Cannot grant REFERENCE_USAGE on database {db_name} to share {share_name}. Grant USAGE on a database to share prior to granting REFERENCE_USAGE.
Ref: 2136