Granting Privileges to Other Roles¶
Snowflake provides a set of privileges for the Snowflake Data Marketplace or a Data Exchange.
These privileges can be granted to other roles (system-defined or custom). Then, users with the role can perform certain tasks in the Snowflake Data Marketplace or a Data Exchange.
In this Topic:
Granting Administrator Privileges in a Data Exchange¶
By default, only an account administrator (i.e. user with the ACCOUNTADMIN role) in the Data Exchange administrator account can manage a Data Exchange which includes the following tasks:
Add/remove members
Approve/deny listing approval requests
Approve/deny provider profile approval requests
Show categories
To support delegating these tasks to other users, the IMPORTED PRIVILEGES privilege can be granted on a Data Exchange to other roles (system-defined or custom)
Granting the IMPORTED PRIVILEGES Privilege to Other Roles¶
To grant the IMPORTED PRIVILEGES privilege on a Data Exchange to a role, use the ACCOUNTADMIN role and the GRANT GRANT <privileges> … TO ROLE command.
Note
The WITH GRANT OPTION parameter does not support the IMPORTED PRIVILEGES privilege.
Syntax:
grant imported privileges on data exchange <exchange_name> to <role_name>;
Where:
<exchange_name>is the name of a Data Exchange.<role_name>is the role to which the privilege is granted.
For example, grant imported privileges on the mydataexchange Data Exchange to the SYSADMIN role:
use role accountadmin;
grant imported privileges on data exchange mydataexchange to sysadmin;
Usage Notes¶
This privilege is granted at the Data Exchange level; therefore, it allows performing the administrative tasks only for the Data Exchange on which it has been granted.
Only an account administrator in the Data Exchange administrator account can grant the privilege to another role.
When a role has been granted IMPORTED PRIVILEGES on a database created from a share, subsequent calls to the SHOW GRANTS command list the privilege as USAGE and not IMPORTED PRIVILEGES.
This privilege is intended for a Data Exchange. In the Snowflake Data Marketplace, only Snowflake administrators can perform administrative tasks.
Granting Provider Privileges to Other Roles in the Snowflake Marketplace or a Data Exchange¶
Snowflake provides a set of account, provider profile, and listing level privileges for performing tasks available to data providers in the Snowflake Data Marketplace or a Data Exchange.
These privileges can be granted to other roles, enabling the tasks to be delegated to other users.
Privilege |
Object Type |
Can be Granted by |
Description |
|---|---|---|---|
Global CREATE DATA EXCHANGE LISTING Privilege (In this topic) |
ACCOUNT |
ACCOUNTADMIN |
Grants ability to create a listing or provider profile. |
CREATE SHARE Privilege (In this topic) |
ACCOUNT |
ACCOUNTADMIN |
Grants ability to create a share. |
IMPORT SHARE Privilege (In this topic) |
ACCOUNT |
ACCOUNTADMIN |
Grants ability to view an inbound share shared with the account and create a database from the share. |
MODIFY Privilege on a Listing (In this topic) |
LISTING |
Listing Owner |
Grants ability to modify listing properties. |
USAGE Privilege on a Listing (In this topic) |
LISTING |
Listing Owner |
Grants ability to show (i.e. view) a listing. |
OWNERSHIP Privilege on a Listing (In this topic) |
LISTING |
Listing Owner |
Transfers listing OWNERSHIP. |
MODIFY Privilege on a Provider Profile (In this topic) |
PROVIDER PROFILE |
Profile Owner |
Grants ability to modify properties for a provider profile. |
OWNERSHIP Privilege on a Provider Profile (In this topic) |
PROVIDER PROFILE |
Profile Owner |
Transfers OWNERSHIP of a provider profile. |
Account Level Privileges¶
Snowflake provides the following privileges for working with shares, data listings, and provider profiles at the account level in the Snowflake Data Marketplace or a Data Exchange:
Global CREATE DATA EXCHANGE LISTING Privilege¶
If the global CREATE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can create a listing or provider profile. As the creator and, therefore owner of the listing, the role can be used to perform all tasks on the listing, including:
Create listings
Modify listings properties
View listings
View incoming listing access requests
Reject listing requests
Submit listings for approval/publishing listings
Create and view provider profiles
If an account is a provider in more than one Data Exchange, a role with the global CREATE DATA EXCHANGE LISTING privilege can create listings in each of those Data Exchanges.
