Categories:

User & Security DDL (Access Control)

GRANT ROLE¶

Assigns a role to a user or another role:

• Granting a role to another role creates a “parent-child” relationship between the roles (also referred to as a role hierarchy).

• Granting a role to a user enables the user to perform all operations allowed by the role (through the access privileges granted to the role).

For more details, see Access Control in Snowflake.

REVOKE ROLE

GRANT <privileges> … TO ROLE

Syntax¶

GRANT ROLE <name> TO { ROLE <parent_role_name> | USER <user_name> }


Parameters¶

name

Specifies the identifier for the role to grant. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.

ROLE parent_role_name

Grants the role to the specified role.

USER user_name

Grants the role to the specified user.

Usage Notes¶

• For roles, the command is typically used to grant custom roles to either the system-defined administrator roles (ACCOUNTADMIN, SECURITYADMIN, SYSADMIN) or other custom roles.

• The system-defined roles, including PUBLIC, do not need to be granted to other roles because the role hierarchy for these roles is defined and maintained by Snowflake.

Examples¶

GRANT ROLE analyst TO ROLE SYSADMIN;

GRANT ROLE analyst TO USER user1;