Access control privileges

This topic describes the privileges that are available in the Snowflake access control model. Privileges are granted to roles, and roles are granted to users, to specify the operations that the users can perform on objects in the system.

All privileges (alphabetical)

The following privileges are available in the Snowflake access control model. The meaning of each privilege varies depending on the object type to which it is applied, and not all objects support all privileges:

Privilege

Object Type

Description

ALL [ PRIVILEGES ]

All

Grants all the privileges for the specified object type.

APPLY AGGREGATION POLICY

Global

Grants the ability to add and drop an aggregation policy on a table or view.

APPLYBUDGET

Database, Schema, Table, hybrid table, Iceberg table, Warehouse, Task, Pipe, Materialized View

Grants the ability to add or remove an object to or from a budget.

APPLY AUTHENTICATION POLICY

Global

Grants the ability to add or drop an authentication policy on the Snowflake account or a user in the Snowflake account.

APPLY MASKING POLICY

Global

Grants the ability to set a Column-level Security masking policy on a table or view column and to set a masking policy on a tag. This global privilege also allows executing the DESCRIBE operation on tables and views.

APPLY PACKAGES POLICY

Global

Grants the ability to add or drop a packages policy on the Snowflake account.

APPLY PASSWORD POLICY

Global

Grants the ability to add or drop a password policy on the Snowflake account or a user in the Snowflake account.

APPLY PROJECTION POLICY

Global

Grants the ability to add and drop a projection policy on a table or view.

APPLY ROW ACCESS POLICY

Global

Grants the ability to add and drop a row access policy on a table or view. This global privilege also allows executing the DESCRIBE operation on tables and views.

APPLY SESSION POLICY

Global

Grants the ability to set or unset a session policy on an account or user.

APPLY TAG

Global

Grants the ability to add or drop a tag on a Snowflake object.

ATTACH POLICY

Global

Grants the ability to activate a network policy by associating it with your account.

AUDIT

Global

Grants the ability to set the ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR user parameter.

BIND SERVICE ENDPOINT

Global

Enables the ability to create a service that supports public endpoints. For more inforation about public endpoints, see Ingress: Using a service from outside Snowflake.

CREATE <object_type>

Global, Database, Schema

Grants the ability to create an object of <object_type> (e.g. CREATE TABLE grants the ability to create a table within a schema).

DELETE

Table, hybrid table, Iceberg table

Grants the ability to execute a DELETE command on the table.

EVOLVE SCHEMA

Table

Grants the ability for schema evolution to occur on a table when loading data.

EXECUTE ALERT

Global

Grants the ability to execute alerts owned by the role.

EXECUTE MANAGED TASK

Global

Grants the ability to create tasks that rely on serverless compute resources. Only required to create serverless tasks. The role that has the OWNERSHIP privilege on a task must have both the EXECUTE MANAGED TASK and the EXECUTE TASK privilege for the task to run.

EXECUTE TASK

Global

Grants the ability to run tasks owned by the role. For serverless tasks to run, the role that has the OWNERSHIP privilege on the task must also have the global EXECUTE MANAGED TASK privilege.

FAILOVER

Failover Group

Grants the ability to promote a secondary failover group to serve as the primary.

IMPORT SHARE

Global

Applies to data consumers. Grants the ability to view shares shared with your account. Also grants the ability to create databases from the shares; requires the global CREATE DATABASE privilege.

OVERRIDE SHARE RESTRICTIONS

Global

Grants the ability to set value for the SHARE_RESTRICTIONS parameter on a share which enables a Business Critical provider account to add a consumer account (with non-Business Critical edition) to a share. For more details, see Enabling sharing from a Business critical account to a non-business critical account.

IMPORTED PRIVILEGES

Database, Data Exchange

Grants the ability to enable roles other than the owning role to access a shared database or manage a Snowflake Marketplace / Data Exchange.

INSERT

Table, hybrid Table, Iceberg table

Grants the ability to execute an INSERT command on the table.

MANAGE ACCOUNT SUPPORT CASES

Global

Grants the ability to view, comment on, and manage all Support cases for the current account in Snowsight.

MANAGE GRANTS

Global

Grants the ability to grant or revoke privileges on any object as if the invoking role were the owner of the object.

MANAGE LISTING AUTOFULFILLMENT

Global

Grants the ability to publish listings to remote regions using Cross-Cloud Auto-Fulfillment and manage auto-fulfillment settings for listings.

MANAGE ORGANIZATION SUPPORT CASES

Global

Grants the ability to view, comment on, and manage all Support cases that were opened by the current user in Snowsight.

MANAGE USER SUPPORT CASES

Global

Grants the ability to view, comment on, and manage all Support cases for the current user in Snowsight.

MANAGE WAREHOUSES

Global

Grants the ability to perform operations that require the MODIFY, MONITOR, and OPERATE privileges on warehouses in the same account.

MODIFY

Resource Monitor, Warehouse, Data Exchange Listing, Database, Schema, Failover Group, Replication Group, Compute Pool

Grants the ability to change the settings or properties of an object (e.g. on a virtual warehouse, provides the ability to change the size of a virtual warehouse).

