Granting Privileges to Other Roles

Snowflake provides a set of privileges for Data Exchange/Data Marketplace which are granted to the ACCOUNTADMIN role by default.

These privileges can be granted to other roles (system-defined or custom). Then, users with the role can perform certain tasks in the Data Exchange/Data Marketplace.

Granting Data Exchange Administrator Privileges

By default, only an account administrator (i.e. user with the ACCOUNTADMIN role) in the Data Exchange administrator account can manage a Data Exchange/Data Marketplace, which includes the following tasks:

  • Add/remove members

  • Approve/deny listing approval requests

  • Approve/deny provider profile approval requests

  • Show categories

To support delegating these tasks to other users, the IMPORTED PRIVILEGES privilege can be granted on a Data Exchange to other roles (system-defined or custom).

Granting the IMPORTED PRIVILEGES Privilege on a Data Exchange to Another Role

To grant the IMPORTED PRIVILEGES privilege on a Data Exchange to a role, use the ACCOUNTADMIN role and the GRANT <privileges> … TO ROLE command.

Syntax:

grant imported privileges on data exchange <exchange_name> to <role_name>;

Where:

  • <exchange_name> is the name of the Data Exchange.

  • <role_name> is the role to which the privilege is granted.

For example, grant imported privileges on the mydataexchange Data Exchange to the SYSADMIN role:

use role accountadmin;

grant imported privileges on data exchange mydataexchange to sysadmin;

Usage Notes

  • This privilege is granted at the Data Exchange level; therefore, it allows performing the administrative tasks only for the Data Exchange on which it has been granted.

  • Only an account administrator in the Data Exchange administrator account can grant the privilege to another role.

  • Only Snowflake can perform administrative tasks in the Snowflake Data Marketplace.

Granting Provider Privileges to Other Roles

Snowflake provides a set of account-level and listing-level privileges for performing tasks related to listings.

By default, these privileges are granted only to the ACCOUNTADMIN role in the provider account in Data Exchange/Data Marketplace, ensuring that only account administrators can perform these tasks. However, the privileges can be granted to other roles, enabling the tasks to be delegated to other users in the Data Exchange/Data Marketplace.

| Privilege | Object Type | Description |
|---|---|---|
| Global CREATE DATA EXCHANGE LISTING Privilege | ACCOUNT | Grants ability to create a listing or provider profile. |
| MODIFY Privilege on a Data Exchange Listing | LISTING | Grants ability to modify listing properties. |
| USAGE Privilege on a Data Exchange Listing | LISTING | Grants ability to show (i.e. view) a listing. |
| OWNERSHIP Privilege on a Data Exchange Listing | LISTING | Transfers listing OWNERSHIP. |
| CREATE SHARE Privilege | ACCOUNT | Grants ability to create a share. |

Global CREATE DATA EXCHANGE LISTING Privilege

If the global CREATE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can create a listing or provider profile. As the creator, and therefore the owner, of the listing, the role can also be used to perform all tasks on the listing, including:

  • Create listings

  • Modify listing properties

  • View listings

  • View incoming listing access requests

  • Reject listing requests

  • Submit listings for approval/publish listings

  • Create and view provider profiles

The global CREATE DATA EXCHANGE LISTING privilege extends across all Data Exchanges this account is part of. A role with this privilege can create listings in any Data Exchange/Data Marketplace in which the account is a provider.

The owning role can transfer the OWNERSHIP privilege on a listing to a different role, as described in OWNERSHIP Privilege on a Data Exchange Listing.

Note

  • A role owns (i.e. has the OWNERSHIP privilege on) the Data Exchange listings it creates.

  • Only account administrators (users with the ACCOUNTADMIN role) can grant the global CREATE DATA EXCHANGE LISTING privilege to a role.

To grant the global CREATE DATA EXCHANGE LISTING privilege to a role in a Data Exchange, use the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command.

For example:

use role accountadmin;

-- grant the privilege to the SYSADMIN role
grant create data exchange listing on account to role sysadmin;

-- grant the privilege to the SYSADMIN role with grant option
grant create data exchange listing on account to sysadmin with grant option;
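
A least-privilege variant of the grants above, followed by an audit of who holds the global privilege. This is an added example, not part of the Snowflake documentation; the role `listing_publisher` and the user `provider_analyst` are hypothetical names. Because the privilege spans every Data Exchange the account belongs to, the audit shows which roles can also re-grant it.

```sql
-- Added example: role and user names below are hypothetical.
use role accountadmin;

-- 1. Delegate listing creation to a dedicated role, without grant option,
--    so the role cannot pass the privilege on to other roles.
create role if not exists listing_publisher;            -- hypothetical role
grant create data exchange listing on account to role listing_publisher;
grant role listing_publisher to user provider_analyst;  -- hypothetical user

-- 2. Audit: list every role holding the global privilege and whether it
--    may re-grant it. SHOW GRANTS output is read back through RESULT_SCAN,
--    so the SELECT must run immediately after the SHOW command.
show grants on account;

select "grantee_name", "grant_option", "granted_by", "created_on"
from table(result_scan(last_query_id()))
where "privilege" = 'CREATE DATA EXCHANGE LISTING'
order by "grantee_name";

-- 3. Tighten: keep SYSADMIN's privilege from the example above but remove
--    its ability to re-grant it. With the default RESTRICT behaviour the
--    statement fails if SYSADMIN has already re-granted the privilege.
revoke grant option for create data exchange listing on account from role sysadmin;

-- ... or remove the privilege from SYSADMIN entirely.
revoke create data exchange listing on account from role sysadmin;
```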

MODIFY Privilege on a Data Exchange Listing

If the MODIFY privilege is granted on a Data Exchange listing to a role, any user with the role can perform the following tasks:

  • Modify listing properties

  • View a listing

  • View incoming listing access requests

  • Submit listings for approval/publish listings

  • Reject listing requests

Only the OWNER of the listing can grant this privilege.

To grant the MODIFY privilege on a Data Exchange listing to a role:

Note

Currently, the MODIFY privilege can only be granted on a Data Exchange listing in the new Snowflake web interface.

  1. Log in to the new Snowflake web interface as an ACCOUNTADMIN.

  2. Navigate to Data » Manage » Listings » Privileges.

  3. In the Modify Listing section, click Edit.

  4. Add required roles.

USAGE Privilege on a Data Exchange Listing

If the USAGE privilege is granted on a Data Exchange listing to a role, any user with the role can show (i.e. view) listings and incoming listing requests in the Data Exchange/Data Marketplace. Only the OWNER of the listing can grant this privilege.

To grant the USAGE privilege on a Data Exchange listing to a role:

Note

Currently, the USAGE privilege can only be granted on a Data Exchange listing in the new Snowflake web interface.

  1. Log in to the new Snowflake web interface as an ACCOUNTADMIN.

  2. Navigate to Data » Manage » Listings » Privileges.

  3. In the View Listing section, click Edit.

  4. Add required roles.

OWNERSHIP Privilege on a Data Exchange Listing

If the OWNERSHIP privilege on a Data Exchange listing is granted to a role, that role becomes the new OWNER of the listing. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Access Control in Snowflake.

Important

When listing ownership is transferred, all existing grants get revoked. All roles that have been granted privileges immediately lose access to this listing, and their privileges are revoked. The new listing owner must re-grant these privileges.

To grant the OWNERSHIP privilege on a Data Exchange listing to a role:

Note

Currently, the OWNERSHIP privilege can only be granted on a Data Exchange listing in the new Snowflake web interface.

  1. Log in to the new Snowflake web interface as an ACCOUNTADMIN.

  2. Navigate to Data » Manage » Listings » Privileges.

  3. In the Ownership section, click Edit.

  4. Add required roles.