Create an organizational listing¶

Create an organizational listing to share data products securely within your organization. Before you create an organizational listing, review the prerequisites, known limitations, and considerations.

Prerequisites¶

Your organization has an ORGADMIN role. (Organization accounts are optional.)

Known limitations¶

Support for organizational listings in government regions is currently in preview with the following limitations:
- Creating custom organization profiles in government regions isn’t supported.
- The ACCESS_HISTORY view in the organization account isn’t available.
- Organizational listings created from commercial or Virtual Private Snowflake (VPS) accounts don’t show up when searching, filtering, or browsing listings.
You must use the API to target specific regions.
Data products supported: Snowflake Native App Framework and shares.
Organizational listings that contain a Snowflake Native App do not support target roles for access or discovery.
The following features are not supported when using organizational listings:
- Provider studio analytics.
- Reader accounts.
You cannot specify specific regions in organizational listings using Snowsight.

Instead, you can specify the region in the manifest YAML file when creating or altering the listing programatically.

Considerations¶

Before you target an entire organization, check for external tenants. Adjust the target accounts for your data products before adding them to an organizational listing unless you intend to share them with external tenants.
Each share can be attached to one listing.
Each Native App can be attached to one or more listings.
For organization changes (such as mergers) with accounts containing organizational listings, contact Snowflake Support.

Access control requirements¶

Use the information provided here to determine the specific roles and privileges that you must have to execute organizational listing SQL commands.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Assign organizational listing privileges¶

To create an organizational listing, a role must have the necessary privileges to create a share, as shown in Share creation and management, as well as necessary privileges to create an organizational listing from it, as shown in Privileges to create an organizational listing using the share.

Share creation and management¶

To create a share and to create and manage objects inside a share, a role must have the necessary privileges on the data objects, schemas, and the CREATE SHARE command.

Privilege	Object	Notes
CREATE SHARE	ACCOUNT	To `CREATE` a share
OWNERSHIP or USAGE with grants option	DATABASE	To see and `USE` the specified database.
OWNERSHIP or USAGE with grants option	SCHEMA	To see the specified schema.
SELECT	TABLE	To query specified tables in the specified schema.

The USAGE privilege on the parent database and schema is required to perform operations on any object in a schema.

Privileges to create an organizational listing using the share¶

One of the following privileges is required to create an organizational listing, in addition to the share-related privileges listed above.

Privilege	Object	Notes
CREATE ORGANIZATION LISTING	ACCOUNT	To create and alter organizational listings.
CREATE LISTING	ACCOUNT	To create and alter organizational listings and private listings.

Privileges to alter an organizational listing¶

One of the following privileges is required to alter a listing.

Role	Notes
OWNERSHIP	Can `ALTER` a share without additional grant options.
MODIFY with grants option	Can `ALTER` a share after granting modify privileges to a role. This can be done using: grant modify on data exchange listing <listing_name> to role <role_name> Copy

Consume or query an organizational listing¶

To directly consume an organizational listing, you can reference the Uniform Listing Locator (ULL) without any additional privileges. If you require mounting the listing, then the following privileges are required:

Privilege	Object	Notes
IMPORT ORGANIZATION LISTING	ACCOUNT	To import an organizational listing.
CREATE database	ACCOUNT	To create a database and mount the listing objects.

Manage listing auto-fulfillment settings¶

Before managing auto-fulfillment settings for your organization listing, ensure that you have the necessary roles to manage auto-fulfilling the listing. See the auto-fulfillment required privileges for more information.

A role used to execute this operation must have the following privileges at a minimum:

Privilege	Object	Notes
MANAGE LISTING AUTO FULFILLMENT	ACCOUNT	To configure the auto-fulfillment settings.

Create an organizational listing in Snowsight or SQL¶

Create an organizational listing.
1. Sign in to Snowsight.
2. Select Data Products » Provider Studio in the left-side navigation menu.
3. Select + Create Listing » Internal Marketplace.
4. Select + Data Product.
5. In the + Data Product dialog, click + Select.
6. Navigate to a data product such as a table, view or other data product.
  
  Alternatively, search for and choose a data product to share.
7. Select Done when complete.
8. Select Save.

Specify who can access the listing (the target accounts, roles, and regions).

Select + Access Control. The Access and discovery dialog displays.