MODIFY LOG LEVEL

Global

Enables setting the level of log messages captured for stored procedures and UDFs in the current account. For more information, refer to LOG_LEVEL.

MODIFY SESSION LOG LEVEL

Global

Enables setting the level of log messages captured for stored procedures and UDFs invoked in the current session. For more information, refer to LOG_LEVEL.

MODIFY TRACE LEVEL

Global

Enables setting the level of trace events captured for stored procedures and UDFs in the current account. When tracing events, you must also set the LOG_LEVEL parameter to one of its supported values. For more information, refer to TRACE_LEVEL.

MODIFY SESSION TRACE LEVEL

Global

Enables setting the level of trace events captured for stored procedures and UDFs invoked in the current session. When tracing events, you must also set the LOG_LEVEL parameter to one of its supported values. For more information, refer to TRACE_LEVEL.

MONITOR

User, Resource Monitor, Warehouse, Database, Schema, Task, Failover Group, Replication Group, Alert, Compute Pool, Service, Dynamic table

Grants the ability to see details within an object (e.g. queries and usage within a warehouse).

MONITOR EXECUTION

Global

Grants the ability to monitor pipes (Snowpipe) or tasks in the account.

MONITOR SECURITY

Global

Grants the ability to call system functions pertaining to Customer-managed keys.

MONITOR USAGE

Global

Grants the ability to monitor account-level usage and historical information for databases and warehouses; for more details, see Enabling non-account administrators to monitor usage and billing history in the Classic Console. Additionally grants the ability to view managed accounts using SHOW MANAGED ACCOUNTS.

OPERATE

Warehouse, Task, Dynamic table, Alert, Compute Pool. Service

Grants the ability to start, stop, suspend, or resume a virtual warehouse. Grants the ability to suspend or resume a task. Grants the ability to suspend, resume, or refresh as Dynamic table. Grants the ability to suspend or resume a compute pool. Grants the ability to suspend or resume a Snowpark Container Services service, upgrade service, set, and upset service properties.

OWNERSHIP

All

Grants the ability to drop, alter, and grant or revoke access to an object. Required to rename an object and create a temporary object with the same name as the object itself. OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role or any role with the MANAGE GRANTS privilege.

PURCHASE DATA EXCHANGE LISTING

Global

Grants the ability to purchase a paid listing.

READ

Stage (internal only), Compute Pool, Image Repository

Grants the ability to perform any operations that require reading from an internal stage (GET, LIST, COPY INTO <table>, etc.). Grants the ability to download an image from an image repository. READ privilege on stage and image repository is required to create a Snowpark Container services service.

REFERENCES

Table, hybrid table, Iceberg table, External table, View

Grants the ability to view the structure of an object (but not the data). . . For tables, the privilege also grants the ability to reference the object as the unique/primary key table for a foreign key constraint.

REPLICATE

Replication Group, Failover Group

Grants the ability to refresh a secondary replication or failover group.

RESOLVE ALL

Global

Grants the ability to resolve all objects in the account, which outputs the object in the corresponding SHOW <objects> command.

SELECT

Table, hybrid table, Iceberg table, External table, View, Stream

Grants the ability to execute a SELECT statement on the table/view.

TRUNCATE

Table, hybrid table, Iceberg table

Grants the ability to execute a TRUNCATE TABLE command on the table.

UPDATE

Table, hybrid table, Iceberg table

Grants the ability to execute an UPDATE command on the table.

USAGE

Warehouse, Data Exchange Listing, Integration, Database, Schema, Stage (external only), File Format, Sequence, Stored Procedure, User-Defined Function, External Function, Compute Pool, Service

Grants the ability to execute a USE <object> command on the object. Also grants the ability to execute a SHOW <objects> command on the object. Usage on a compute pool is required to create a Snowpark Container Services service. Usage on Snowpark Container Services service is required to list endpoints in the service.

WRITE

Stage (internal only), image repository

Grants the ability to perform any operations that require writing to an internal stage (PUT, REMOVE, COPY INTO <location>, etc.). Grants the ability to upload an image to an image repository.

The remaining sections in this topic describe the specific privileges available for each type of object and their usage.

Global privileges (account-level privileges)

Privilege

Usage

Notes

APPLY AGGREGATION POLICY

Grants the ability to add and drop an aggregation policy on a table or view.

This global privilege also allows executing the DESCRIBE operation on tables and views.

APPLY AUTHENTICATION POLICY

Grants the ability to add or drop an authentication policy on the Snowflake account or a user in the Snowflake account.

APPLY MASKING POLICY

Grants the ability to set a Column-level Security masking policy on a table or view column and to set a masking policy on a tag.

This global privilege also allows executing the DESCRIBE operation on tables and views.

APPLY ROW ACCESS POLICY

Grants the ability to add and drop a row access policy on a table or view.

This global privilege also allows executing the DESCRIBE operation on tables and views.

APPLY PACKAGES POLICY

Grants the ability to add or drop a packages policy on the Snowflake account.

APPLY PASSWORD POLICY

Grants the ability to add or drop a password policy on the Snowflake account or a user in the Snowflake account.

APPLY PROJECTION POLICY

Grants the ability to add and drop a projection policy on a table or view.

