SHOW SESSION POLICIES¶

Lists session policy information, including the creation date, database and schema names, owner, and any available comments.

See also:

Session Policy DDL Reference

Syntax¶

SHOW SESSION POLICIES
  [ LIKE '<pattern>' ]
  [ IN
       {
         ACCOUNT                                         |

         DATABASE                                        |
         DATABASE <database_name>                        |

         SCHEMA                                          |
         SCHEMA <schema_name>                            |

         APPLICATION <application_name>                  |
         APPLICATION PACKAGE <application_package_name>  |
       }
    |
    ON
       {
         ACCOUNT           |
         USER <user_name>  |
       }
  ]
  [ STARTS WITH '<name_string>' ]
  [ LIMIT <rows> ]
Copy

Parameters¶

LIKE 'pattern'

Optionally filters the command output by object name. The filter uses case-insensitive pattern matching, with support for SQL wildcard characters (% and _).

For example, the following patterns return the same results:

... LIKE '%testing%' ...
... LIKE '%TESTING%' ...

. Default: No value (no filtering is applied to the output).

[ IN ... ]

Optionally specifies the scope of the command. Specify one of the following:

ACCOUNT

Returns records for the entire account.

DATABASE, . DATABASE db_name

Returns records for the current database in use or for a specified database (db_name).

If you specify DATABASE without db_name and no database is in use, the keyword has no effect on the output.

Note

Using SHOW commands without an IN clause in a database context can result in fewer than expected results.

Objects with the same name are only displayed once if no IN clause is used. For example, if you have table t1 in schema1 and table t1 in schema2, and they are both in scope of the database context you’ve specified (that is, the database you’ve selected is the parent of schema1 and schema2), then SHOW TABLES only displays one of the t1 tables.

SCHEMA, . SCHEMA schema_name

Returns records for the current schema in use or a specified schema (schema_name).

SCHEMA is optional if a database is in use or if you specify the fully qualified schema_name (for example, db.schema).

If no database is in use, specifying SCHEMA has no effect on the output.

APPLICATION application_name, . APPLICATION PACKAGE application_package_name

Returns records for the named Snowflake Native App or application package.

If you omit IN ..., the scope of the command depends on whether the session currently has a database in use:

  • If a database is currently in use, the command returns the objects you have privileges to view in the database. This has the same effect as specifiying IN DATABASE.

  • If no database is currently in use, the command returns the objects you have privileges to view in your account. This has the same effect as specifiying IN ACCOUNT.

[ ON ... ]

Lists the policies that are effective on the specified object. This command considers precedence. For example, listing policies on a user will show the account or built-in policy that is effective for the user if there is no policy set specifically on the user. Specify one of the following:

ACCOUNT

Returns policies effective on the account.

USER user_name

Returns policies effective on the specified user.

STARTS WITH 'name_string'

Optionally filters the command output based on the characters that appear at the beginning of the object name. The string must be enclosed in single quotes and is case sensitive.

For example, the following strings return different results:

... STARTS WITH 'B' ...
... STARTS WITH 'b' ...

. Default: No value (no filtering is applied to the output)

LIMIT rows

Optionally limits the maximum number of rows returned. The actual number of rows returned might be less than the specified limit. For example, the number of existing objects is less than the specified limit.

Default: No value (no limit is applied to the output).

Access control requirements¶

A role used to execute this SQL command must have at least one of the following privileges at a minimum:

Privilege

Object

Notes

APPLY SESSION POLICY

Account

OWNERSHIP

Session policy

OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role (or any role with the MANAGE GRANTS privilege).

The USAGE privilege on the parent database and schema are required to perform operations on any object in a schema. Note that a role granted any privilege on a schema allows that role to resolve the schema. For example, a role granted CREATE privilege on a schema can create objects on that schema without also having USAGE granted on that schema.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

For additional details on session policy DDL and privileges, see Managing session policies.

Usage notes¶

  • The command doesn’t require a running warehouse to execute.

  • The command only returns objects for which the current user’s current role has been granted at least one access privilege.

  • The MANAGE GRANTS access privilege implicitly allows its holder to see every object in the account. By default, only the account administrator (users with the ACCOUNTADMIN role) and security administrator (users with the SECURITYADMIN role) have the MANAGE GRANTS privilege.

  • To post-process the output of this command, you can use the pipe operator (->>) or the RESULT_SCAN function. Both constructs treat the output as a result set that you can query.

    The output column names for this command are generated in lowercase. If you consume a result set from this command with the pipe operator or the RESULT_SCAN function, use double-quoted identifiers for the column names in the query to ensure that they match the column names in the output that was scanned. For example, if the name of an output column is type, then specify "type" for the identifier.

  • The value for LIMIT rows can’t exceed 10000. If LIMIT rows is omitted, the command results in an error if the result set is larger than ten thousand rows.

    To view results for which more than ten thousand records exist, either include LIMIT rows or query the corresponding view in the Snowflake Information Schema.

Example¶

SHOW SESSION POLICIES;
Copy
----------------------------------+-----------------------+---------------+-------------+----------------+--------------+--------------------------------------------------+---------+
         created_on               | name                  | database_name | schema_name |      kind      |  owner       |   comment                                        | options |
----------------------------------+-----------------------+---------------+-------------+----------------+--------------+--------------------------------------------------+---------+
  Mon, 11 Jan 2021 00:00:00 -0700 | session_policy_prod_1 | MY_DB         | MY_SCHEMA   | SESSION_POLICY | POLICY_ADMIN | session policy for use in the prod_1 environment | ""      |
----------------------------------+-----------------------+---------------+-------------+----------------+--------------+--------------------------------------------------+---------+
Language: English