SHOW ROLES¶
Lists all the roles which you can view across your entire account, including the system-defined roles and any custom roles that exist.
Important
Snowflake allows users to list roles; however, the ability to list roles is not the same as using any role. Knowing the names of roles does not allow any additional access.
This is a part of Discretionary Access Control and Role-Based Access Control. For more information, see Overview of Access Control.
- See also:
Syntax¶
SHOW [ TERSE ] ROLES
  [ LIKE '<pattern>' ]
  [ IN CLASS <class_name> ]
  [ STARTS WITH '<name_string>']
  [ LIMIT <rows> [ FROM '<name_string>' ] ]
Parameters¶
- TERSE
- Returns only a subset of columns: - is_default
- Specifies whether the role used to run the command is the user’s default role. 
- is_current
- Specifies whether the role used to run the command is the user’s current role. 
- is_inherited
- Specifies whether the role used to run the command inherits the specified role. 
 
- LIKE 'pattern'
- Optionally filters the command output by object name. The filter uses case-insensitive pattern matching, with support for SQL wildcard characters ( - %and- _).- For example, the following patterns return the same results: - ... LIKE '%testing%' ...- ... LIKE '%TESTING%' ...- . Default: No value (no filtering is applied to the output). 
- IN CLASS class_name
- Returns records for the specified class ( - class_name).
- STARTS WITH 'name_string'
- Optionally filters the command output based on the characters that appear at the beginning of the object name. The string must be enclosed in single quotes and is case sensitive. - For example, the following strings return different results: - ... STARTS WITH 'B' ...- ... STARTS WITH 'b' ...- . Default: No value (no filtering is applied to the output) 
- LIMIT rows [ FROM 'name_string' ]
- Optionally limits the maximum number of rows returned, while also enabling “pagination” of the results. The actual number of rows returned might be less than the specified limit. For example, the number of existing objects is less than the specified limit. - The optional - FROM 'name_string'subclause effectively serves as a “cursor” for the results. This enables fetching the specified number of rows following the first row whose object name matches the specified string:- The string must be enclosed in single quotes and is case sensitive. 
- The string does not have to include the full object name; partial names are supported. 
 - Default: No value (no limit is applied to the output) - Note - For SHOW commands that support both the - FROM 'name_string'and- STARTS WITH 'name_string'clauses, you can combine both of these clauses in the same statement. However, both conditions must be met or they cancel out each other and no results are returned.- In addition, objects are returned in lexicographic order by name, so - FROM 'name_string'only returns rows with a higher lexicographic value than the rows returned by- STARTS WITH 'name_string'.- For example: - ... STARTS WITH 'A' LIMIT ... FROM 'B'would return no results.
- ... STARTS WITH 'B' LIMIT ... FROM 'A'would return no results.
- ... STARTS WITH 'A' LIMIT ... FROM 'AB'would return results (if any rows match the input strings).
 
Usage notes¶
- If you specify - CLASS, only the following columns are returned:- | created_on | name | comment |
- The command doesn’t require a running warehouse to execute. 
- The command only returns objects for which the current user’s current role has been granted at least one access privilege. 
- The MANAGE GRANTS access privilege implicitly allows its holder to see every object in the account. By default, only the account administrator (users with the ACCOUNTADMIN role) and security administrator (users with the SECURITYADMIN role) have the MANAGE GRANTS privilege. 
- To post-process the output of this command, you can use the pipe operator ( - ->>) or the RESULT_SCAN function. Both constructs treat the output as a result set that you can query.- The output column names for this command are generated in lowercase. If you consume a result set from this command with the pipe operator or the RESULT_SCAN function, use double-quoted identifiers for the column names in the query to ensure that they match the column names in the output that was scanned. For example, if the name of an output column is - type, then specify- "type"for the identifier.
Examples¶
Show all roles:
SHOW ROLES;---------------------------------+---------------+------------+------------+--------------+-------------------+------------------+---------------+---------------+--------------------------+ created_on | name | is_default | is_current | is_inherited | assigned_to_users | granted_to_roles | granted_roles | owner | comment | ---------------------------------+---------------+------------+------------+--------------+-------------------+------------------+---------------+---------------+--------------------------+ Fri, 05 Dec 2014 16:25:06 -0800 | ACCOUNTADMIN | Y | Y | N | 1 | 0 | 2 | | | Mon, 15 Dec 2014 17:58:33 -0800 | ANALYST | N | N | N | 0 | 6 | 0 | SECURITYADMIN | Data analyst | Fri, 05 Dec 2014 16:25:06 -0800 | PUBLIC | N | N | Y | 0 | 0 | 0 | | | Fri, 05 Dec 2014 16:25:06 -0800 | SECURITYADMIN | N | N | Y | 0 | 1 | 0 | | | Fri, 05 Dec 2014 16:25:06 -0800 | SYSADMIN | N | N | Y | 5 | 1 | 2 | | | ---------------------------------+---------------+------------+------------+--------------+-------------------+------------------+---------------+---------------+--------------------------+
In this example:
- The ACCOUNTADMIN system-defined role is the current role and default role for the current (i.e. logged-in) user. 
- In addition to the four system-defined roles, one custom role (ANALYST) has been created. The role is owned by the SECURITYADMIN system-defined role. 
Return up to ten account roles in the account after the first role named my_role2:
SHOW ROLES LIMIT 10 FROM 'my_role2';