This global privilege also allows executing the DESCRIBE operation on tables and views.

APPLY SESSION POLICY

Grants the ability to set or unset a session policy on an account or user.

ATTACH POLICY

Grants the ability to activate a network policy by associating it with your account.

AUDIT

Grants the ability to set the ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR user parameter.

BIND SERVICE ENDPOINT

Enables the ability to create a service that supports public endpoints. For more inforation about public endpoints, see Ingress: Using a service from outside Snowflake

Must be granted by the ACCOUNTADMIN role.

CREATE ACCOUNT

Enables a data provider to create a new managed account (i.e. reader account). For more details, see Managing reader accounts.

Must be granted by the ACCOUNTADMIN role.

CREATE COMPUTE POOL

Enables creating a compute pool to run a Snowpark Container Services service.

Must be granted by the ACCOUNTADMIN role.

CREATE DATABASE

Enables creating a new database.

Must be granted by the ACCOUNTADMIN role.

CREATE EXTERNAL VOLUME

Enables creating a new external volume for Iceberg tables.

CREATE FAILOVER GROUP

Enables creating a new failover group.

Must be granted by the ACCOUNTADMIN role.

CREATE REPLICATION GROUP

Enables creating a new replication group.

Must be granted by the ACCOUNTADMIN role.

CREATE ROLE

Enables creating a new role.

CREATE USER

Enables creating a new user.

CREATE DATA EXCHANGE LISTING

Enables creating a new Data Exchange listing.

Must be granted by the ACCOUNTADMIN role.

CREATE INTEGRATION

Enables creating a new catalog, notification, security, or storage integration.

Must be granted by the ACCOUNTADMIN role.

CREATE NETWORK POLICY

Enables creating a new network policy.

CREATE SHARE

Enables a data provider to create a new share. For more details, see Enabling non-ACCOUNTADMIN roles to perform data sharing tasks.

Must be granted by the ACCOUNTADMIN role.

CREATE WAREHOUSE

Enables creating a new virtual warehouse.

EXECUTE ALERT

Grants the ability to execute alerts owned by the role.

Must be granted by the ACCOUNTADMIN role.

EXECUTE MANAGED TASK

Grants the ability to create tasks that rely on serverless compute resources. Only required for serverless tasks. The role that has the OWNERSHIP privilege on a task must have both the EXECUTE MANAGED TASK and the EXECUTE TASK privilege for the task to run.

Must be granted by the ACCOUNTADMIN role.

EXECUTE TASK

Grants the ability to run tasks owned by the role. For serverless tasks to run, the role that has the OWNERSHIP privilege on the task must also have the global EXECUTE MANAGED TASK privilege.

Must be granted by the ACCOUNTADMIN role.

IMPORT SHARE

Enables a data consumer to view shares shared with their account. Also grants the ability to create databases from shares; requires the global CREATE DATABASE privilege. For more details, see Enabling non-ACCOUNTADMIN roles to perform data sharing tasks.

Must be granted by the ACCOUNTADMIN role.

MANAGE ACCOUNT SUPPORT CASES

Grants the ability to view, comment on, and manage all Support cases for the current account in Snowsight.

MANAGE GRANTS

Enables granting or revoking privileges on objects for which the role is not the owner.

Must be granted by the SECURITYADMIN role (or higher).

MANAGE ORGANIZATION SUPPORT CASES

Grants the ability to view, comment on, and manage all Support cases that were opened by the current user in Snowsight.

MANAGE USER SUPPORT CASES

Grants the ability to view, comment on, and manage all Support cases for the current user in Snowsight.

MANAGE WAREHOUSES

Grants the ability to perform operations that require MODIFY, MONITOR, and OPERATE privileges on warehouses in the same account.

Must be granted by the ACCOUNTADMIN role.

MANAGE LISTING AUTOFULFILLMENT

Grants the ability to publish listings to remote regions using Cross-Cloud Auto-Fulfillment and manage auto-fulfillment settings for listings.

Must be granted by the ACCOUNTADMIN role after that role has been delegated privileges by the ORGADMIN role.

MODIFY LOG LEVEL

Enables setting the level of log messages captured for stored procedures and UDFs in the current account.

For more information, refer to LOG_LEVEL.

MODIFY SESSION LOG LEVEL

Enables setting the level of log messages captured for stored procedures and UDFs invoked in the current session.

For more information, refer to LOG_LEVEL.

MODIFY TRACE LEVEL

Enables setting the level of trace events captured for stored procedures and UDFs in the current account.

When tracing events, you must also set the LOG_LEVEL parameter to one of its supported values. For more information, refer to TRACE_LEVEL.

MODIFY SESSION TRACE LEVEL

Enables setting the level of trace events captured for stored procedures and UDFs invoked in the current session.

When tracing events, you must also set the LOG_LEVEL parameter to one of its supported values. For more information, refer to TRACE_LEVEL.

MONITOR EXECUTION

Grants the ability to monitor any pipes or tasks in the account.

Must be granted by the ACCOUNTADMIN role. The USAGE privilege is also required on each database and schema that stores these objects.

