Access Control Privileges

This topic describes the privileges that are available in the Snowflake access control model. Privileges are granted to roles, and roles are granted to users, to specify the operations that the users can perform on objects in the system.

In this Topic:

All Privileges (Alphabetical)

The following privileges are available in the Snowflake access control model. The meaning of each privilege varies depending on the object type to which it is applied, and not all objects support all privileges:

Privilege

Object Type

Description

ALL [ PRIVILEGES ]

All

Grants all the privileges for the specified object type.

APPLY MASKING POLICY

Global

Grants ability to set a Column-level Security masking policy on a table or view column.

APPLY ROW ACCESS POLICY

Global

Grants ability to add and drop a row access policy on a table or view.

ATTACH POLICY

Global

Grants ability to activate a network policy by associating it with your account.

CREATE <object_type>

Global , Database , Schema

Grants ability to create an object of <object_type> (e.g. CREATE TABLE grants the ability to create a table within a schema).

CREATE ACCOUNT

Global

Grants ability to create managed accounts; currently applies only to data providers creating reader accounts for sharing data with consumers.

CREATE SHARE

Global

Grants ability to create shares; applies to data providers for sharing data with other accounts.

DELETE

Table

Grants ability to execute a DELETE command on the table.

EXECUTE TASK

Global

Grants ability to run any tasks owned by the role.

IMPORT SHARE

Global

Grants ability to view shares shared with your account and create databases from the shares; applies to data consumers.

OVERRIDE SHARE RESTRICTIONS

Global

Grants ability to set value for the SHARE_RESTRICTIONS parameter which enables a Business Critical provider account to add a consumer account (with Non-Business Critical edition) to a share. For more details, see Enabling Sharing from a Business Critical Account to a non-Business Critical Account.

IMPORTED PRIVILEGES

Database, Data Exchange

Grants ability to enable roles other than the owning role to access a shared database or manage a Snowflake Data Marketplace / Data Exchange.

INSERT

Table

Grants ability to execute an INSERT command on the table.

MANAGE GRANTS

Global

Grants ability to grant or revoke privileges on any object as if the invoking role were the owner of the object.

MODIFY

Resource Monitor , Warehouse , Data Exchange Listing , Database , Schema

Grants ability to change the settings or properties of an object (e.g. on a virtual warehouse, provides the ability to change the size of a virtual warehouse).

MONITOR

User , Resource Monitor , Warehouse , Database , Schema, Task

Grants ability to see details within an object (e.g. queries and usage within a warehouse).

MONITOR EXECUTION

Global

Grants ability to monitor pipes (Snowpipe) or tasks in the account.

MONITOR USAGE

Global

Grants ability to monitor account-level usage and historical information for databases and warehouses; for more details, see Enabling Non-Account Administrators to Monitor Usage and Billing History. Additionally grants ability to view managed accounts using SHOW MANAGED ACCOUNTS.

OPERATE

Warehouse , Task

Grants ability to start, stop, suspend, or resume a virtual warehouse. Grants ability to suspend or resume a task.

OWNERSHIP

All

Grants ability to delete, alter, and grant or revoke access to an object. Required to rename an object. OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role (or any role with the MANAGE GRANTS privilege).

REFERENCES

Table , External table, View

Grants ability to view the structure of an object (but not the data). . . For tables, the privilege also grants the ability to reference the object as the unique/primary key table for a foreign key constraint.

SELECT

Table , External table, View, Stream

Grants ability to execute a SELECT statement on the table/view.

TRUNCATE

Table

Grants ability to execute a TRUNCATE TABLE command on the table.

UPDATE

Table

Grants ability to execute an UPDATE command on the table.

USAGE

Warehouse , Data Exchange Listing , Database , Schema

Grants ability to execute a USE <object> command on the object; also grants ability to execute a SHOW <objects> command on the objects within a database or schema; however, a contained object is only listed in the output if the executing role also has at least one privilege on the object.

The remaining sections in this topic describe the specific privileges available for each type of object and their usage.

Global Privileges

Privilege

Usage

Notes

APPLY MASKING POLICY

Grants ability to set a Column-level Security masking policy on a table or view column.

APPLY ROW ACCESS POLICY

ATTACH POLICY

Grants ability to activate a network policy by associating it with your account.

CREATE USER

Enables creating a new user.

CREATE ROLE

Enables creating a new role.

MANAGE GRANTS

Enables modifying grants on objects for which the role is not the owner.

Must be granted by the SYSADMIN role (or higher).

CREATE WAREHOUSE

Enables creating a new virtual warehouse.

