GRANT DATABASE ROLE

Assigns a database role to an account role or another database role.

This action creates a “parent-child” relationship between the database role and the role it is granted to (also referred to as a role hierarchy).

Note that database roles cannot be granted directly to users.

For more details, see Overview of Access Control.

See also:

REVOKE DATABASE ROLE

GRANT ROLE , REVOKE ROLE

GRANT <privileges>

Syntax

GRANT DATABASE ROLE <name> TO ROLE <parent_role_name>
Copy

Parameters

name

Specifies the identifier (i.e. name) for the database role; must be unique in the database in which the role is created.

The identifier must start with an alphabetic character and cannot contain spaces or special characters unless the entire identifier string is enclosed in double quotes (e.g. "My object"). Identifiers enclosed in double quotes are also case-sensitive.

If the identifier is not fully qualified (in the form of db_name.database_role_name, the command looks for the database role in the current database for the session.

ROLE parent_role_name

Grants the role to the specified account role or database role.

A database role can be granted to either an account role or another database role in the same database. If the parent role is a database role and the identifier is not fully qualified (in the form of db_name.database_role_name, the command looks for the database role in the current database for the session.

Access control requirements

A role used to execute this SQL command must have the following privileges at a minimum:

Privilege or role

Object

Notes

ACCOUNTADMIN

SNOWFLAKE.BUDGET_CREATOR

A user with the ACCOUNTADMIN role can grant this database role to a custom role.

OWNERSHIP

Role

Role that is granted to a user or another role.

Alternatively, use a role with the global MANAGE GRANTS privilege. Only the SECURITYADMIN role, or a higher role, has this privilege by default. The privilege can be granted to additional roles as needed.

Note that operating on any object in a schema also requires the USAGE privilege on the parent database and schema.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes

The system-defined roles, including PUBLIC, do not need to be granted to other roles because the role hierarchy for these roles is defined and maintained by Snowflake.

Examples

GRANT DATABASE ROLE analyst TO ROLE SYSADMIN;
Copy