Note
A role that creates a listing becomes the owner of the listing. The OWNERSHIP privilege can be transferred using OWNERSHIP Privilege on a Listing to a different role by the owning role.
Only account administrators (users with the ACCOUNTADMIN role) can grant the global CREATE DATA EXCHANGE LISTING privilege to a role.
To grant the global CREATE DATA EXCHANGE LISTING privilege to a role in a Data Exchange, use the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command.
For example:
use role accountadmin;
-- grant the privilege to the SYSADMIN role
grant create data exchange listing on account to role sysadmin;
-- grant the privilege to the SYSADMIN role with grant option
grant create data exchange listing on account to sysadmin with grant option;
Listing Level Privileges¶
Snowflake provides the following privileges for data listings. These privileges can be granted by a listing owner (a user with the OWNERSHIP privilege) in the Snowflake Data Marketplace or a Data Exchange:
MODIFY Privilege on a Listing¶
If the MODIFY privilege on a listing is granted to a role, any user with the role can perform the following tasks for a listing:
Modify listings properties
View a listing
View incoming listing access requests
Submit listing for approval/publishing listings
Reject listing requests
Only the OWNER of the listing can grant this privilege. Currently, the MODIFY privilege can only be granted on a listing in the new Snowflake web interface.
To grant the MODIFY privilege on a listing to a role:
Log in to the new Snowflake web interface as an ACCOUNTADMIN.
Navigate to Data » Manage » Listings » Privileges.
In the Modify Listing section, click Edit.
Add required roles.
USAGE Privilege on a Listing¶
If the USAGE privilege on a listing is granted to a role, any user with the role can show (i.e. view) listings and incoming listing requests. Only the OWNER of the listing can grant this privilege.
Currently, the USAGE privilege can only be granted on a listing in the new Snowflake web interface.
To grant the USAGE privilege on a listing to a role:
Log in to the new Snowflake web interface as an ACCOUNTADMIN.
Navigate to Data » Manage » Listings » Privileges.
In the View Listing section, click Edit.
Add required roles.
OWNERSHIP Privilege on a Listing¶
If the OWNERSHIP privilege on a listing is granted to a role, that role becomes the new OWNER of the listing. Only the OWNER of the listing can grant this privilege. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Access Control in Snowflake.
Important
When listing ownership is transferred, all existing grants get revoked. All roles that have been granted privileges immediately lose access to this listing, and their privileges are revoked. The new listing owner must re-grant these privileges.
Currently, the OWNERSHIP privilege can only be granted on a listing in the new Snowflake web interface.
To grant the OWNERSHIP privilege on a Data Exchange listing to a role:
Log in to the new Snowflake web interface as an ACCOUNTADMIN.
Navigate to Data » Manage » Listings » Privileges.
In the Ownership section, click Edit.
Add required roles.
Provider Profile Level Privileges¶
Snowflake provides the following privileges for provider profiles. These privileges can be granted by a provider profile owner (a user with the OWNERSHIP privilege) in the Snowflake Data Marketplace or a Data Exchange:
Note
To create a profile, use the Global CREATE DATA EXCHANGE LISTING Privilege global privilege (In this document).
Any role in the provider account can view all profiles. This privilege does not need to be explicitly granted.
MODIFY Privilege on a Provider Profile¶
If the MODIFY privilege is granted to a role on a provider profile, any user with the role can view and modify provider profile properties. Only the OWNER of the provider profile can grant this privilege.
The MODIFY privilege can be granted through the web interface or using SQL:
- Web Interface
In the new Snowflake web interface, click Data » Manage » Provider Profile » View » Manage » Manage Profile Editors.
- SQL
Execute the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command.
For example:
-- grant the privilege to the SYSADMIN role grant modify on data exchange profile "<provider_profile_name>" to role sysadmin;
OWNERSHIP Privilege on a Provider Profile¶
If the OWNERSHIP privilege on a provider profile is granted to a role, that role becomes the new OWNER of the profile. Only the OWNER of the provider profile can grant this privilege. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Access Control in Snowflake.
To grant the OWNERSHIP privilege on a provider profile to a role, use the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command. At this time, the privilege cannot be granted via the new Snowflake interface.
For example:
-- grant the privilege to the SYSADMIN role
grant ownership on data exchange profile "<provider_profile_name>" to role sysadmin;