Categories:

Context Functions (Session Object)

INVOKER_ROLE

Returns the role name of the object executing the query.

Use the INVOKER_ROLE function in a Column-level Security masking policy SQL expression.

See also:

Advanced Column-level Security Topics

In this Topic:

Syntax

INVOKER_ROLE()

Arguments

None.

Usage Notes

The following table summarizes the relationship between the query and the INVOKER_ROLE value in the masking policy SQL expression.

Query where the masking policy applies

Value Returned by INVOKER_ROLE

View

View owner role.

UDF

UDF owner role.

Stored procedure with callers right

CURRENT_ROLE.

Stored procedure with owners right

Stored procedure owner role.

Task

Task owner role.

Stream

The role that queries a given stream.

The following diagram shows the relationship of a query performer, roles in Snowflake, and masking policies on tables or views.

Invoker Role Many Views

Where:

  • R0, R1, R2, R3

    Are roles in Snowflake.

  • P1, P2, P3

    Are masking policies in Snowflake.

  • V1, V2

    Are views in Snowflake.

  • T

    Is a table in Snowflake.

Based on this diagram, the values of CURRENT_ROLE and INVOKER_ROLE in a query are as follows:

Policy

CURRENT_ROLE

INVOKER_ROLE

P1

R3

R1

P2

R3

R2

P3

R3

R3

Examples

The following examples show how to use the INVOKER_ROLE in a masking policy SQL expression.

Return NULL for unauthorized users:

case
  when invoker_role() IN ('ANALYST') then val
  else NULL
end;

Return a static masked value for unauthorized users:

case
  when invoker_role() in ('ANALYST') then val
  else '********'
end;

Return a hash value using SHA2 , SHA2_HEX for unauthorized users:

case
  when invoker_role() in ('ANALYST') then val
  else sha2(val) -- return hash of the column value
end;