Categories:

Context Functions (Session Object)

INVOKER_ROLE

Returns the role name of the object executing the query.

See also:

Advanced Column-level Security Topics

In this Topic:

Syntax

INVOKER_ROLE()

Arguments

None.

Usage Notes

  • If using the INVOKER_ROLE function with Column-level Security, verify that your Snowflake account is Enterprise Edition or higher.

  • The following table summarizes the relationship between the query and the INVOKER_ROLE value in the masking policy SQL expression.

    Query where the masking policy applies

    Value Returned by INVOKER_ROLE

    View

    View owner role.

    UDF

    UDF owner role.

    Stored procedure with callers right

    CURRENT_ROLE.

    Stored procedure with owners right

    Stored procedure owner role.

    Task

    Task owner role.

    Stream

    The role that queries a given stream.

  • The following diagram shows the relationship of a query performer, roles in Snowflake, and masking policies on tables or views.

    Invoker Role Many Views

    Where:

    • R0, R1, R2, R3

      Are roles in Snowflake.

    • P1, P2, P3

      Are masking policies in Snowflake.

    • V1, V2

      Are views in Snowflake.

    • T

      Is a table in Snowflake.

    Based on this diagram, the values of CURRENT_ROLE and INVOKER_ROLE in a query are as follows:

    Policy

    CURRENT_ROLE

    INVOKER_ROLE

    P1

    R3

    R1

    P2

    R3

    R2

    P3

    R3

    R3

Examples

The following examples show how to use the INVOKER_ROLE in a masking policy SQL expression.

Return NULL for unauthorized users:

case
  when invoker_role() IN ('ANALYST') then val
  else NULL
end;

Return a static masked value for unauthorized users:

case
  when invoker_role() in ('ANALYST') then val
  else '********'
end;

Return a hash value using SHA2 , SHA2_HEX for unauthorized users:

case
  when invoker_role() in ('ANALYST') then val
  else sha2(val) -- return hash of the column value
end;