Granting Privileges to Other Roles

Snowflake provides a set of privileges for the Snowflake Marketplace or a Data Exchange.

These privileges can be granted to other roles (system-defined or custom). Then, users with the role can perform certain tasks in the Snowflake Marketplace or a Data Exchange.

Granting Administrator Privileges in a Data Exchange

By default, only an account administrator (i.e. user with the ACCOUNTADMIN role) in the Data Exchange administrator account can manage a Data Exchange which includes the following tasks:

  • Add/remove members

  • Approve/deny listing approval requests

  • Approve/deny provider profile approval requests

  • Show categories

To support delegating these tasks to other users, the IMPORTED PRIVILEGES privilege can be granted on a Data Exchange to other roles (system-defined or custom)

Granting the IMPORTED PRIVILEGES Privilege to Other Roles

To grant the IMPORTED PRIVILEGES privilege on a Data Exchange to a role, use the ACCOUNTADMIN role and the GRANT GRANT <privileges> command.

Note

The WITH GRANT OPTION parameter does not support the IMPORTED PRIVILEGES privilege.

Syntax:

grant imported privileges on data exchange <exchange_name> to <role_name>;
Copy

Where:

  • <exchange_name> is the name of a Data Exchange.

  • <role_name> is the role to which the privilege is granted.

For example, grant imported privileges on the mydataexchange Data Exchange to the SYSADMIN role:

use role accountadmin;

grant imported privileges on data exchange mydataexchange to sysadmin;
Copy

Usage Notes

  • This privilege is granted at the Data Exchange level; therefore, it allows performing the administrative tasks only for the Data Exchange on which it has been granted.

  • Only an account administrator in the Data Exchange administrator account can grant the privilege to another role.

  • When a role has been granted IMPORTED PRIVILEGES on a database created from a share, subsequent calls to the SHOW GRANTS command list the privilege as USAGE and not IMPORTED PRIVILEGES.

  • This privilege is intended for a Data Exchange. In the Snowflake Marketplace, only Snowflake administrators can perform administrative tasks.

Granting Provider Privileges to Other Roles in the Snowflake Marketplace or a Data Exchange

Snowflake provides a set of account, provider profile, and listing level privileges for performing tasks available to data providers in the Snowflake Marketplace or a Data Exchange.

These privileges can be granted to other roles, enabling the tasks to be delegated to other users.

Privilege

Object Type

Can be Granted by

Description

Global CREATE DATA EXCHANGE LISTING Privilege (In this topic)

ACCOUNT

ACCOUNTADMIN

Grants the ability to create a listing or provider profile.

CREATE SHARE Privilege (In this topic)

ACCOUNT

ACCOUNTADMIN

Grants the ability to create a share.

IMPORT SHARE Privilege (In this topic)

ACCOUNT

ACCOUNTADMIN

Grants the ability to view an inbound share shared with the account and create a database from the share.

MODIFY Privilege on a Listing (In this topic)

LISTING

Listing Owner

Grants the ability to modify listing properties.

USAGE Privilege on a Listing (In this topic)

LISTING

Listing Owner

Grants the ability to show (i.e. view) a listing.

OWNERSHIP Privilege on a Listing (In this topic)

LISTING

Listing Owner

Transfers listing OWNERSHIP.

MODIFY Privilege on a Provider Profile (In this topic)

PROVIDER PROFILE

Profile Owner

Grants the ability to modify properties for a provider profile.

OWNERSHIP Privilege on a Provider Profile (In this topic)

PROVIDER PROFILE

Profile Owner

Transfers OWNERSHIP of a provider profile.

Account Level Privileges

Snowflake provides the following privileges for working with shares, data listings, and provider profiles at the account level in the Snowflake Marketplace or a Data Exchange:

Global CREATE DATA EXCHANGE LISTING Privilege

If the global CREATE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can create a listing or provider profile. As the creator and, therefore owner of the listing, the role can be used to perform all tasks on the listing, including:

  • Create listings

  • Modify listings properties

  • View listings

  • View incoming listing access requests

  • Reject listing requests

  • Submit listings for approval/publishing listings

  • Create and view provider profiles

If an account is a provider in more than one Data Exchange, a role with the global CREATE DATA EXCHANGE LISTING privilege can create listings in each of those Data Exchanges.

Note

  • A role that creates a listing becomes the owner of the listing. The OWNERSHIP privilege can be transferred using OWNERSHIP Privilege on a Listing to a different role by the owning role.

  • Only account administrators (users with the ACCOUNTADMIN role) can grant the global CREATE DATA EXCHANGE LISTING privilege to a role.

To grant the global CREATE DATA EXCHANGE LISTING privilege to a role in a Data Exchange, use the GRANT <privileges> [WITH GRANT OPTION] command.

For example:

use role accountadmin;

-- grant the privilege to the SYSADMIN role
grant create data exchange listing on account to role sysadmin;

-- grant the privilege to the SYSADMIN role with grant option
grant create data exchange listing on account to sysadmin with grant option;
Copy

CREATE SHARE Privilege

If the CREATE SHARE privilege is granted to a role, any user with the role can create a share. As the creator and, therefore owner, of the share, the role can also be used to perform all tasks on the share, including:

  • Granting or revoking privileges on objects to/from the share.

  • Adding or removing consumer accounts to/from the share.

For more information, see Enabling non-ACCOUNTADMIN Roles to Perform Data Sharing Tasks.

IMPORT SHARE Privilege

If the IMPORT SHARE privilege is granted to a role, any user with the role can perform the following tasks:

  • View all INBOUND shares (shared by provider accounts) and create databases for the shares.

