New privilege MANAGE SHARE TARGET replaces CREATE SHARE to add accounts to shares

Attention

This behavior change is in the 2024_07 bundle.

For the current status of the bundle, refer to Bundle History.

Snowflake introduces a new privilege called MANAGE SHARE TARGET. The MANAGE SHARE TARGET privilege is granted on an account to a role. A role granted this privilege can be used to add or remove the targets of any share in the account where the role has the privilege. A share target refers to an account or user granted access to the shared data. Think of these targets as the “target audience” for the share. This new privilege enhances security and control by allowing organizations to assign specific privileges based on job roles.

Before the change:

  • The existing CREATE SHARE privilege is used to both create shares and manage share targets (add accounts to a share).

  • If a role is granted CREATE SHARE privilege, the role can both create shares and manage share targets.

After the change:

  • The existing CREATE SHARE privilege is used only to create shares, not manage share targets.

  • The MANAGE SHARE TARGET privilege is used to manage share targets (add and remove accounts that can access a share).

  • After this behavior change bundle is enabled, roles with CREATE SHARE will automatically receive MANAGE SHARE TARGET to ensure compatibility.

Prepare for the change

You will be impacted by this change if you previously granted CREATE SHARE to a non-ACCOUNTADMIN role to manage share targets. Customers should review and update any automations that rely on CREATE SHARE for managing accounts.
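One way to carry out that review, as an added example (not Snowflake's own code): list which roles currently hold each of the two account-level privileges, then move target management to a dedicated role. The role names share_creator and share_target_admin are hypothetical, and the final REVOKE assumes the bundle is enabled and the automatic grant has already been applied.

```sql
-- Added example. share_creator and share_target_admin are hypothetical role names.

-- 1. Inventory: which roles hold CREATE SHARE and/or MANAGE SHARE TARGET
--    at the account level. ACCOUNT_USAGE views can lag behind live grants;
--    use SHOW GRANTS ON ACCOUNT for a point-in-time check.
SELECT grantee_name                                  AS role_name,
       BOOLOR_AGG(privilege = 'CREATE SHARE')        AS can_create_share,
       BOOLOR_AGG(privilege = 'MANAGE SHARE TARGET') AS can_manage_targets,
       BOOLOR_AGG(grant_option)                      AS can_regrant
FROM snowflake.account_usage.grants_to_roles
WHERE granted_on = 'ACCOUNT'
  AND granted_to = 'ROLE'
  AND deleted_on IS NULL               -- ignore grants that were revoked
  AND privilege IN ('CREATE SHARE', 'MANAGE SHARE TARGET')
GROUP BY grantee_name
ORDER BY role_name;

-- 2. Rows where both flags are TRUE are roles that can create a share and
--    also decide who receives it. Non-ACCOUNTADMIN roles in that set are the
--    ones called out above; check which automations run under them.

-- 3. Separate the duties: a dedicated role manages share targets ...
CREATE ROLE IF NOT EXISTS share_target_admin;
GRANT MANAGE SHARE TARGET ON ACCOUNT TO ROLE share_target_admin;

-- ... and the share-creating role keeps CREATE SHARE only.
-- Assumption: the automatic MANAGE SHARE TARGET grant is already in place
-- on share_creator, so there is something to revoke.
REVOKE MANAGE SHARE TARGET ON ACCOUNT FROM ROLE share_creator;

-- 4. Confirm the result against live grants.
SHOW GRANTS ON ACCOUNT;
SELECT "grantee_name", "privilege"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" IN ('CREATE SHARE', 'MANAGE SHARE TARGET')
ORDER BY "grantee_name", "privilege";
```

Any automation that calls ALTER SHARE ... ADD ACCOUNTS under share_creator needs to switch to share_target_admin before the revoke in step 3.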

USAGE

GRANT MANAGE SHARE TARGET ON ACCOUNT TO ROLE <role-name>;
GRANT ROLE <role-name> TO USER <user_name>;

USE ROLE <role-name>;
ALTER SHARE <data_share_name> ADD ACCOUNTS = '<account_name_1>', '<account_name_2>';

Ref: 1734