Enabling non-ACCOUNTADMIN Roles to Perform Data Sharing Tasks
Snowflake provides two global/account privileges for performing all tasks related to shares:
- CREATE SHARE
  In a provider account, enables creating and managing shares (for sharing data with consumer accounts).
- IMPORT SHARE
  In a consumer account, enables viewing the inbound shares shared with the account. Also enables creating databases from inbound shares; this additionally requires the global CREATE DATABASE privilege.
By default, these privileges are granted only to the ACCOUNTADMIN role, ensuring that only account administrators can perform these tasks. However, the privileges can be granted to other roles, enabling the tasks to be delegated to other users in the account.
Attention
Granting CREATE SHARE to other roles makes managing shares more flexible, but also allows users with these roles to expose any objects they own (or on which they have the necessary privileges) to other accounts. This is particularly important to note if you are sharing data from an account that contains sensitive or proprietary data.
Please take this into consideration before granting CREATE SHARE to other roles.
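The following is an added example, not part of the original page: it delegates the two privileges to dedicated roles and then audits which roles hold them and who owns outbound shares. The role names `share_admin` and `share_consumer` are hypothetical; run the provider and consumer statements in their respective accounts.

```sql
-- Added example. Role names share_admin / share_consumer are hypothetical.
USE ROLE ACCOUNTADMIN;

-- Provider account: delegate share management to one dedicated role
-- instead of a broad role that owns sensitive objects.
CREATE ROLE IF NOT EXISTS share_admin;
GRANT CREATE SHARE ON ACCOUNT TO ROLE share_admin;

-- Consumer account: IMPORT SHARE lets the role view inbound shares;
-- CREATE DATABASE is also needed to create databases from them.
CREATE ROLE IF NOT EXISTS share_consumer;
GRANT IMPORT SHARE ON ACCOUNT TO ROLE share_consumer;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE share_consumer;

-- Audit: list every role holding either sharing privilege on the account.
-- Anything beyond ACCOUNTADMIN and the roles granted above deserves review.
SHOW GRANTS ON ACCOUNT;
SELECT "privilege", "granted_to", "grantee_name", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" IN ('CREATE SHARE', 'IMPORT SHARE')
ORDER BY "privilege", "grantee_name";

-- Audit: list outbound shares with their owning role and target accounts,
-- to see what a CREATE SHARE holder has actually exposed.
SHOW SHARES;
SELECT "name", "database_name", "owner", "to", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "kind" = 'OUTBOUND'
ORDER BY "created_on" DESC;

-- When delegation is no longer needed, withdraw the privilege:
-- REVOKE CREATE SHARE ON ACCOUNT FROM ROLE share_admin;
```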