SNOWFLAKE database roles

When an account is provisioned, the SNOWFLAKE database is automatically imported. The database is an example of Snowflake using Secure Data Sharing to provide object metadata and other usage metrics for your organization and accounts.

Access to schema objects in the SNOWFLAKE database is controlled by different database roles. The following sections describe each SNOWFLAKE database role, its associated privileges, and the associated schema objects the role is granted access to.

ACCOUNT_USAGE schema

ACCOUNT_USAGE schemas have four defined SNOWFLAKE database roles, each granted the SELECT privilege on specific views.

Role

Purpose and Description

OBJECT_VIEWER

The OBJECT_VIEWER role provides visibility into object metadata.

USAGE_VIEWER

The USAGE_VIEWER role provides visibility into historical usage information.

GOVERNANCE_VIEWER

The GOVERNANCE_VIEWER role provides visibility into policy related information.

SECURITY_VIEWER

The SECURITY_VIEWER role provides visibility into security based information.

ACCOUNT_USAGE Views by Database Role

The OBJECT_VIEWER, USAGE_VIEWER, GOVERNANCE_VIEWER, and SECURITY_VIEWER roles have the SELECT privilege to query Account Usage views in the shared SNOWFLAKE database.

A checkmark (i.e. ✔) indicates the role is granted the SELECT privilege on the view.

View

OBJECT_VIEWER Role

USAGE_VIEWER Role

GOVERNANCE_VIEWER Role

SECURITY_VIEWER Role

COLUMNS view

COMPLETE_TASK_GRAPHS view

DATABASES view

ELEMENT_TYPES view

FIELDS view

FILE_FORMATS view

FUNCTIONS view

HYBRID_TABLES view

INDEXES view

INDEX_COLUMNS view

OBJECT_DEPENDENCIES view

PIPES view

REFERENTIAL_CONSTRAINTS view

SCHEMATA view

SEQUENCES view

STAGES view

TABLE_CONSTRAINTS view

TABLES view

TAGS view

VIEWS view

AUTOMATIC_CLUSTERING_HISTORY view

BLOCK_STORAGE_HISTORY view

CLASS_INSTANCES view

CLASSES view

COPY_HISTORY view

DATA_QUALITY_MONITORING_USAGE_HISTORY view

DATA_TRANSFER_HISTORY view

DATABASE_STORAGE_USAGE_HISTORY view

EVENT_USAGE_HISTORY view

EXTERNAL_ACCESS_HISTORY view

HYBRID_TABLE_USAGE_HISTORY view

LOAD_HISTORY view

MATERIALIZED_VIEW_REFRESH_HISTORY view

METERING_DAILY_HISTORY view

METERING_HISTORY view

PIPE_USAGE_HISTORY view

REPLICATION_USAGE_HISTORY view

REPLICATION_GROUP_REFRESH_HISTORY view

REPLICATION_GROUP_USAGE_HISTORY view

SERVICES view

SNOWPARK_CONTAINER_SERVICES_HISTORY view

SEARCH_OPTIMIZATION_HISTORY view

SERVERLESS_TASK_HISTORY view

STAGE_STORAGE_USAGE_HISTORY view

STORAGE_USAGE view

TABLE_DML_HISTORY View

TABLE_PRUNING_HISTORY View

TABLE_STORAGE_METRICS view

TASK_HISTORY view

WAREHOUSE_EVENTS_HISTORY view

WAREHOUSE_LOAD_HISTORY view

WAREHOUSE_METERING_HISTORY view

ACCESS_HISTORY view

AGGREGATE_ACCESS_HISTORY view

AGGREGATE_QUERY_HISTORY view

AGGREGATION_POLICIES view

DATA_CLASSIFICATION_LATEST view

DATA_METRIC_FUNCTION_REFERENCES view

MASKING_POLICIES view

QUERY_ACCELERATION_ELIGIBLE view

QUERY_HISTORY view

POLICY_REFERENCES view

PROJECTION_POLICIES view

ROW_ACCESS_POLICIES view

TAG_REFERENCES view

GRANTS_TO_ROLES view

GRANTS_TO_USERS view

LOGIN_HISTORY view

NETWORK_POLICIES view

NETWORK_RULES view

NETWORK_RULE_REFERENCES view

PASSWORD_POLICIES view

ROLES view

SECRETS view

SESSION_POLICIES view

SESSIONS view

USERS view

READER_ACCOUNT_USAGE schema

The READER_USAGE_VIEWER SNOWFLAKE database role is granted SELECT privilege on all READER_ACCOUNT_USAGE views. As reader accounts are created by clients, the READER_USAGE_VIEWER role is expected to be granted to those roles used to monitor reader account use.

View

LOGIN_HISTORY view

QUERY_HISTORY view

RESOURCE_MONITORS view

STORAGE_USAGE view

WAREHOUSE_METERING_HISTORY view

ORGANIZATION_USAGE schema

The ORGANIZATION_USAGE_VIEWER, ORGANIZATION_BILLING_VIEWER, and ORGANIZATION_ACCOUNTS_VIEWER SNOWFLAKE database roles are granted the SELECT privilege on Organization Usage views in the shared SNOWFLAKE database.