  • View all OUTBOUND shares owned by the role.

For more information, see Enabling non-ACCOUNTADMIN Roles to Perform Data Sharing Tasks.

Listing Level Privileges

Snowflake provides the following privileges for data listings. These privileges can be granted by a listing owner (a user with the OWNERSHIP privilege) in the Snowflake Marketplace or a Data Exchange.

MODIFY Privilege on a Listing

If the MODIFY privilege on a listing is granted to a role, any user with the role can perform the following tasks for a listing:

  • Modify listings properties

  • View a listing

  • View incoming listing access requests

  • Submit listing for approval/publishing listings

  • Reject listing requests

Only the OWNER of the listing can grant this privilege. The MODIFY privilege can only be granted on a listing in Snowsight, the Snowflake web interface.

To grant the MODIFY privilege on a listing in the Snowflake Marketplace:

  1. Log in to Snowsight.

  2. Navigate to Data » Provider Studio.

  3. Select the Listings tab.

  4. Click anywhere in the row containing the listing to modify.

  5. In the listing details page, select the Settings tab.

  6. In the Privileges section, click the pencil icon next to the Modify Listing privilege.

  7. Click the Add Role button and add required roles.

  8. Click Save.

To grant the MODIFY privilege on a listing in a data exchange:

  1. Log in to Snowsight.

  2. Navigate to Data » Private Sharing.

  3. Selec the Shared By My Account tab.

  4. Click anywhere in the row containing the listing to modify.

  5. In the listing details page, select the Settings tab.

  6. In the Privileges section, click the pencil icon next to the Modify Listing privilege.

  7. Click the Add Role button and add required roles.

  8. Click Save.

USAGE Privilege on a Listing

If the USAGE privilege on a listing is granted to a role, any user with the role can show (i.e. view) listings and incoming listing requests. Only the OWNER of the listing can grant this privilege.

To grant the USAGE privilege on a listing in the Snowflake Marketplace:

  1. Log in to Snowsight.

  2. Navigate to Data » Provider Studio.

  3. Select the Listings tab.

  4. Click anywhere in the row containing the listing to modify.

  5. In the listing details page, select the Settings tab.

  6. In the Privileges section, click the pencil icon next to the View Listing privilege.

  7. Click the Add Role button and add required roles.

  8. Click Save.

To grant the USAGE privilege on a listing in a data exchange:

  1. Log in to Snowsight.

  2. Navigate to Data » Private Sharing.

  3. Select the Shared By My Account tab.

  4. Click anywhere in the row containing the listing to modify.

  5. In the listing details page, select the Settings tab.

  6. In the Privileges section, click the pencil icon next to the View Listing privilege.

  7. Click the Add Role button and add required roles.

  8. Click Save.

OWNERSHIP Privilege on a Listing

If the OWNERSHIP privilege on a listing is granted to a role, that role becomes the new OWNER of the listing. Only the OWNER of the listing can grant this privilege. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Overview of Access Control.

Important

When listing ownership is transferred, all existing grants get revoked. All roles that have been granted privileges immediately lose access to this listing, and their privileges are revoked. The new listing owner must re-grant these privileges.

To grant the OWNERSHIP privilege on a listing in the Snowflake Marketplace:

  1. Log in to Snowsight.

  2. Navigate to Data » Provider Studio.

  3. Select the Listings tab.

  4. Click anywhere in the row containing the listing to modify.

  5. In the listing details page, select the Settings tab.

  6. In the Privileges section, click the pencil icon next to the OWNERSHIP privilege.

  7. Click the Add Role button and add required roles.

  8. Click Save.

To grant the OWNERSHIP privilege on a listing in a data exchange:

  1. Log in to Snowsight.

  2. Navigate to Data » Private Sharing.

  3. Select the Shared By My Account tab.

  4. Click anywhere in the row containing the listing to modify.

  5. In the listing details page, click the Settings tab.

  6. In the Privileges section, click the pencil icon next to the OWNERSHIP privilege.

  7. Click the Add Role button and add required roles.

  8. Click Save.

Provider Profile Level Privileges

Snowflake provides the following privileges for provider profiles. These privileges can be granted by a provider profile owner (a user with the OWNERSHIP privilege) in the Snowflake Marketplace or a Data Exchange:

Note

MODIFY Privilege on a Provider Profile

If the MODIFY privilege is granted to a role on a provider profile, any user with the role can view and modify provider profile properties. Only the OWNER of the provider profile can grant this privilege.

The MODIFY privilege can be granted through the web interface or using SQL:

Snowsight

Click Data » Private Sharing » Manage Exchanges » Select an Exchange » Select a Provider Profile » Manage » Manage Profile Editors.

SQL

Execute the GRANT <privileges> [WITH GRANT OPTION] command.

For example:

-- grant the privilege to the SYSADMIN role
grant modify on data exchange profile "<provider_profile_name>" to role sysadmin;
Copy

OWNERSHIP Privilege on a Provider Profile

If the OWNERSHIP privilege on a provider profile is granted to a role, that role becomes the new OWNER of the profile. Only the OWNER of the provider profile can grant this privilege. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Overview of Access Control.

To grant the OWNERSHIP privilege on a provider profile to a role, use the GRANT <privileges> [WITH GRANT OPTION] command. At this time, the privilege cannot be granted via the new Snowflake interface.

For example:

-- grant the privilege to the SYSADMIN role
grant ownership on data exchange profile "<provider_profile_name>" to role sysadmin;
Copy