Enable non-ACCOUNTADMIN roles to perform data sharing tasks¶
This topic lists the minimum privileges required to perform SQL actions related to shares.
By default, the privileges required to create and manage shares are granted only to the ACCOUNTADMIN role, ensuring that only account administrators can perform these tasks. However, the privileges can also be granted to other roles, enabling the tasks to be delegated to other users in the account.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Note
If you grant sharing privileges to other users in the account, make sure that the user profiles for those other users includes a first name, last name, and an email address. To modify the user profile in Snowsight, see Add user details to your user profile.
Data providers¶
Data providers can choose either of the following options to add objects to a share:
Option 1: Create a database role in a database, grant privileges on objects to the database role, and then grant the database role to the share.
Option 2: Grant privileges on the database and database objects directly to the share.
For more information on these options, see How to share database objects.
The minimum privileges required to create and manage shares in a data provider or data consumer account depend on which option was used.
- Option 1:
Action
Privilege
Object
Notes
Create shares.
CREATE SHARE
Account
Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.
Create database roles in a database.
CREATE DATABASE ROLE
Database
Only the database owner role (i.e. the role that has the OWNERSHIP privilege on the database) has this privilege by default. The privilege can be granted to additional roles as needed.
- Option 2:
Action
Privilege
Object
Notes
Create shares.
CREATE SHARE
Account
Only the ACCOUNTADMIN role has this privilege by default. The privilege can be granted to additional roles as needed.
Grant or revoke privileges on objects to or from a share.
OWNERSHIP
Share
This role must also have, at a minimum, the following privileges on the database objects with the grant option:
USAGE on the database
USAGE on the schema
SELECT on any tables, external tables, secure views, or secure materialized views
USAGE on any secure UDFs
The USAGE privilege on the parent database and schema are required to perform operations on any object in a schema.
Attention
Granting CREATE SHARE to other roles makes managing shares more flexible, but also allows users with these roles to expose any objects they own (or on which they have the necessary privileges) to other accounts. This is particularly important to note if you are sharing data from an account that contains sensitive or proprietary data.
Take this into consideration before granting CREATE SHARE to other roles.
Data consumers¶
In a consumer account, the global IMPORT SHARE privilege enables viewing the inbound shares shared with the account. The privilege also permits creating databases from inbound shares if the role is also granted the global CREATE DATABASE privilege.
Granting the privilege to another role¶
To grant the global IMPORT SHARE privilege to a non-ACCOUNTADMIN role in a consumer account, use the ACCOUNTADMIN role and the GRANT <privileges> … TO ROLE command.
For example, to grant the privilege to the SYSADMIN role:
USE ROLE ACCOUNTADMIN;
GRANT IMPORT SHARE ON ACCOUNT TO SYSADMIN;