MONITOR SECURITY

Grants the ability to call system functions pertaining to Customer-managed keys.

MONITOR USAGE

Grants the ability to monitor account-level usage and historical information for databases and warehouses; for more details, see Enabling non-account administrators to monitor usage and billing history in the Classic Console. Additionally grants the ability to view managed accounts using SHOW MANAGED ACCOUNTS.

Must be granted by the ACCOUNTADMIN role.

OVERRIDE SHARE RESTRICTIONS

Grants the ability to set value for the SHARE_RESTRICTIONS parameter on a share which enables a Business Critical provider account to add a consumer account (with non-Business Critical edition) to a share.

For more details, see Enabling sharing from a Business critical account to a non-business critical account.

PURCHASE DATA EXCHANGE LISTING

Grants the ability to purchase a paid listing.

See Paying for listings.

RESOLVE ALL

Grants the ability to resolve all objects in the account, which outputs the object in the corresponding SHOW <objects> command.

ALL [ PRIVILEGES ]

Grants all global privileges.

User privileges

Privilege

Usage

MONITOR

Grants the ability to view the login history for the user.

OWNERSHIP

Grants full control over a user/role. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the user.

Role privileges

Privilege

Usage

OWNERSHIP

Grants full control over a role. Only a single role can hold this privilege on a specific object at a time. Note that the owner role does not inherit any permissions granted to the owned role. To inherit permissions from a role, that role must be granted to another role, creating a parent-child relationship in a role hierarchy.

Resource monitor privileges

Privilege

Usage

MODIFY

Enables altering any properties of a resource monitor, such as changing the monthly credit quota.

MONITOR

Enables viewing a resource monitor.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the resource monitor.

Virtual warehouse privileges

Privilege

Usage

APPLYBUDGET

Enables adding or removing a warehouse from a budget.

MODIFY

Enables altering any properties of a warehouse, including changing its size. . . Required to assign a warehouse to a resource monitor. Note that only the ACCOUNTADMIN role can assign warehouses to resource monitors.

MONITOR

Enables viewing current and past queries executed on a warehouse as well as usage statistics on that warehouse.

OPERATE

Enables changing the state of a warehouse (stop, start, suspend, resume). In addition, enables viewing current and past queries executed on a warehouse and aborting any executing queries.

USAGE

Enables using a virtual warehouse and, as a result, executing queries on the warehouse. If the warehouse is configured to auto-resume when a SQL statement (e.g. query) is submitted to it, the warehouse resumes automatically and executes the statement.

OWNERSHIP

Grants full control over a warehouse. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the warehouse.

Tip

The granting of the global MANAGE WAREHOUSES privilege is equivalent to granting the MODIFY, MONITOR, and OPERATE privileges on all warehouses in an account. You can grant this privilege to a role whose purpose includes managing a warehouse to simplify your Snowflake access control management.

For details, refer to Delegating warehouse management.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Connection privileges

Only the ACCOUNTADMIN role owns connections. The OWNERSHIP privilege cannot be granted to another role.

External volume privileges

Privilege

Usage

USAGE

Enables referencing the external volume when executing other commands that use the external volume, and grants the ability to view details for an external volume in a SHOW or DESCRIBE command.

OWNERSHIP

Grants full control over an external volume. Only a single role can hold this privilege on a specific object at a time.

Failover group privileges

Privilege

Usage

MODIFY

Enables altering any properties of a failover group.

MONITOR

Enables viewing details of a failover group.

OWNERSHIP

Grants full control over a failover group. Only a single role can hold this privilege on a specific object at a time.

FAILOVER

Enables promoting a secondary failover group to serve as primary failover group.

REPLICATE

Enables refreshing a secondary failover group.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the failover group.

Replication group privileges

Privilege

Usage

MODIFY

Enables altering any properties of a replication group.

MONITOR

Enables viewing details of a replication group.

OWNERSHIP

Grants full control over a replication group. Only a single role can hold this privilege on a specific object at a time.

REPLICATE

Enables refreshing a secondary replication group.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the replication group.

Integration privileges

Privilege

Usage

USAGE

Enables referencing the integration when executing other commands that use the integration. For more information, see access control requirements for CREATE STAGE and CREATE EXTERNAL ACCESS INTEGRATION.

USE_ANY_ROLE

Allows the External OAuth client or user to switch roles only if this privilege is granted to the client or user. Configure the External OAuth security integration to use the EXTERNAL_OAUTH_ANY_ROLE_MODE parameter using CREATE SECURITY INTEGRATION or ALTER SECURITY INTEGRATION.

OWNERSHIP

Grants full control over an integration. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the integration.

Authentication Policy Privileges

Privilege

Usage

OWNERSHIP

Transfers ownership of an authentication policy, which grants full control over the authentication policy. Required to alter most properties of an authentication policy.

Network Rule Privileges

Privilege

Usage

OWNERSHIP

Grants full control over the network rule.

Network policy privileges

Privilege

Usage

OWNERSHIP

Grants full control over the network policy. Only a single role can hold this privilege on a specific object at a time.

Packages policy privileges

Privilege

Usage

OWNERSHIP

Transfers ownership of a packages policy, which grants full control over the packages policy. Required to alter most properties of a packages policy.

