Granting Privileges to Other Roles

Snowflake provides a set of privileges for the Snowflake Data Marketplace or a Data Exchange.

These privileges can be granted to other roles (system-defined or custom). Then, users with the role can perform certain tasks in the Snowflake Data Marketplace or a Data Exchange.

In this Topic:

Granting Administrator Privileges in a Data Exchange

By default, only an account administrator (i.e. user with the ACCOUNTADMIN role) in the Data Exchange administrator account can manage a Data Exchange which includes the following tasks:

  • Add/remove members

  • Approve/deny listing approval requests

  • Approve/deny provider profile approval requests

  • Show categories

To support delegating these tasks to other users, the IMPORTED PRIVILEGES privilege can be granted on a Data Exchange to other roles (system-defined or custom)

Granting the IMPORTED PRIVILEGES Privilege to Other Roles

To grant the IMPORTED PRIVILEGES privilege on a Data Exchange to a role, use the ACCOUNTADMIN role and the GRANT GRANT <privileges> … TO ROLE command.

Note

The WITH GRANT OPTION parameter does not support the IMPORTED PRIVILEGES privilege.

Syntax:

grant imported privileges on data exchange <exchange_name> to <role_name>;

Where:

  • <exchange_name> is the name of a Data Exchange.

  • <role_name> is the role to which the privilege is granted.

For example, grant imported privileges on the mydataexchange Data Exchange to the SYSADMIN role:

use role accountadmin;

grant imported privileges on data exchange mydataexchange to sysadmin;

Usage Notes

  • This privilege is granted at the Data Exchange level; therefore, it allows performing the administrative tasks only for the Data Exchange on which it has been granted.

  • Only an account administrator in the Data Exchange administrator account can grant the privilege to another role.

  • When a role has been granted IMPORTED PRIVILEGES on a database created from a share, subsequent calls to the SHOW GRANTS command list the privilege as USAGE and not IMPORTED PRIVILEGES.

  • This privilege is intended for a Data Exchange. In the Snowflake Data Marketplace, only Snowflake administrators can perform administrative tasks.

Granting Provider Privileges to Other Roles in the Snowflake Marketplace or a Data Exchange

Snowflake provides a set of account, provider profile, and listing level privileges for performing tasks available to data providers in the Snowflake Data Marketplace or a Data Exchange.

These privileges can be granted to other roles, enabling the tasks to be delegated to other users.

Privilege

Object Type

Can be Granted by

Description

Global CREATE DATA EXCHANGE LISTING Privilege (In this topic)

ACCOUNT

ACCOUNTADMIN

Grants ability to create a listing or provider profile.

CREATE SHARE Privilege (In this topic)

ACCOUNT

ACCOUNTADMIN

Grants ability to create a share.

IMPORT SHARE Privilege (In this topic)

ACCOUNT

ACCOUNTADMIN

Grants ability to view an inbound share shared with the account and create a database from the share.

MODIFY Privilege on a Listing (In this topic)

LISTING

Listing Owner

Grants ability to modify listing properties.

USAGE Privilege on a Listing (In this topic)

LISTING

Listing Owner

Grants ability to show (i.e. view) a listing.

OWNERSHIP Privilege on a Listing (In this topic)

LISTING

Listing Owner

Transfers listing OWNERSHIP.

MODIFY Privilege on a Provider Profile (In this topic)

PROVIDER PROFILE

Profile Owner

Grants ability to modify properties for a provider profile.

OWNERSHIP Privilege on a Provider Profile (In this topic)

PROVIDER PROFILE

Profile Owner

Transfers OWNERSHIP of a provider profile.

Account Level Privileges

Snowflake provides the following privileges for working with shares, data listings, and provider profiles at the account level in the Snowflake Data Marketplace or a Data Exchange:

Global CREATE DATA EXCHANGE LISTING Privilege

If the global CREATE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can create a listing or provider profile. As the creator and, therefore owner of the listing, the role can be used to perform all tasks on the listing, including:

  • Create listings

  • Modify listings properties

  • View listings

  • View incoming listing access requests

  • Reject listing requests

  • Submit listings for approval/publishing listings

  • Create and view provider profiles

If an account is a provider in more than one Data Exchange, a role with the global CREATE DATA EXCHANGE LISTING privilege can create listings in each of those Data Exchanges.

Note

  • A role that creates a listing becomes the owner of the listing. The OWNERSHIP privilege can be transferred using OWNERSHIP Privilege on a Listing to a different role by the owning role.

  • Only account administrators (users with the ACCOUNTADMIN role) can grant the global CREATE DATA EXCHANGE LISTING privilege to a role.

To grant the global CREATE DATA EXCHANGE LISTING privilege to a role in a Data Exchange, use the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command.

For example:

use role accountadmin;

-- grant the privilege to the SYSADMIN role
grant create data exchange listing on account to role sysadmin;

-- grant the privilege to the SYSADMIN role with grant option
grant create data exchange listing on account to sysadmin with grant option;

CREATE SHARE Privilege

If the CREATE SHARE privilege is granted to a role, any user with the role can create a share. As the creator and, therefore owner, of the share, the role can also be used to perform all tasks on the share, including:

  • Granting or revoking privileges on objects to/from the share.

  • Adding or removing consumer accounts to/from the share.

For more information, see CREATE SHARE Privilege.