CREATE DATA EXCHANGE LISTING

Enables creating a new Data Exchange listing.

Must be granted by the ACCOUNTADMIN role.

CREATE DATABASE

Enables creating a new database or create a clone of an existing database.

Must be granted by the SYSADMIN role (or higher).

CREATE INTEGRATION

Enables creating a new notification, security, or storage integration.

Must be granted by the ACCOUNTADMIN role.

CREATE NETWORK POLICY

Enables creating a new network policy.

EXECUTE TASK

Grants ability to run any tasks owned by the role.

Must be granted by the ACCOUNTADMIN role.

MONITOR EXECUTION

Grants ability to monitor any pipes or tasks in the account.

Must be granted by the ACCOUNTADMIN role. The USAGE privilege is also required on each database and schema that stores these objects.

CREATE SHARE

Enables a data provider to create a new share. For more details, see Enabling non-ACCOUNTADMIN Roles to Perform Data Sharing Tasks.

Must be granted by the ACCOUNTADMIN role.

IMPORT SHARE

Enables a data consumer to view shares shared with their account and create databases from the shares. For more details, see Enabling non-ACCOUNTADMIN Roles to Perform Data Sharing Tasks.

Must be granted by the ACCOUNTADMIN role.

OVERRIDE SHARE RESTRICTIONS

Grants ability to set value for the SHARE_RESTRICTIONS parameter which enables a Business Critical provider account to add a consumer account (with Non-Business Critical edition) to a share.

For more details, see Enabling Sharing from a Business Critical Account to a non-Business Critical Account.

CREATE ACCOUNT

Enables a data provider to create a new managed account (i.e. reader account). For more details, see Managing Reader Accounts.

Must be granted by the ACCOUNTADMIN role.

MONITOR USAGE

Grants ability to monitor account-level usage and historical information for databases and warehouses; for more details, see Enabling Non-Account Administrators to Monitor Usage and Billing History. Additionally grants ability to view managed accounts using SHOW MANAGED ACCOUNTS.

Must be granted by the ACCOUNTADMIN role.

ALL [ PRIVILEGES ]

Grants all global privileges.

User Privileges

Privilege

Usage

OWNERSHIP

Grants full control over a user/role.

MONITOR

Grants ability to view the login history for the user.

Role Privileges

Privilege

Usage

OWNERSHIP

Grants full control over a user/role. Note that the owner role does not inherit any permissions granted to the owned role. To inherit permissions from a role, that role must be granted to another role, creating a a parent-child relationship in a role hierarchy.

Resource Monitor Privileges

Privilege

Usage

MODIFY

Enables altering any properties of a resource monitor, such as changing the monthly credit quota.

MONITOR

Enables viewing a resource monitor.

Virtual Warehouse Privileges

Privilege

Usage

MODIFY

Enables altering any properties of a warehouse, including changing its size. . . Required to assign a warehouse to a resource monitor. Note that only the ACCOUNTADMIN role can assign warehouses to resource monitors.

MONITOR

Enables viewing current and past queries executed on a warehouse as well as usage statistics on that warehouse.

OPERATE

Enables changing the state of a warehouse (stop, start, suspend, resume) as well as abort any executing queries.

USAGE

Enables using a virtual warehouse and, as a result, executing queries on the warehouse.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the warehouse.

OWNERSHIP

Transfers ownership of a warehouse, which gives full control over the warehouse.

Integration Privileges

Privilege

Usage

USAGE

Enables referencing the storage integration when creating a stage (using CREATE STAGE) or modifying a stage (using ALTER STAGE).

USE_ANY_ROLE

Allows the External OAuth client or user to switch roles only if this privilege is granted to the client or user. Configure the External OAuth security integration to use the EXTERNAL_OAUTH_ANY_ROLE_MODE parameter using CREATE SECURITY INTEGRATION or ALTER SECURITY INTEGRATION.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the integration.

OWNERSHIP

Transfers ownership of an integration, which gives full control over the integration.

Network Policy Privileges

Privilege

Usage

OWNERSHIP

Transfers ownership of a network policy, which gives full control over the network policy.

Data Exchange Privileges

Privilege

Usage

IMPORTED PRIVILEGES

Enables roles other than the owning role to manage a Snowflake Data Marketplace or Data Exchange.

Data Exchange Listing Privileges

Note

Currently, privileges on Data Exchange listings can only be granted in the Snowflake web interface. For instructions, see Granting Privileges to Other Roles.

Privilege

Usage

MODIFY

Enables roles other than the owning role to modify a Snowflake Data Marketplace or Data Exchange listing.