USAGE

Grants the ability to view the contents of a packages policy in a SHOW or DESCRIBE command.

Password policy privileges

Privilege

Usage

OWNERSHIP

Transfers ownership of a password policy, which grants full control over the password policy. Required to alter most properties of a password policy.

Session policy privileges

Privilege

Usage

OWNERSHIP

Transfers ownership of a session policy, which grants full control over the session policy. Required to alter most properties of a session policy.

Data exchange privileges

Privilege

Usage

IMPORTED PRIVILEGES

Enables roles other than the owning role to manage a Data Exchange.

Listing privileges

Note

You must use Snowsight to manage listing-level privileges. See Granting privileges to other roles.

Privilege

Usage

MODIFY

Enables roles other than the owning role to modify a listing.

USAGE

Enables viewing a listing.

OWNERSHIP

Grants full control over a listing. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a listing.

Share privileges

Privilege

Usage

OWNERSHIP

Grants full control over a share. Only a single role can hold this privilege on a specific object at a time. Cannot be transferred.

Database privileges

Privilege

Usage

APPLYBUDGET

Enables adding or removing a database from a budget.

MODIFY

Enables altering any settings of a database.

MONITOR

Enables performing the DESCRIBE command on the database.

USAGE

Enables using a database, including returning the database details in the SHOW DATABASES command output. Additional privileges are required to view or take actions on objects in a database.

REFERENCE_USAGE

Enables using an object (e.g. secure view in a share) when the object references another object in a different database. Grant the privilege on the other database to the share. You cannot grant this privilege on a database to any kind of role. For details, refer to GRANT <privilege> … TO SHARE and Sharing data from multiple databases.

CREATE DATABASE ROLE

Enables creating a new database role in a database.

CREATE SCHEMA

Enables creating a new schema in a database, including cloning a schema.

IMPORTED PRIVILEGES

Enables roles other than the owning role to access a shared database; applies only to shared databases.

OWNERSHIP

Grants full control over the database. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a database.

Note

  • Changing the properties of a database requires the OWNERSHIP privilege for the database.

    Updating the COMMENT property only requires the MODIFY privilege for the database.

  • If any database privilege is granted to a role, that role can take SQL actions on objects in a schema using fully-qualified names. The role must have the USAGE privilege on the schema as well as the required privilege or privileges on the object. To make a database the active database in a user session, the USAGE privilege on the database is required.

  • An account-level role (i.e. r1) with the OWNERSHIP privilege on the database can grant the CREATE DATABASE ROLE privilege to a different account-level role (i.e. r2). Similarly, r1 can also revoke the CREATE DATABASE ROLE privilege from another account-level role..

    In this scenario, r2 must have the USAGE privilege on the database to create a new database role in that database.

  • When you create a database role, the USAGE privilege on the database that contains the database role is automatically granted to the database role.

Schema privileges

Privilege

Usage

APPLYBUDGET

Enables adding or removing a schema from a budget.

MODIFY

Enables altering any settings of a schema.

MONITOR

Enables performing the DESCRIBE command on the schema.

USAGE

Enables using a schema, including returning the schema details in the SHOW SCHEMAS command output. . . To execute SHOW <objects> commands for objects (tables, views, stages, file formats, sequences, pipes, or functions) in the schema, a role must have at least one privilege granted on the object.

CREATE AUTHENTICATION POLICY

Enables creating a new authentication policy in a schema.

CREATE TABLE

Enables creating a new table in a schema, including cloning a table. Note that this privilege is not required to create temporary tables, which are scoped to the current user session and are automatically dropped when the session ends.

CREATE DYNAMIC TABLE

Enables creating a new dynamic table in a schema.

CREATE EXTERNAL TABLE

Enables creating a new external table in a schema.

CREATE HYBRID TABLE

Enables creating a new Hybird Table in a schema.

CREATE ICEBERG TABLE

Enables creating a new Iceberg table in a schema.

CREATE VIEW

Enables creating a new view in a schema.

CREATE MASKING POLICY

Enables creating a new masking policy in a schema.

CREATE MATERIALIZED VIEW

Enables creating a new materialized view in a schema.

CREATE NETWORK RULE

Enables creating a new network rule in a schema.

CREATE ROW ACCESS POLICY

Enables creating a new row access policy in a schema.

CREATE SECRET

Enables creating a new secret in the current/specified schema or replaces an existing secret.

CREATE SESSION POLICY

Enables creating a new session policy in a schema.

CREATE STAGE

Enables creating a new stage in a schema, including cloning a stage.

CREATE STREAMLIT

Enables creating a new Streamlit app in a schema.

CREATE FILE FORMAT

Enables creating a new file format in a schema, including cloning a file format.

CREATE SEQUENCE

Enables creating a new sequence in a schema, including cloning a sequence.

CREATE FUNCTION

Enables creating a new UDF or external function in a schema.

CREATE PACKAGES POLICY

Enables creating a new packages policy in a schema.

CREATE PASSWORD POLICY

Enables creating a new password policy in a schema.

CREATE PIPE

Enables creating a new pipe in a schema.

