Create an organizational listing¶
Create an organizational listing to share data products securely within your organization. Before you create an organizational listing, review the prerequisites, known limitations, and considerations.
Prerequisites¶
Your organization has an ORGADMIN role. (Organization accounts are optional.)
Known limitations¶
Support for organizational listings in government regions is currently in preview with the following limitations:
Creating custom organization profiles in government regions isn’t supported.
The ACCESS_HISTORY view in the organization account isn’t available.
Organizational listings created from commercial or Virtual Private Snowflake (VPS) accounts don’t show up when searching, filtering, or browsing listings.
You must use the API to target specific regions.
Data products supported: Snowflake Native App Framework and shares.
Organizational listings that contain a Snowflake Native App do not support target roles for access or discovery.
The following features are not supported when using organizational listings:
Provider studio analytics.
Reader accounts.
You cannot specify specific regions in organizational listings using Snowsight.
Instead, you can specify the region in the manifest YAML file when creating or altering the listing programatically.
Considerations¶
Before you target an entire organization, check for external tenants. Adjust the target accounts for your data products before adding them to an organizational listing unless you intend to share them with external tenants.
Each share can be attached to one listing.
Each Native App can be attached to one or more listings.
For organization changes (such as mergers) with accounts containing organizational listings, contact Snowflake Support.
Access control requirements¶
Use the information provided here to determine the specific roles and privileges that you must have to execute organizational listing SQL commands.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Assign organizational listing privileges¶
To create an organizational listing, a role must have the necessary privileges to create a share, as shown in Share creation and management, as well as necessary privileges to create an organizational listing from it, as shown in Privileges to create an organizational listing using the share.
Privileges to alter an organizational listing¶
One of the following privileges is required to alter a listing.
Role |
Notes |
---|---|
OWNERSHIP |
Can |
MODIFY with grants option |
Can grant modify on data exchange listing <listing_name> to role <role_name>
|
Consume or query an organizational listing¶
To directly consume an organizational listing, you can reference the Uniform Listing Locator (ULL) without any additional privileges. If you require mounting the listing, then the following privileges are required:
Privilege |
Object |
Notes |
---|---|---|
IMPORT ORGANIZATION LISTING |
ACCOUNT |
To import an organizational listing. |
CREATE database |
ACCOUNT |
To create a database and mount the listing objects. |
Manage listing auto-fulfillment settings¶
Before managing auto-fulfillment settings for your organization listing, ensure that you have the necessary roles to manage auto-fulfilling the listing. See the auto-fulfillment required privileges for more information.
A role used to execute this operation must have the following privileges at a minimum:
Privilege |
Object |
Notes |
---|---|---|
MANAGE LISTING AUTO FULFILLMENT |
ACCOUNT |
To configure the auto-fulfillment settings. |
Create an organizational listing in Snowsight or SQL¶
Create an organizational listing.
Sign in to Snowsight.
Select Data Products » Provider Studio in the left-side navigation menu.
Select + Create Listing » Internal Marketplace.
Select + Data Product.
In the + Data Product dialog, click + Select.
Navigate to a data product such as a table, view or other data product.
Alternatively, search for and choose a data product to share.
Select Done when complete.
Select Save.
Specify who can access the listing (the target accounts, roles, and regions).
Select + Access Control. The Access and discovery dialog displays.
Complete the Grant access section:
Field
Description
Who can access this data product?
Select one of the following:
Entire organization: Anyone in the organization can access the listing.
If Entire organization is selected and cross-cloud auto-fulfillment is enabled on your account, then you’ll be prompted to review the auto-fulfillment refresh settings for the listing.
Selected accounts and roles: Only selected accounts and roles can access.
No accounts or roles are pre-approved: (Default) Data product will only be available by request.
Accounts
If Selected accounts and roles is selected, select one or more accounts.
Optional. Select + Add another account to add second and subsequent accounts.
By default, all roles in the selected accounts can access the listing. Select Selected roles to grant access only to specific roles each selected account.
Complete the Allow discovery section:
Field
Description
Who else can discover the listing and request access?
Select one of:
Entire organization: (Default) Anyone in the organization can discover listing and request access. This field is selected and disabled if Entire organization is specified for in the Grant access section.
Selected accounts and roles: Only selected accounts and roles can discover listing and request access.
Not discoverable by users without access: Only users with access can discover this listing.
Accounts
If Select accounts and roles is selected, select one or more accounts.
Optional. Select + Add another account to add second and subsequent accounts and grant access to specific roles.
Selected user roles
If Selected roles is selected, enter one or more roles to grant access.
If Allow discovery is Selected accounts and roles, then select Set up request approval flow.
In the Set up request approval flow dialog, select one of the following options in the How should the request approval happen? list:
Manage requests in Snowflake: Enter the email address of the request approver and optionally specify additional roles that can approve requests.
Manage requests outside of Snowflake: Enter an email address for the request approver or enter a URL that points to an internal ticketing system.
Note
The Set up request approval flow button isn’t available if the data product is accessible by the entire organization or if the data product is not discoverable by users without access.
Provide a title, and review the generated Uniform Listing Locator (ULL).
Changing a listings title is optional but recommended. For more information, see Uniform Listing Locator.
Select Untitled Listing.
For Listing title, enter a descriptive title for your data product.
Select Save or Cancel.
Complete the listing.
Enter addition information about listing page to guide consumers, such as description, data dictionary, usage examples, attributes and more.
Note that Support Contact is required.
Select Publish to make the listing available in the Internal Marketplace.
If you exit without publishing, the listing is saved as a draft that’s ready for review or for the addition of descriptive metadata.
Create an organizational listing from the share with the required attributes included in YAML (entered in $$ delimiters).
This part of the manifest yaml specifies the accounts that will be able to use the organizational listing:
organization_targets:
access:
This example creates a listing using the required settings in the manifest YAML. It targets one role in one account in one region and includes support and approver contacts:
Note
support_contact
is required.
approver_contact
is required if a discovery
target is provided.
USE ROLE <organizational_listing_role>;
CREATE ORGANIZATION LISTING <organization_listing_name>
SHARE <share_name> AS
$$
title: "My title"
description: "One region, all accounts"
organization_profile: "INTERNAL"
organization_targets:
discovery:
- account: "<account_name>"
roles:
- "<role>"
access:
- account: "<account_name>"
roles:
- "<role>"
support_contact: "support@somedomain.com"
approver_contact: "approver@somedomain.com"
locations:
access_regions:
- name: "PUBLIC.<snowflake_region>"
$$;
For a complete list of all fields and values for an organizational listing see Organization listing manifest reference. For additional examples, see Set who can discover and access an organizational listing.