Context Functions (Session Object)
Returns the name of the account-level role of the object executing the query or NULL if the name of the role is a database role.
In this Topic:
If using the INVOKER_ROLE function with Column-level Security, verify that your Snowflake account is Enterprise Edition or higher.
The following table summarizes the relationship between the query and the INVOKER_ROLE value in the masking policy SQL expression.
Query where the masking policy applies
Value Returned by INVOKER_ROLE
View owner role.
UDF owner role.
Stored procedure with callers right
Stored procedure with owners right
Stored procedure owner role.
Task owner role.
The role that queries a given stream.
The following diagram shows the relationship of a query performer, roles in Snowflake, and masking policies on tables or views.
R0, R1, R2, R3
Are roles in Snowflake.
P1, P2, P3
Are masking policies in Snowflake.
Are views in Snowflake.
Is a table in Snowflake.
Based on this diagram, the values of CURRENT_ROLE and INVOKER_ROLE in a query are as follows:
The following examples show how to use the INVOKER_ROLE in a masking policy SQL expression.
Return NULL for unauthorized users:
case when invoker_role() IN ('ANALYST') then val else NULL end;
Return a static masked value for unauthorized users:
case when invoker_role() in ('ANALYST') then val else '********' end;
Return a hash value using SHA2 , SHA2_HEX for unauthorized users:
case when invoker_role() in ('ANALYST') then val else sha2(val) -- return hash of the column value end;