Granting Privileges to Other Roles
Snowflake provides a set of privileges for Data Exchange/Data Marketplace which are granted to the ACCOUNTADMIN role by default.
These privileges can be granted to other roles (system-defined or custom). Then, users with the role can perform certain tasks in the Data Exchange/Data Marketplace.
Granting Data Exchange Administrator Privileges
By default, only an account administrator (i.e. a user with the ACCOUNTADMIN role) in the Data Exchange administrator account can manage a Data Exchange/Data Marketplace, which includes the following tasks:
Add/remove members
Approve/deny listing approval requests
Approve/deny provider profile approval requests
Show categories
To support delegating these tasks to other users, the IMPORTED PRIVILEGES privilege can be granted on a Data Exchange to other roles (system-defined or custom).
Granting the IMPORTED PRIVILEGES Privilege on a Data Exchange to Another Role
To grant the IMPORTED PRIVILEGES privilege on a Data Exchange to a role, use the ACCOUNTADMIN role and the GRANT <privileges> … TO ROLE command.
Syntax:
grant imported privileges on data exchange <exchange_name> to <role_name>;
Where:
<exchange_name> is the name of the Data Exchange.
<role_name> is the role to which the privilege is granted.
For example, grant imported privileges on the mydataexchange Data Exchange to the SYSADMIN role:
use role accountadmin;
grant imported privileges on data exchange mydataexchange to sysadmin;
Usage Notes
This privilege is granted at the Data Exchange level; therefore, it allows performing the administrative tasks only for the Data Exchange on which it has been granted.
Only an account administrator in the Data Exchange administrator account can grant the privilege to another role.
Only Snowflake can perform administrative tasks in the Snowflake Data Marketplace.
Granting Provider Privileges to Other Roles
Snowflake provides a set of account-level or listing-level privileges for performing tasks related to listings.
By default, these privileges are granted only to the ACCOUNTADMIN role in the provider account in Data Exchange/Data Marketplace, ensuring that only account administrators can perform these tasks. However, the privileges can be granted to other roles, enabling the tasks to be delegated to other users in the Data Exchange/Data Marketplace.
| Privilege | Object Type | Description |
|---|---|---|
| Global CREATE DATA EXCHANGE LISTING Privilege | ACCOUNT | Grants ability to create a listing or provider profile. |
| MODIFY Privilege on a Data Exchange Listing | LISTING | Grants ability to modify listing properties. |
| USAGE Privilege on a Data Exchange Listing | LISTING | Grants ability to show (i.e. view) a listing. |
| OWNERSHIP Privilege on a Data Exchange Listing | LISTING | Transfers listing OWNERSHIP. |
| | ACCOUNT | Grants ability to create a share. |
Global CREATE DATA EXCHANGE LISTING Privilege
If the global CREATE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can create a listing or provider profile. As the creator, and therefore the owner, of the listing, the role can also be used to perform all tasks on the listing, including:
Create listings
Modify listing properties
View listings
View incoming listing access requests
Reject listing requests
Submit listings for approval/publish listings
Create and view provider profiles
The global CREATE DATA EXCHANGE LISTING privilege extends across all Data Exchanges this account is part of. A role with this privilege can create listings in any Data Exchange/Data Marketplace in which the account is a provider.
The owning role can transfer the OWNERSHIP privilege to a different role; see OWNERSHIP Privilege on a Data Exchange Listing.
Note
A role owns (i.e. has the OWNERSHIP privilege on) the Data Exchange listings it creates.
Only account administrators (users with the ACCOUNTADMIN role) can grant the global CREATE DATA EXCHANGE LISTING privilege to a role.
To grant the global CREATE DATA EXCHANGE LISTING privilege to a role in a Data Exchange, use the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command.
For example:
use role accountadmin;
-- grant the privilege to the SYSADMIN role
grant create data exchange listing on account to role sysadmin;
-- grant the privilege to the SYSADMIN role with grant option
grant create data exchange listing on account to sysadmin with grant option;
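The global privilege covers every Data Exchange in which the account is a provider, so a narrower delegation than SYSADMIN is often preferable. The following is an added example, not part of the Snowflake documentation: it delegates both privileges described so far to dedicated custom roles without the grant option, then audits who holds the global privilege. The role names exchange_admin and listing_publisher and the user jdoe are hypothetical, and the privilege string in the filter is assumed to match what SHOW GRANTS reports.

```sql
use role accountadmin;

-- Hypothetical dedicated roles, so delegation is not tied to SYSADMIN.
create role if not exists exchange_admin;
create role if not exists listing_publisher;

-- Exchange administration, scoped to the one Data Exchange named on this page.
grant imported privileges on data exchange mydataexchange to exchange_admin;

-- Listing creation. No WITH GRANT OPTION, so the role cannot re-grant it.
grant create data exchange listing on account to role listing_publisher;

-- Hypothetical user who will publish listings.
grant role listing_publisher to user jdoe;

-- Audit 1: everything the exchange administration role has been granted.
show grants to role exchange_admin;

-- Audit 2: every role holding the global listing privilege.
show grants on account;

select "grantee_name", "grant_option", "granted_by", "created_on"
from table(result_scan(last_query_id()))
where "privilege" = 'CREATE DATA EXCHANGE LISTING'  -- assumed SHOW GRANTS spelling
order by "grantee_name";

-- Rows with grant_option = true are roles that can pass the privilege on.
-- To withdraw the delegation later:
-- revoke create data exchange listing on account from role listing_publisher;
```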
MODIFY Privilege on a Data Exchange Listing
If the MODIFY privilege is granted on a Data Exchange listing to a role, any user with the role can perform the following tasks:
Modify listing properties
View a listing
View incoming listing access requests
Submit listings for approval/publish listings
Reject listing requests
Only the OWNER of the listing can grant this privilege.
To grant the MODIFY privilege on a Data Exchange listing to a role:
Note
Currently, the MODIFY privilege can only be granted on a Data Exchange listing in the new Snowflake web interface.
Log in to the new Snowflake web interface as an ACCOUNTADMIN.
Navigate to Data » Manage » Listings » Privileges.
In the Modify Listing section, click Edit.
Add required roles.
USAGE Privilege on a Data Exchange Listing
If the USAGE privilege is granted on a Data Exchange listing to a role, any user with the role can show (i.e. view) listings and incoming listing requests in the Data Exchange/Data Marketplace. Only the OWNER of the listing can grant this privilege.
To grant the USAGE privilege on a Data Exchange listing to a role:
Note
Currently, the USAGE privilege can only be granted on a Data Exchange listing in the new Snowflake web interface.
Log in to the new Snowflake web interface as an ACCOUNTADMIN.
Navigate to Data » Manage » Listings » Privileges.
In the View Listing section, click Edit.
Add required roles.
OWNERSHIP Privilege on a Data Exchange Listing
If the OWNERSHIP privilege on a Data Exchange listing is granted to a role, that role becomes the new OWNER of the listing. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Access Control in Snowflake.
Important
When listing ownership is transferred, all existing grants get revoked. All roles that have been granted privileges immediately lose access to this listing, and their privileges are revoked. The new listing owner must re-grant these privileges.
To grant the OWNERSHIP privilege on a Data Exchange listing to a role:
Note
Currently, the OWNERSHIP privilege can only be granted on a Data Exchange listing in the new Snowflake web interface.
Log in to the new Snowflake web interface as an ACCOUNTADMIN.
Navigate to Data » Manage » Listings » Privileges.
In the Ownership section, click Edit.
Add required roles.