USE SECONDARY ROLES

Specifies the active/current secondary roles for the session. The currently-active secondary roles set the context that determines whether the current user has the necessary privileges to perform SQL actions.

Note that authorization to execute CREATE <object> statements to create objects is provided by the primary role.

For more information, see secondary role enforcement.

See also:

USE ROLE

Syntax

USE SECONDARY ROLES {
      ALL
    | NONE
    | <role_name> [ , <role_name> ... ]
  }
Copy

Parameters

ALL

All roles that have been granted to the user in addition to the current active primary role.

Note that the set of roles is reevaluated when each SQL statement executes. If additional roles are granted to the user, and that user executes a new SQL statement, the newly granted roles are active secondary roles for the new SQL statement. The same logic applies to roles that are revoked from a user.

NONE

Disables secondary roles. The authorization for all SQL actions is provided via the primary role.

role_name [ , role_name ... ]

Allows the specified roles as secondary roles. The secondary roles can be user-defined account roles or system roles. Specify the role name as it is stored in Snowflake.

If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.

For more information, see Identifier requirements.

Usage notes

  • To use a role, the role must have been granted to the user.

  • Note that you cannot select multiple roles in the context dropdown.

  • If the session policy specifies ALLOWED_SECONDARY_ROLES = () and the session policy is set on the account or user in the account, an error message occurs:

    No secondary roles are activated due to the session policy associated with the user or account.
Language: English