USAGE

Enables viewing a Snowflake Data Marketplace or Data Exchange listing.

OWNERSHIP

Transfers ownership of a Snowflake Data Marketplace or Data Exchange listing, which grants full control over the listing.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a Snowflake Data Marketplace or Data Exchange listing.

Database Privileges

Privilege

Usage

MODIFY

Enables altering any settings of a database.

MONITOR

Enables performing the DESCRIBE command on the database.

USAGE

Enables using a database. Additional privileges are required to view or take actions on objects in a database.

CREATE SCHEMA

Enables creating a new schema in a database, including cloning a schema.

IMPORTED PRIVILEGES

Enables roles other than the owning role to access a shared database; applies only to shared databases.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a database.

OWNERSHIP

Transfers ownership of a database, which grants full control over the database.

Note

  • Changing the properties of a database, including comments, requires the OWNERSHIP privilege for the database.

  • If any database privilege is granted to a role, that role can take SQL actions on objects in a schema using fully-qualified names. The role must have the USAGE privilege on the schema as well as the required privilege or privileges on the object. To make a database the active database in a user session, the USAGE privilege on the database is required.

Schema Privileges

Privilege

Usage

MODIFY

Enables altering any settings of a schema.

MONITOR

Enables performing the DESCRIBE command on the schema.

USAGE

Enables using a schema, including executing SHOW SCHEMAS commands to list the schema details in a database. . . To execute SHOW <objects> commands for objects (tables, views, stages, file formats, sequences, pipes, or functions) in the schema, a role must have at least one privilege granted on the object.

CREATE TABLE

Enables creating a new table in a schema, including cloning a table. Note that this privilege is not required to create temporary tables, which are scoped to the current user session and are automatically deleted when the session ends.

CREATE EXTERNAL TABLE

Enables creating a new external table in a schema.

CREATE VIEW

Enables creating a new view in a schema.

CREATE MATERIALIZED VIEW

Enables creating a new materialized view in a schema.

CREATE MASKING POLICY

Enables creating a new Column-level Security masking policy in a schema.

CREATE ROW ACCESS POLICY

Enables creating a new Row Access Policies row access policy in a schema.

CREATE STAGE

Enables creating a new stage in a schema, including cloning a stage.

CREATE FILE FORMAT

Enables creating a new file format in a schema, including cloning a file format.

CREATE SEQUENCE

Enables creating a new sequence in a schema, including cloning a sequence.

CREATE FUNCTION

Enables creating a new UDF or external function in a schema.

CREATE PIPE

Enables creating a new pipe in a schema.

CREATE STREAM

Enables creating a new stream in a schema, including cloning a stream.

CREATE TASK

Enables creating a new task in a schema, including cloning a task.

CREATE PROCEDURE

Enables creating a new stored procedure in a schema.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a schema.

OWNERSHIP

Transfers ownership of a schema, which grants full control over the schema.

Note

  • Changing the properties of a schema, including comments, requires the OWNERSHIP privilege for the database.

  • Operating on a schema also requires the USAGE privilege on the parent database.

Table Privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a table.

INSERT

Enables executing an INSERT command on a table. Also enables using the ALTER TABLE command with a RECLUSTER clause to manually recluster a table with a clustering key.

UPDATE

Enables executing an UPDATE command on a table.

TRUNCATE

Enables executing a TRUNCATE TABLE command on a table.

DELETE

Enables executing a DELETE command on a table.

REFERENCES

Enables referencing a table as the unique/primary key table for a foreign key constraint. Also enables viewing the structure of a table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a table.

OWNERSHIP

Transfers ownership of a table, which grants full control over the table. Required to alter most properties a table, with the exception of reclustering.

Note

Operating on a table also requires the USAGE privilege on the parent database and schema.

External Table Privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on an external table.

REFERENCES

Enables viewing the structure of an external table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on an external table.

OWNERSHIP

Transfers ownership of an external table, which grants full control over the external table; required to refresh an external table.

Note

Operating on an external table also requires the USAGE privilege on the parent database and schema.

View Privileges

The following privileges apply to both standard and materialized views.

Privilege

Usage

SELECT

Enables executing a SELECT statement on a view.

REFERENCES

Enables viewing the structure of a view (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on a view.

OWNERSHIP

Transfers ownership of a view, which grants full control over the view. Required to alter a view.

Note

A user who has SELECT privilege on a view does not also need SELECT privilege on the tables that the view uses. This means that you can use a view to give a role access to only a subset of a table. For example, you can create a view that accesses medical billing information but not medical diagnosis information in the same table, and you can then grant privileges on that view to a custom ACCOUNTANT role so that accountants can look at the billing information without seeing the patient diagnoses.