CREATE STREAM

Enables creating a new stream in a schema, including cloning a stream.

CREATE TAG

Enables creating a new tag key in a schema.

CREATE TASK

Enables creating a new task in a schema, including cloning a task.

CREATE PROCEDURE

Enables creating a new stored procedure in a schema.

CREATE ALERT

Enables creating a new alert in a schema.

CREATE SNOWFLAKE.CORE.BUDGET

Enables creating new budget on a schema.

CREATE SNOWFLAKE.ML.FORECAST

Enables creating new forecast model instances on a schema.

CREATE SNOWFLAKE.ML.ANOMALY_DETECTION

Enables creating new anomaly detection model instances on a schema.

CREATE MODEL

Enables creating a machine learning model on a schema.

ADD SEARCH OPTIMIZATION

Enables adding search optimization to a table in a schema.

OWNERSHIP

Grants full control over the schema. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a schema.

Note

  • Changing the properties of a schema, including comments, requires the OWNERSHIP privilege for the database.

  • Operating on a schema also requires the USAGE privilege on the parent database.

Table privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a table and classifying a table.

INSERT

Enables executing an INSERT command on a table. Also enables using the ALTER TABLE command with a RECLUSTER clause to manually recluster a table with a clustering key.

UPDATE

Enables executing an UPDATE command on a table.

TRUNCATE

Enables executing a TRUNCATE TABLE command on a table.

DELETE

Enables executing a DELETE command on a table.

EVOLVE SCHEMA

Enables schema evolution to occur on a table when loading data.

REFERENCES

Enables referencing a table as the unique/primary key table for a foreign key constraint. Also enables viewing the structure of a table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

APPLYBUDGET

Enables adding or removing a table from a budget.

OWNERSHIP

Grants full control over the table. Required to alter most properties of a table, with the exception of reclustering. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a table.

Note

  • Operating on a table also requires the USAGE privilege on the parent database and schema.

  • A role must be granted or inherit the OWNERSHIP privilege on the object to create a temporary object that has the same name as the object that already exists in the schema.

Dynamic table privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a dynamic table.

OPERATE

Enables altering the properties of a dynamic table.

If you do not have this privilege on a dynamic table, you cannot use the ALTER DYNAMIC TABLE command, which enables you to:

MONITOR

Enables accessing the metadata for a dynamic table through Snowsight and SQL commands and functions.

If you do not have the MONITOR privilege on a dynamic table, you cannot do the following:

  • Call the DYNAMIC_TABLE_GRAPH_HISTORY table function to view graph history of that dynamic table.

  • Call the DYNAMIC_TABLE_REFRESH_HISTORY table function to view refresh history for that dynamic table.

  • View that dynamic table in the output of the SHOW DYNAMIC TABLES command.

  • View that dynamic table’s metadata in the output of the DESCRIBE DYNAMIC TABLE command or the Snowsight dynamic tables details page.

    • If you have the MONITOR privilege but do not have the SELECT privilege, the following fields are hidden: text, warehouse, scheduling_state, last_suspended_on, and suspend_reason_code (only hidden in Snowsight).

OWNERSHIP

Grants full control over the dynamic table. Only a single role can hold this privilege on a specific object at a time.

Required to drop a dynamic table.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the dynamic table.

Event table privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on an event table.

INSERT

In conjunction with OWNERSHIP of the account, grants the ability to associate an account with an event table.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the event table.

OWNERSHIP

Transfers ownership of an event table, which grants full control over the event table. . . Required to alter the event table. . . In conjunction with OWNERSHIP of the account, grants the ability to associate an account with an event table.

Note

Operating on an event table also requires the USAGE privilege on the parent database and schema.

External table privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on an external table and classifying an external table.

REFERENCES

Enables viewing the structure of an external table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

OWNERSHIP

Grants full control over the external table; required to refresh an external table. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on an external table.

Note

Operating on an external table also requires the USAGE privilege on the parent database and schema.

Hybrid table privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a hybrid table.

INSERT

Enables executing an INSERT command on a hybrid table.

UPDATE

Enables executing an UPDATE command on a hybrid table.

TRUNCATE

Enables executing a TRUNCATE TABLE command on a hybrid table.

DELETE

Enables executing a DELETE command on a hybrid table.

REFERENCES

Enables referencing a hybrid table as the unique/primary key table for a foreign key constraint. Also enables viewing the structure of a hybrid table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

APPLYBUDGET

Enables adding or removing a hybrid table from a budget.

OWNERSHIP

Grants full control over the hybrid table. Required to alter most properties of an hybrid table. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a hybrid table.

Note

  • Operating on a hybrid table also requires the USAGE privilege on the parent database and schema.

  • The following privileges have no effect when granted on a hybrid table that uses a catalog integration: INSERT, UPDATE, DELETE. Hybrid tables that use a catalog integration are read-only.

Iceberg table privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on an Iceberg table.

INSERT

Enables executing an INSERT command on an Iceberg table.

UPDATE

Enables executing an UPDATE command on an Iceberg table.

TRUNCATE

Enables executing a TRUNCATE TABLE command on an Iceberg table.

DELETE

Enables executing a DELETE command on an Iceberg table.