Complete the Grant access section:

Field	Description
Who can access this data product?	Select one of the following: Entire organization: Anyone in the organization can access the listing. If Entire organization is selected and cross-cloud auto-fulfillment is enabled on your account, then you’ll be prompted to review the auto-fulfillment refresh settings for the listing. Selected accounts and roles: Only selected accounts and roles can access. No accounts or roles are pre-approved: (Default) Data product will only be available by request.
Accounts	If Selected accounts and roles is selected, select one or more accounts. Optional. Select + Add another account to add second and subsequent accounts. By default, all roles in the selected accounts can access the listing. Select Selected roles to grant access only to specific roles each selected account.

Field

Description

Who can access this data product?

Select one of the following:

Entire organization: Anyone in the organization can access the listing.

If Entire organization is selected and cross-cloud auto-fulfillment is enabled on your account, then you’ll be prompted to review the auto-fulfillment refresh settings for the listing.
Selected accounts and roles: Only selected accounts and roles can access.
No accounts or roles are pre-approved: (Default) Data product will only be available by request.

Accounts

If Selected accounts and roles is selected, select one or more accounts.

Optional. Select + Add another account to add second and subsequent accounts.

By default, all roles in the selected accounts can access the listing. Select Selected roles to grant access only to specific roles each selected account.

Complete the Allow discovery section:

Field	Description
Who else can discover the listing and request access?	Select one of: Entire organization: (Default) Anyone in the organization can discover listing and request access. This field is selected and disabled if Entire organization is specified for in the Grant access section. Selected accounts and roles: Only selected accounts and roles can discover listing and request access. Not discoverable by users without access: Only users with access can discover this listing.
Accounts	If Select accounts and roles is selected, select one or more accounts. Optional. Select + Add another account to add second and subsequent accounts and grant access to specific roles.
Selected user roles	If Selected roles is selected, enter one or more roles to grant access.

Field

Description

Who else can discover the listing and request access?

Select one of:

Entire organization: (Default) Anyone in the organization can discover listing and request access. This field is selected and disabled if Entire organization is specified for in the Grant access section.
Selected accounts and roles: Only selected accounts and roles can discover listing and request access.
Not discoverable by users without access: Only users with access can discover this listing.

Accounts

If Select accounts and roles is selected, select one or more accounts.

Optional. Select + Add another account to add second and subsequent accounts and grant access to specific roles.

Selected user roles

If Selected roles is selected, enter one or more roles to grant access.

If Allow discovery is Selected accounts and roles, then select Set up request approval flow.
- In the Set up request approval flow dialog, select one of the following options in the How should the request approval happen? list:
  - Manage requests in Snowflake: Enter the email address of the request approver and optionally specify additional roles that can approve requests.
  - Manage requests outside of Snowflake: Enter an email address for the request approver or enter a URL that points to an internal ticketing system.
  Note
  
  The Set up request approval flow button isn’t available if the data product is accessible by the entire organization or if the data product is not discoverable by users without access.

Provide a title, and review the generated Uniform Listing Locator (ULL).

Changing a listings title is optional but recommended. For more information, see Uniform Listing Locator.
1. Select Untitled Listing.
2. For Listing title, enter a descriptive title for your data product.
3. Select Save or Cancel.
Complete the listing.

Enter addition information about listing page to guide consumers, such as description, data dictionary, usage examples, attributes and more.

Note that Support Contact is required.
Select Publish to make the listing available in the Internal Marketplace.

If you exit without publishing, the listing is saved as a draft that’s ready for review or for the addition of descriptive metadata.

Create an organizational listing from the share with the required attributes included in YAML (entered in $$ delimiters).

This part of the manifest yaml specifies the accounts that will be able to use the organizational listing:

organization_targets:
  access:

Copy

This example creates a listing using the required settings in the manifest YAML. It targets one role in one account in one region and includes support and approver contacts:

Note

support_contact is required. approver_contact is required if a discovery target is provided.

USE ROLE <organizational_listing_role>;

CREATE ORGANIZATION LISTING <organization_listing_name>
SHARE <share_name> AS
$$
title: "My title"
description: "One region, all accounts"
organization_profile: "INTERNAL"
organization_targets:
  discovery:
  - account: "<account_name>"
    roles:
    - "<role>"

  access:
  - account: "<account_name>"
    roles:
    - "<role>"

support_contact: "support@somedomain.com"
approver_contact: "approver@somedomain.com"
locations:
  access_regions:
  - name: "PUBLIC.<snowflake_region>"
$$;

Copy

For a complete list of all fields and values for an organizational listing see Organization listing manifest reference. For additional examples, see Set who can discover and access an organizational listing.