Data Exchange/Data Marketplace Privileges

Snowflake provides a set of privileges for Data Exchange/Data Marketplace which are granted to the ACCOUNTADMIN role by default.

These privileges can be granted to other roles (system-defined or custom). Then, users with the role can perform certain tasks in the Data Exchange/Data Marketplace.

Granting Admin Privileges to Other Roles

By default, only the ACCOUNTADMIN role in the Data Exchange/Data Marketplace Admin account can manage a Data Exchange/Data Marketplace, which includes the following tasks:

  • Add/remove members

  • Approve/deny listing approval requests

  • Approve/deny provider profile approval requests

  • Show categories

To support delegating these tasks to other users, the IMPORTED PRIVILEGES ON DATA EXCHANGE privilege can be granted to other roles (system-defined or custom).

Granting the IMPORTED PRIVILEGES ON DATA EXCHANGE Privilege to Another Role

To grant IMPORTED PRIVILEGES ON DATA EXCHANGE to a role in a Data Exchange/Data Marketplace, use the ACCOUNTADMIN role and the GRANT <privileges> … TO ROLE command.

Syntax:

grant imported privileges on data exchange <exchange_name> to <role_name>;

Where:

<exchange_name> is the name of the Snowflake Data Marketplace or Data Exchange.

<role_name> is the role to which the privilege is granted.

For example:

use role accountadmin;

-- grant the privilege to the SYSADMIN role
grant imported privileges on data exchange my_data_exchange to sysadmin;

Considerations

  • This privilege is granted at the Data Exchange/Data Marketplace level; therefore, it allows performing the administrative tasks only for the Data Exchange or Data Marketplace on which it has been granted.

  • Only the Data Exchange/Data Marketplace Admin account (with the ACCOUNTADMIN role) can grant the privilege to another role.

Granting Provider Privileges to Other Roles

Snowflake provides a set of account-level and listing-level privileges for performing tasks related to listings.

By default, these privileges are granted only to the ACCOUNTADMIN role in the provider account in Data Exchange/Data Marketplace, ensuring that only account administrators can perform these tasks. However, the privileges can be granted to other roles, enabling the tasks to be delegated to other users in the Data Exchange/Data Marketplace.

| Privilege | Object Type | Description |
|---|---|---|
| CREATE DATA EXCHANGE LISTING ON ACCOUNT Privilege | ACCOUNT | Grants ability to create a listing or provider profile. |
| MODIFY ON DATA EXCHANGE LISTING Privilege | LISTING | Grants ability to modify listing properties. |
| USAGE ON DATA EXCHANGE LISTING Privilege | LISTING | Grants ability to show (i.e. view) a listing. |
| OWNERSHIP ON DATA EXCHANGE LISTING Privilege | LISTING | Transfers listing OWNERSHIP. |
| CREATE SHARE Privilege | SHARE | Grants ability to create a share. |

CREATE DATA EXCHANGE LISTING ON ACCOUNT Privilege

If the CREATE DATA EXCHANGE LISTING ON ACCOUNT privilege is granted to a role, any user with the role can create a listing or provider profile. As the creator, and therefore owner, of the listing, the role can also be used to perform all tasks on the listing, including:

  • Create listings

  • Modify listing properties

  • View listings

  • View incoming listing access requests

  • Reject listing requests

  • Submit listings for approval/publish listings

  • Create and view provider profiles

The CREATE DATA EXCHANGE LISTING ON ACCOUNT privilege extends across all Data Exchanges this account is part of. A role with this privilege can create listings in any Data Exchange/Data Marketplace in which the account is a provider.

The owning role can transfer the OWNERSHIP privilege to a different role using the OWNERSHIP ON DATA EXCHANGE LISTING privilege.

Note

A role has OWNERSHIP on the listings it creates. If the CREATE DATA EXCHANGE LISTING ON ACCOUNT privilege is granted to more than one role, each role does not own listings created by the other roles.

To grant CREATE DATA EXCHANGE LISTING ON ACCOUNT to a role in a Data Exchange/Data Marketplace, use the ACCOUNTADMIN role and the GRANT <privileges> … TO ROLE [WITH GRANT OPTION] command.

For example:

use role accountadmin;

-- grant the privilege to the SYSADMIN role
grant create data exchange listing on account to role sysadmin;

-- grant the privilege to the SYSADMIN role with grant option
grant create data exchange listing on account to sysadmin with grant option;
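
A least-privilege variant of the two grants shown above, added here as an example and not taken from Snowflake's documentation: it delegates each duty to its own custom role and then audits who holds the account-wide listing privilege. The role names exchange_admin and listing_publisher, the users alice and bob, and the exchange name my_data_exchange are hypothetical, and the privilege filter in the audit query is an assumption about how SHOW GRANTS labels the privilege.

```sql
-- Added example: all role, user and exchange names are hypothetical placeholders.
use role accountadmin;

-- One custom role per duty, so neither task rides on SYSADMIN.
create role if not exists exchange_admin;     -- members and approval requests
create role if not exists listing_publisher;  -- listings and provider profiles

-- Exchange-level privilege: applies only to the exchange named here.
grant imported privileges on data exchange my_data_exchange to exchange_admin;

-- Account-level privilege: applies in every exchange where this account is a
-- provider. Granted without WITH GRANT OPTION so that re-delegation stays
-- with ACCOUNTADMIN.
grant create data exchange listing on account to role listing_publisher;

grant role exchange_admin to user alice;
grant role listing_publisher to user bob;

-- Review what the exchange admin role now holds.
show grants to role exchange_admin;

-- Audit: every role holding the listing-creation privilege, and whether it
-- can pass the privilege on (grant_option = 'true').
show grants on account;
select "grantee_name", "privilege", "grant_option", "granted_by", "created_on"
from table(result_scan(last_query_id()))
where "privilege" ilike '%DATA EXCHANGE LISTING%'   -- assumed label, see lead-in
order by "grant_option" desc, "grantee_name";

-- Run only if the audit shows SYSADMIN with grant_option = 'true' (as the
-- WITH GRANT OPTION example above would leave it): remove the ability to
-- re-grant while keeping the privilege itself.
revoke grant option for create data exchange listing on account from role sysadmin;
```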

MODIFY ON DATA EXCHANGE LISTING Privilege

If the MODIFY ON DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can perform the following tasks:

  • Modify listing properties

  • View a listing

  • View incoming listing access requests

  • Submit a listing for approval/publish listings

  • Reject listing requests

Only the OWNER of the listing can grant this privilege.

To grant MODIFY ON DATA EXCHANGE LISTING to a role in Data Exchange/Data Marketplace:

Note

At this time, granting the MODIFY ON DATA EXCHANGE LISTING privilege cannot be done using SQL.

  1. Log in to the new Snowflake web interface as an ACCOUNTADMIN.

  2. Navigate to Data » Manage » Listings » Privileges.

  3. In the Modify Listing section, click Edit.

  4. Add required roles.

USAGE ON DATA EXCHANGE LISTING Privilege

If the USAGE ON DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can show (i.e. view) listings and incoming listing requests in the Data Exchange/Data Marketplace. Only the OWNER of the listing can grant this privilege.

To grant USAGE ON DATA EXCHANGE LISTING to a role:

Note

At this time, granting the USAGE ON DATA EXCHANGE LISTING privilege cannot be done using SQL.

  1. Log in to the new Snowflake web interface as an ACCOUNTADMIN.

  2. Navigate to Data » Manage » Listings » Privileges.

  3. In the View Listing section, click Edit.

  4. Add required roles.

OWNERSHIP ON DATA EXCHANGE LISTING Privilege

If the OWNERSHIP ON THE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role becomes the OWNER of the listing. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Access Control in Snowflake.

Important

When listing ownership is transferred, all existing grants get revoked. All roles that have been granted privileges immediately lose access to this listing, and their privileges are revoked. The new listing owner must re-grant these privileges.

To grant OWNERSHIP ON THE DATA EXCHANGE LISTING to a role:

Note

At this time, granting the OWNERSHIP ON THE DATA EXCHANGE LISTING privilege cannot be done using SQL.

  1. Log in to the new Snowflake web interface as an ACCOUNTADMIN.

  2. Navigate to Data » Manage » Listings » Privileges.

  3. In the Ownership section, click Edit.

  4. Add required roles.