REFERENCES

Enables referencing an Iceberg table as the unique/primary key table for a foreign key constraint. Also enables viewing the structure of an Iceberg table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

APPLYBUDGET

Enables adding or removing an Iceberg table from a budget.

OWNERSHIP

Grants full control over the Iceberg table. Required to alter most properties of an Iceberg table. Only a single role can hold this privilege on a specific object at a time.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on an Iceberg table.

Note

  • Operating on an Iceberg table also requires the USAGE privilege on the parent database and schema.

  • The following privileges have no effect when granted on an Iceberg table that uses a catalog integration: INSERT, UPDATE, DELETE. Iceberg tables that use a catalog integration are read-only.

View privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a view and classifying a view. . . This privilege is sufficient to query a view; the SELECT privilege on the objects from which the view is created is not required.

REFERENCES

Enables viewing the structure of a view (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

OWNERSHIP

Grants full control over the view. Required to alter a view. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a view.

Note

  • Table DML privileges such as INSERT, UPDATE, and DELETE can be granted on views; however, because views are read-only, these privileges have no effect.

  • Operating on a view also requires the USAGE privilege on the parent database and schema.

  • A role must be granted or inherit the OWNERSHIP privilege on the object to create a temporary object that has the same name as the object that already exists in the schema.

Materialized view privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a view and classifying a materialized view. . . Note that this privilege is sufficient to query a view. The SELECT privilege on the underlying objects for a view is not required.

REFERENCES

Enables viewing the structure of a view (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

APPLYBUDGET

Enables adding or removing a materialized view from a budget.

OWNERSHIP

Grants full control over the view. Required to alter a view. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a view.

Note

  • Table DML privileges such as INSERT, UPDATE, and DELETE can be granted on views; however, because views are read-only, these privileges have no effect.

  • Operating on a view also requires the USAGE privilege on the parent database and schema.

  • A role must be granted or inherit the OWNERSHIP privilege on the object to create a temporary object that has the same name as the object that already exists in the schema.

Stage privileges

Privilege

Usage

USAGE

Enables using an external stage object in a SQL statement; not applicable to internal stages.

READ

Enables performing any operations that require reading from an internal stage (GET, LIST, COPY INTO <table>, etc.); not applicable to external stages.

WRITE

Enables performing any operations that require writing to an internal stage (PUT, REMOVE, COPY INTO <location>, etc.); not applicable for external stages.

OWNERSHIP

Grants full control over the stage. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all applicable privileges, except OWNERSHIP, on the stage (internal or external).

Note

  • When granting both the READ and WRITE privileges for an internal stage, the READ privilege must be granted before or at the same time as the WRITE privilege.

  • When revoking both the READ and WRITE privileges for an internal stage, the WRITE privilege must be revoked before or at the same time as the READ privilege.

  • Operating on a stage also requires the USAGE privilege on the parent database and schema.

  • A role must be granted or inherit the OWNERSHIP privilege on the object to create a temporary object that has the same name as the object that already exists in the schema.

File format privileges

Privilege

Usage

USAGE

Enables using a file format in a SQL statement.

OWNERSHIP

Grants full control over the file format. Required to alter a file format. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the file format.

Note

  • Operating on file formats also requires the USAGE privilege on the parent database and schema.

  • A role must be granted or inherit the OWNERSHIP privilege on the object to create a temporary object that has the same name as the object that already exists in the schema.

Pipe privileges

Pipe objects are created and managed to load data using Snowpipe.

Privilege

Usage

APPLYBUDGET

Enables adding or removing a pipe from a budget.

MONITOR

Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES).

OPERATE

Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES), pausing or resuming the pipe, and refreshing the pipe.

OWNERSHIP

Grants full control over the pipe. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the pipe.

Note

Operating on pipes also requires the USAGE privilege on the parent database and schema.

Database role privileges

Privilege

Usage

OWNERSHIP

Grants full control over a database role. Only a single role can hold this privilege on a specific object at a time. Note that the owner role does not inherit any permissions granted to the owned database role. To inherit permissions from a database role, that database role must be granted to another role, creating a parent-child relationship in a role hierarchy.

Stream privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a stream.

OWNERSHIP

Grants full control over the stream. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the stream.

Task privileges

Privilege

Usage

APPLYBUDGET

Enables adding or removing a task from a budget.

MONITOR

Enables viewing details for the task (using DESCRIBE TASK or SHOW TASKS).

OPERATE

Enables viewing details for the task (using DESCRIBE TASK or SHOW TASKS) and resuming or suspending the task.

OWNERSHIP

Grants full control over the task. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the task.

Secret privileges

Privilege

Usage

READ

Enables a UDF or stored procedure that uses a secret to access the credentials the are stored in the secret. For details, see Creating a secret to represent credentials.

USAGE

Enables using a secret.

OWNERSHIP

Transfers ownership of a secret, which grants full control over the secret. Required to alter most properties of a secret or drop a secret from the system.

Aggregation policy privileges

Privilege

Usage

APPLY

Enables executing the unset and set operations for an aggregation policy on a table or view.

Note that granting the global APPLY AGGREGATION POLICY privilege (i.e. APPLY AGGREGATION POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views.