Operating on a view also requires the USAGE privilege on the parent database and schema.

Stage Privileges

Privilege

Usage

USAGE

Enables using an external stage object in a SQL statement; not applicable to internal stages.

READ

Enables performing any operations that require reading from an internal stage (GET, LIST, COPY INTO <table>, etc.); not applicable to external stages.

WRITE

Enables performing any operations that require writing to an internal stage (PUT, REMOVE, COPY INTO <location>, etc.); not applicable for external stages.

ALL [ PRIVILEGES ]

Grants all applicable privileges, except OWNERSHIP, on the stage (internal or external).

OWNERSHIP

Transfers ownership of a stage, which grants full control over the stage.

Note

  • When granting both the READ and WRITE privileges for an internal stage, the READ privilege must be granted before or at the same time as the WRITE privilege.

  • When revoking both the READ and WRITE privileges for an internal stage, the WRITE privilege must be revoked before or at the same time as the READ privilege.

  • Operating on a stage also requires the USAGE privilege on the parent database and schema.

File Format Privileges

Privilege

Usage

USAGE

Enables using a file format in a SQL statement.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the file format.

OWNERSHIP

Transfers ownership of a file format, which grants full control over the file format. Required to alter a file format.

Note

Operating on file formats also requires the USAGE privilege on the parent database and schema.

Pipe Privileges

Pipe objects are created and managed to load data using Snowpipe.

Privilege

Usage

MONITOR

Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES).

OPERATE

Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES), pausing or resuming the pipe, and refreshing the pipe.

OWNERSHIP

Transfers ownership of a pipe, which grants full control over the pipe.

Note

Operating on pipes also requires the USAGE privilege on the parent database and schema.

Stream Privileges

Privilege

Usage

SELECT

Enables executing a SELECT statement on a stream.

OWNERSHIP

Transfers ownership of a stream, which grants full control over the stream.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the stream.

Task Privileges

Privilege

Usage

MONITOR

Enables viewing details for the task (using DESCRIBE TASK or SHOW TASKS).

OPERATE

Enables viewing details for the task (using SHOW TASKS) and resuming or suspending the task.

OWNERSHIP

Transfers ownership of a task, which grants full control over the task.

Masking Policy Privileges

Privilege

Usage

APPLY

Enables applying the Column-level Security masking policy unset and set operations.

OWNERSHIP

Transfers ownership of a Column-level Security masking policy, which grants full control over the masking policy. Required to alter most properties of a masking policy.

Note

Operating on a masking policy also requires the USAGE privilege on the parent database and schema.

Row Access Policy Privileges

Privilege

Usage

APPLY

Enables the add and drop operations for the Row Access Policies row access policy on a table or view.

OWNERSHIP

Transfers ownership of a row access policy, which grants full control over the row access policy. Required to alter most properties of a row access policy.

Note

Operating on a row access policy also requires the USAGE privilege on the parent database and schema.

Sequence Privileges

Privilege

Usage

USAGE

Enables using a sequence in a SQL statement.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the sequence.

OWNERSHIP

Transfers ownership of a sequence, which grants full control over the sequence; required to alter the sequence.

Note

Operating on a sequence also requires the USAGE privilege on the parent database and schema.

Stored Procedure Privileges

Privilege

Usage

USAGE

Enables calling a stored procedure.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the stored procedure.

OWNERSHIP

Transfers ownership of a stored procedure, which grants full control over the stored procedure; required to alter the stored procedure.

Note

  • Operating on a stored procedure also requires the USAGE privilege on the parent database and schema.

  • If a stored procedure runs with caller’s rights, the user who calls the stored procedure must have privileges on the database objects (e.g. tables) accessed by the stored procedure. For details, see Understanding Caller’s Rights and Owner’s Rights Stored Procedures.

User-Defined Function (UDF) and External Function Privileges

Privilege

Usage

USAGE

Enables calling a UDF or external function.

ALL [ PRIVILEGES ]

Grants all privileges, except OWNERSHIP, on the UDF or external function.

OWNERSHIP

Transfers ownership of a UDF or external function, which grants full control over the object; required to alter the UDF or external function.

Note

  • Operating on a UDF or external function also requires the USAGE privilege on the parent database and schema.

  • The owner of a UDF must have privileges on the objects accessed by the function; the user who calls a UDF does not need those privileges. For details, see Security/Privilege Requirements for SQL UDFs.

  • The owner of an external function must have the USAGE privilege on the API integration object associated with the external function. For details, see Access Control in the documentation on external functions.