GRANT <privileges> … TO APPLICATION¶
Grants one or more access privileges on a securable object to an application. The privileges that can be granted are object-specific.
- Variations:
Syntax¶
GRANT { { globalPrivileges } ON ACCOUNT
| { accountObjectPrivileges | ALL [ PRIVILEGES ] } ON { USER | RESOURCE MONITOR | WAREHOUSE | COMPUTE POOL | DATABASE | INTEGRATION | CONNECTION | FAILOVER GROUP | REPLICATION GROUP | EXTERNAL VOLUME } <object_name>
| { schemaPrivileges | ALL [ PRIVILEGES ] } ON { SCHEMA <schema_name> | ALL SCHEMAS IN DATABASE <db_name> }
| { schemaObjectPrivileges | ALL [ PRIVILEGES ] } ON { <object_type> <object_name> | ALL <object_type_plural> IN { DATABASE <db_name> | SCHEMA <schema_name> }
}
TO APPLICATION <name>
Where:
globalPrivileges ::=
{
CREATE {
COMPUTE POOL | DATABASE | WAREHOUSE
}
| BIND SERVICE ENDPOINT
| EXECUTE MANAGED TASK
| MANAGE WAREHOUSES
| READ SESSION
}
[ , ... ]
accountObjectPrivileges ::=
-- For COMPUTE POOL
{ MODIFY | MONITOR | OPERATE | USAGE } [ , ... ]
-- For CONNECTION
{ FAILOVER } [ , ... ]
-- For DATABASE
{ APPLYBUDGET | CREATE { DATABASE ROLE | SCHEMA }
| IMPORTED PRIVILEGES | MODIFY | MONITOR | USAGE } [ , ... ]
-- For EXTERNAL VOLUME
{ USAGE } [ , ... ]
-- For FAILOVER GROUP
{ FAILOVER | MODIFY | MONITOR | REPLICATE } [ , ... ]
-- For INTEGRATION
{ USAGE | USE_ANY_ROLE } [ , ... ]
-- For REPLICATION GROUP
{ MODIFY | MONITOR | REPLICATE } [ , ... ]
-- For RESOURCE MONITOR
{ MODIFY | MONITOR } [ , ... ]
-- For USER
{ MONITOR } [ , ... ]
-- For WAREHOUSE
{ APPLYBUDGET | MODIFY | MONITOR | USAGE | OPERATE } [ , ... ]
schemaPrivileges ::=
ADD SEARCH OPTIMIZATION
| CREATE {
ALERT | EXTERNAL TABLE | FILE FORMAT | FUNCTION
| IMAGE REPOSITORY | MATERIALIZED VIEW | PIPE | PROCEDURE
| { AGGREGATION | MASKING | PASSWORD | PROJECTION | ROW ACCESS | SESSION } POLICY
| SECRET | SEQUENCE | SERVICE | SNAPSHOT | STAGE | STREAM
| TAG | TABLE | TASK | VIEW
}
| MODIFY | MONITOR | USAGE
[ , ... ]
schemaObjectPrivileges ::=
-- For ALERT
{ MONITOR | OPERATE } [ , ... ]
-- For DYNAMIC TABLE
OPERATE, SELECT [ , ...]
-- For EVENT TABLE
{ INSERT | SELECT } [ , ... ]
-- For FILE FORMAT, FUNCTION (UDF or external function), PROCEDURE, SECRET, SEQUENCE, or SNAPSHOT
USAGE [ , ... ]
-- For IMAGE REPOSITORY
{ READ, WRITE } [ , ... ]
-- For PIPE
{ APPLYBUDGET | MONITOR | OPERATE } [ , ... ]
-- For { AGGREGATION | MASKING | PACKAGES | PASSWORD | PROJECTION | ROW ACCESS | SESSION } POLICY or TAG
APPLY [ , ... ]
-- For SECRET
READ, USAGE [ , ... ]
-- For SERVICE
{ MONITOR | OPERATE } [ , ... ]
-- For external STAGE
USAGE [ , ... ]
-- For internal STAGE
READ [ , WRITE ] [ , ... ]
-- For STREAM
SELECT [ , ... ]
-- For TABLE
{ APPLYBUDGET | DELETE | EVOLVE SCHEMA | INSERT | REFERENCES | SELECT | TRUNCATE | UPDATE } [ , ... ]
-- For TAG
READ
-- For TASK
{ APPLYBUDGET | MONITOR | OPERATE } [ , ... ]
-- For VIEW
{ REFERENCES | SELECT } [ , ... ]
-- For MATERIALIZED VIEW
{ APPLYBUDGET | REFERENCES | SELECT } [ , ... ]
For more details about the privileges supported for each object type, see Access control privileges.
Required parameters¶
object_nameSpecifies the identifier for the object on which the privileges are granted.
object_typeSpecifies the type of object for schema-level objects.
ALERTDYNAMIC TABLEEVENT TABLEEXTERNAL TABLEFILE FORMATFUNCTIONMASKING POLICYMATERIALIZED VIEWNETWORK RULEPACKAGES POLICYPASSWORD POLICYPIPEPROCEDUREROW ACCESS POLICYSECRETSESSION POLICYSEQUENCESTAGESTREAMTABLETAGTASKVIEW
object_type_pluralPlural form of
object_type(e.g.TABLES,VIEWS).Bulk grants on pipes are not allowed.
nameSpecifies the identifier for the recipient application (the application to which the privileges are granted).
Usage notes¶
Granting OWNERSHIP privileges on an object or all objects of a specified type in a schema or database to an application, or transferring ownership of the object from one application to another application, is not allowed.
Any ACCOUNT level privilege grant (not REVOKE) that is not in the current application version manifest is not allowed.
Example¶
Grant the SELECT privilege on a view to an application:
GRANT SELECT ON VIEW data.views.credit_usage
TO APPLICATION app_snowflake_credits;