IMPORT SHARE Privilege

If the IMPORT SHARE privilege is granted to a role, any user with the role can perform the following tasks:

  • View all INBOUND shares (shared by provider accounts) and create databases for the shares.

  • View all OUTBOUND shares owned by the role.

For more information, see IMPORT SHARE Privilege.

Listing Level Privileges

Snowflake provides the following privileges for data listings. These privileges can be granted by a listing owner (a user with the OWNERSHIP privilege) in the Snowflake Data Marketplace or a Data Exchange.

MODIFY Privilege on a Listing

If the MODIFY privilege on a listing is granted to a role, any user with the role can perform the following tasks for a listing:

  • Modify listings properties

  • View a listing

  • View incoming listing access requests

  • Submit listing for approval/publishing listings

  • Reject listing requests

Only the OWNER of the listing can grant this privilege. The MODIFY privilege can only be granted on a listing in the new Snowflake web interface.

To grant the MODIFY privilege on a listing in the Snowflake Data Marketplace:

  1. Log in to the new Snowflake web interface.

  2. Navigate to Data » Manage » Snowflake Data Marketplace » Listings.

  3. Click the listing title.

  4. In the listing details page, click the Settings tab.

  5. In the Privileges section, click the pencil icon next to the Modify Listing privilege.

  6. Click the Add Role button and add required roles.

  7. Click Save.

To grant the MODIFY privilege on a listing in a data exchange:

  1. Log in to the new Snowflake web interface.

  2. Navigate to Data » Shared Data » Shared By My Account.

  3. Click the listing title.

  4. In the listing details page, click the Settings tab.

  5. In the Privileges section, click the pencil icon next to the Modify Listing privilege.

  6. Click the Add Role button and add required roles.

  7. Click Save.

USAGE Privilege on a Listing

If the USAGE privilege on a listing is granted to a role, any user with the role can show (i.e. view) listings and incoming listing requests. Only the OWNER of the listing can grant this privilege.

Currently, the USAGE privilege can only be granted on a listing in the new Snowflake web interface.

To grant the USAGE privilege on a listing in the Snowflake Data Marketplace:

  1. Log in to the new Snowflake web interface.

  2. Navigate to Data » Manage » Snowflake Data Marketplace » Listings.

  3. Click the listing title.

  4. In the listing details page, click the Settings tab.

  5. In the Privileges section, click the pencil icon next to the View Listing privilege.

  6. Click the Add Role button and add required roles.

  7. Click Save.

To grant the USAGE privilege on a listing in a data exchange:

  1. Log in to the new Snowflake web interface.

  2. Navigate to Data » Shared Data » Shared By My Account.

  3. Click the listing title.

  4. In the listing details page, click the Settings tab.

  5. In the Privileges section, click the pencil icon next to the View Listing privilege.

  6. Click the Add Role button and add required roles.

  7. Click Save.

OWNERSHIP Privilege on a Listing

If the OWNERSHIP privilege on a listing is granted to a role, that role becomes the new OWNER of the listing. Only the OWNER of the listing can grant this privilege. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Access Control in Snowflake.

Important

When listing ownership is transferred, all existing grants get revoked. All roles that have been granted privileges immediately lose access to this listing, and their privileges are revoked. The new listing owner must re-grant these privileges.

Currently, the OWNERSHIP privilege can only be granted on a listing in the new Snowflake web interface.

To grant the OWNERSHIP privilege on a listing in the Snowflake Data Marketplace:

  1. Log in to the new Snowflake web interface.

  2. Navigate to Data » Manage » Snowflake Data Marketplace » Listings.

  3. Click the listing title.

  4. In the listing details page, click the Settings tab.

  5. In the Privileges section, click the pencil icon next to the OWNERSHIP privilege.

  6. Click the Add Role button and add required roles.

  7. Click Save.

To grant the OWNERSHIP privilege on a listing in a data exchange:

  1. Log in to the new Snowflake web interface.

  2. Navigate to Data » Shared Data » Shared By My Account.

  3. Click the listing title.

  4. In the listing details page, click the Settings tab.

  5. In the Privileges section, click the pencil icon next to the OWNERSHIP privilege.

  6. Click the Add Role button and add required roles.

  7. Click Save.

Provider Profile Level Privileges

Snowflake provides the following privileges for provider profiles. These privileges can be granted by a provider profile owner (a user with the OWNERSHIP privilege) in the Snowflake Data Marketplace or a Data Exchange:

Note

MODIFY Privilege on a Provider Profile

If the MODIFY privilege is granted to a role on a provider profile, any user with the role can view and modify provider profile properties. Only the OWNER of the provider profile can grant this privilege.

The MODIFY privilege can be granted through the web interface or using SQL:

Web Interface

In the new Snowflake web interface, click Data » Manage » Provider Profile » View » Manage » Manage Profile Editors.

SQL

Execute the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command.

For example:

-- grant the privilege to the SYSADMIN role
grant modify on data exchange profile "<provider_profile_name>" to role sysadmin;

OWNERSHIP Privilege on a Provider Profile

If the OWNERSHIP privilege on a provider profile is granted to a role, that role becomes the new OWNER of the profile. Only the OWNER of the provider profile can grant this privilege. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Access Control in Snowflake.

To grant the OWNERSHIP privilege on a provider profile to a role, use the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command. At this time, the privilege cannot be granted via the new Snowflake interface.

For example:

-- grant the privilege to the SYSADMIN role
grant ownership on data exchange profile "<provider_profile_name>" to role sysadmin;