View

ORGANIZATION_BILLING_VIEWER Role

ORGANIZATION_USAGE_VIEWER Role

ORGANIZATION_ACCOUNTS_VIEWER Role

ACCOUNTS view

CONTRACT_ITEMS view

LISTING_AUTO_FULFILLMENT_USAGE_HISTORY view

RATE_SHEET_DAILY view

REMAINING_BALANCE_DAILY view

USAGE_IN_CURRENCY_DAILY view

MARKETPLACE_DISBURSEMENT_REPORT View

DATA_TRANSFER_DAILY_HISTORY view

DATA_TRANSFER_HISTORY view

DATABASE_STORAGE_USAGE_HISTORY view

AUTOMATIC_CLUSTERING_HISTORY view

MARKETPLACE_PAID_USAGE_DAILY View

MATERIALIZED_VIEW_REFRESH_HISTORY view

METERING_DAILY_HISTORY view

MONETIZED_USAGE_DAILY View

PIPE_USAGE_HISTORY view

QUERY_ACCELERATION_HISTORY view

REPLICATION_GROUP_USAGE_HISTORY view

REPLICATION_USAGE_HISTORY view

SEARCH_OPTIMIZATION_HISTORY view

STAGE_STORAGE_USAGE_HISTORY view

STORAGE_DAILY_HISTORY view

WAREHOUSE_METERING_HISTORY view

CORE schema

The CORE_VIEWER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts containing a shared SNOWFLAKE database. The USAGE privilege is granted to all Snowflake-defined functions and bundles in the CORE schema.

Budget class

The BUDGET_CREATOR Snowflake database role is granted the USAGE privilege on the SNOWFLAKE.CORE schema and the BUDGET class in the schema. This grant allows users with the BUDGET_CREATOR role to create instances of the BUDGET class.

For more information, see Create a custom role to create budgets.

Tag objects

The CORE_VIEWER database role is granted the APPLY privilege each Data Classification system tag: SNOWFLAKE.CORE.PRIVACY_CATEGORY and SNOWFLAKE.CORE.SEMANTIC_CATEGORY. These grants allow users with a role that is granted the CORE_VIEWER database role to assign these system tags to columns.

For details, see:

ALERT schema

The ALERT_VIEWER SNOWFLAKE database role is granted the USAGE privilege on the functions defined in this schema.

ML schema

The ML_USER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts that contain a shared SNOWFLAKE database and allows customers to access and use ML functions.

MONITORING schema

The MONITORING_VIEWER database role has the SELECT privilege on all views in the MONITORING schema.

The MONITORING_VIEWER database role is granted to the PUBLIC role in all Snowflake accounts containing a shared SNOWFLAKE database.

CORTEX schema

The CORTEX_USER SNOWFLAKE database role allows customers to access Cortex LLM Functions. Initially, this database role is granted to only the ACCOUNTADMIN role. ACCOUNTADMIN must propagate this role to account roles in order to allow users to use Cortex LLM Functions.

SNOWFLAKE.COPILOT_USER database role

The SNOWFLAKE.COPILOT_USER database role allows customers to access Snowflake Copilot features. Initially, this database role is granted to the PUBLIC role. The PUBLIC role is automatically granted to all users and roles, so this allows all users in your account to use Snowflake Copilot. If you want to limit access to Snowflake Copilot features, you can revoke access to the PUBLIC role and grant access to specific roles. For details, see Access control requirements.

Using SNOWFLAKE database roles

Administrators can use the GRANT DATABASE ROLE to assign a SNOWFLAKE database role to another role, which can then be granted to a user. This would allow the user to access a specific subset of views in the SNOWFLAKE database.

In this following example a role is created which can be used to view SNOWFLAKE database object metadata, and does the following:

  1. Creates a custom role.

  2. Grants the OBJECT_VIEWER role to the custom role.

  3. Grants the custom role to a user.

To create and grant the custom role, do the following:

  1. Create the CAN_VIEWMD role, using CREATE ROLE that will be used to grant access to object metadata.

    Only users with the USERADMIN system role or higher, or another role with the CREATE ROLE privilege on the account, can create roles.

    CREATE ROLE CAN_VIEWMD COMMENT = 'This role can view metadata per SNOWFLAKE database role definitions';
    
    Copy
  2. Grant the OBJECT_VIEWER role to the CAN_VIEWMD role.

    Only users with the OWNERSHIP role can grant SNOWFLAKE database roles. For additional information, refer to GRANT DATABASE ROLE.

    GRANT DATABASE ROLE OBJECT_VIEWER TO ROLE CAN_VIEWMD;
    
    Copy
  3. Assign CAN_VIEWMD role to user smith.

    Only users with the SECURITYADMIN role can grant roles to users. For additional options, refer to GRANT ROLE.

    GRANT ROLE CAN_VIEWMD TO USER smith;
    
    Copy