CREATE APPLICATION ROLE

Creates a new application role or replaces an existing application role within an application created using the Native Apps Framework.

After creating an application role, you can grant object privileges to the application role and then grant the application role to other application roles or individual users to enable access control security for objects in an application.

Within an installed application, you can grant an application role to other application roles or you can grant privileges on other objects within the application or objects owned by the application in the consumer account.

Application roles are implicitly granted to the application owner WITH GRANT OPTION. The application owner may grant these roles to account-level roles, which provides access to the objects that are owned by the application.

See also:

ALTER APPLICATION ROLE, GRANT APPLICATION ROLE, REVOKE APPLICATION ROLE, SHOW APPLICATION ROLES

Syntax

CREATE [ OR REPLACE ] APPLICATION ROLE [ IF NOT EXISTS ] <name>
  [ COMMENT = '<string_literal>' ]

Required Parameters

name

Specifies the identifier (i.e. name) for the application role; must be unique in the application in which the role is created.

The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

If the identifier is not fully qualified, in the form of application_name.application_role_name, the command creates the application role in the current application for the session.

For more details, see Identifier requirements.

Optional Parameters

COMMENT = 'string_literal'

Specifies a comment for the application role.

Default: No value

Usage Notes

The maximum number of active application roles per application is 20.

Examples

CREATE APPLICATION ROLE APP_ROLE
  COMMENT = 'Application role for the Hello Snowflake application.';
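The grant flow described in the introduction, as an added example that is not part of the original reference: a setup script defines two application roles with separate privileges, and the consumer then grants them to account-level roles. The application name my_app, the schemas, table, view, and the account roles analyst and app_operator are hypothetical.

```sql
-- Provider side: statements placed in the application's setup script.
-- All object names below are hypothetical.

-- One role per access tier, so consumers can grant only what a team needs.
CREATE APPLICATION ROLE IF NOT EXISTS app_viewer
  COMMENT = 'Read-only access to reporting objects.';
CREATE APPLICATION ROLE IF NOT EXISTS app_admin
  COMMENT = 'Configuration access; inherits app_viewer.';

CREATE SCHEMA IF NOT EXISTS reporting;
CREATE SCHEMA IF NOT EXISTS config;

CREATE TABLE IF NOT EXISTS config.settings (
  setting_name  STRING,
  setting_value STRING
);

CREATE VIEW IF NOT EXISTS reporting.settings_summary AS
  SELECT COUNT(*) AS setting_count FROM config.settings;

-- Viewer tier: can read the summary view, cannot see the base table.
GRANT USAGE ON SCHEMA reporting TO APPLICATION ROLE app_viewer;
GRANT SELECT ON VIEW reporting.settings_summary TO APPLICATION ROLE app_viewer;

-- Admin tier: can read and change settings.
GRANT USAGE ON SCHEMA config TO APPLICATION ROLE app_admin;
GRANT SELECT, INSERT, UPDATE ON TABLE config.settings
  TO APPLICATION ROLE app_admin;

-- Role hierarchy inside the application: admin inherits viewer.
GRANT APPLICATION ROLE app_viewer TO APPLICATION ROLE app_admin;

-- Consumer side: run in the consumer account after installing the
-- application as my_app (hypothetical name). The application owner holds
-- both roles WITH GRANT OPTION and hands each tier to a different
-- account-level role.
GRANT APPLICATION ROLE my_app.app_viewer TO ROLE analyst;
GRANT APPLICATION ROLE my_app.app_admin  TO ROLE app_operator;

-- Review what exists and what each tier can reach.
SHOW APPLICATION ROLES IN APPLICATION my_app;
SHOW GRANTS TO APPLICATION ROLE my_app.app_viewer;
SHOW GRANTS TO APPLICATION ROLE my_app.app_admin;
```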