OWNERSHIP

Grants full control over the aggregation policy. Required to alter most properties of an aggregation policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on an aggregation policy also requires the USAGE privilege on the parent database and schema.

Masking policy privileges

Privilege

Usage

APPLY

Enables executing the unset and set operations for a masking policy on a column.

Note that granting the global APPLY MASKING POLICY privilege (i.e. APPLY MASKING POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views.

For syntax examples, see Masking policy privileges.

OWNERSHIP

Grants full control over the masking policy. Required to alter most properties of a masking policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a masking policy also requires the USAGE privilege on the parent database and schema.

Projection policy privileges

Privilege

Usage

APPLY

Enables executing the unset and set operations for a projection policy on a column.

Note that granting the global APPLY PROJECTION POLICY privilege (i.e. APPLY PROJECTION POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views.

OWNERSHIP

Grants full control over the projection policy. Required to alter most properties of a projection policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a projection policy also requires the USAGE privilege on the parent database and schema.

Row access policy privileges

Privilege

Usage

APPLY

Enables executing the add and drop operations for the row access policy on a table or view.

Note that granting the global APPLY ROW ACCESS POLICY privilege (i.e. APPLY ROW ACCESS POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views.

For syntax examples, see Summary of DDL commands, operations, and privileges.

OWNERSHIP

Grants full control over the row access policy. Required to alter most properties of a row access policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a row access policy also requires the USAGE privilege on the parent database and schema.

Tag privileges

Privilege

Usage

APPLY

Enables executing the add and drop operations for the tag on a Snowflake object.

READ

Enables a data sharing consumer to view shared tag assignments using a SHOW TAGS command. The data sharing provider grants this privilege to a database role or directly to the share.

OWNERSHIP

Grants full control over the tag. Required to alter most properties of a tag. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Tags are stored at the schema level.

Operating on a tag requires the USAGE privilege on the parent database and schema.

Sequence privileges

Privilege

Usage

USAGE

Enables using a sequence in a SQL statement.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the sequence.

OWNERSHIP

Grants full control over the sequence; required to alter the sequence. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a sequence also requires the USAGE privilege on the parent database and schema.

Stored procedure privileges

Privilege

Usage

USAGE

Enables calling a stored procedure.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the stored procedure.

OWNERSHIP

Grants full control over the stored procedure; required to alter the stored procedure. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

  • Operating on a stored procedure also requires the USAGE privilege on the parent database and schema.

  • If a stored procedure runs with caller’s rights, the user who calls the stored procedure must have privileges on the database objects (e.g. tables) accessed by the stored procedure. For details, see Understanding Caller’s Rights and Owner’s Rights Stored Procedures.

User-defined function (UDF) and external function privileges

Privilege

Usage

USAGE

Enables calling a UDF or external function.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the UDF or external function.

OWNERSHIP

Grants full control over the UDF or external function; required to alter the UDF or external function. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

  • Operating on a UDF or external function also requires the USAGE privilege on the parent database and schema.

  • The owner of a UDF must have privileges on the objects accessed by the function; the user who calls a UDF does not need those privileges. For details, see Security/Privilege Requirements for SQL UDFs.

  • The owner of an external function must have the USAGE privilege on the API integration object associated with the external function. For details, see Access Control in the documentation on external functions.

Alert privileges

Privilege

Usage

MONITOR

Enables viewing details for the alert (using DESCRIBE ALERT or SHOW ALERTS).

OPERATE

Enables viewing details for the alert (using DESCRIBE ALERT or SHOW ALERTS) and resuming or suspending the alert (using ALTER ALERT).

OWNERSHIP

Grants full control over the alert. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the alert.

Compute Pool Privileges

Privilege

Usage

OPERATE

Enables suspending or resuming a compute pool.

MODIFY

Enables altering compute pool and setting properties.

USAGE

Enables running a service or a job. It enables communicating with the service (create a service function, use public endpoints, and connect from another service).

MONITOR

Enables viewing compute pool usage (number of services and jobs running), properties, and listing compute pool in the account for which the role has access privileges.

OWNERSHIP

Grants full control over the compute pool. Only a single role can hold this privilege on a specific compute pool object at a time.

Image Repository Privileges

Privilege

Usage

OWNERSHIP

Enables full control over the image repository. The role with this privilege can also delete an image repository.

READ

Enable listing and downloading images from an image repository.

WRITE

Enables listing and downloading images from a repository. Also enables pushing images in the repository.

Service Privileges

Privilege

Usage

OPERATE

Enable suspending or resuming a service, upgrading service, and modifying service properties.

OWNERSHIP

Enables full control over the service. The role with this privilege can also remove a service from a schema.

MONITOR

Enable monitoring a service and getting runtime status.

USAGE

Enables listing endpoints in a service.

Job Privileges

The user who created a job can monitor and get runtime status for the job. Jobs do not support granting privileges to other users or roles.

Streamlit Privileges

Privilege

Usage

USAGE

Enables viewing and running a Streamlit app.

Model Privileges

Privilege

Usage

USAGE

Enables displaying information about a model and invoking its methods.