Schema:: ACCOUNT_USAGE

GRANTS_TO_ROLES view¶

This Account Usage view can be used to query access control privileges that have been granted to a role.

Columns¶

Column Name	Data Type	Description
CREATED_ON	TIMESTAMP_LTZ	Date and time (in the UTC time zone) when the privilege is granted to the role.
MODIFIED_ON	TIMESTAMP_LTZ	Date and time (in the UTC time zone) when the privilege is updated.
PRIVILEGE	VARCHAR	Name of the privilege added to the role.
GRANTED_ON	VARCHAR	Object kind, such as `TABLE` or `DATABASE`, on which the privilege is granted.
NAME	VARCHAR	Name of the object on which the privilege is granted.
TABLE_CATALOG	VARCHAR	Name of the database for the current table or the name of the database that stores the instance of a class.
TABLE_SCHEMA	VARCHAR	Name of the schema for the current table or the name of the schema that stores the instance of a class.
GRANTED_TO	VARCHAR	Either `ROLE`, `DATABASE_ROLE`, `INSTANCE_ROLE`, `APPLICATION_ROLE`, or `APPLICATION`.
GRANTEE_NAME	VARCHAR	Identifier for the recipient role, the role to which the privilege is granted, or the name of the Snowflake Native App object.
GRANT_OPTION	BOOLEAN	`TRUE / FALSE`. If set to `TRUE`, the recipient role can grant the privilege to other roles.
GRANTED_BY	VARCHAR	Indicates the role that authorized a privilege grant to the grantee. `GRANTED_BY` displays empty for privileges granted by the SNOWFLAKE system role.
DELETED_ON	TIMESTAMP_LTZ	Date and time (in the UTC time zone) when the privilege is revoked.
GRANTED_BY_ROLE_TYPE	VARCHAR	Either `APPLICATION`, `ROLE` or `DATABASE_ROLE`.
OBJECT_INSTANCE	VARCHAR	The fully-qualified name of the object that contains the instance role for a particular class in the format `database.schema.class`.

Usage notes¶

Latency for the view may be up to 120 minutes (2 hours).

The view does not contain grants to database roles from databases created from shares.
The view does not contain grants on dropped objects.
The view is updated periodically to include support for new objects. You can use a SHOW GRANTS TO ROLE command to list all the grants to a particular role.
The GRANTED_BY column indicates the role that authorized a privilege grant to the grantee. The authorization role is known as the grantor.

When you grant privileges on an object to a role using GRANT <privileges>, the following authorization rules determine which role is listed as the grantor of the privilege:
1. If an active role is the object owner (i.e. has the OWNERSHIP privilege on the object), that role is the grantor.
2. If an active role holds the specified permission with the grant option authorized (i.e., the privilege was granted to the active role with the WITH GRANT OPTION clause of the GRANT <privileges>, where <role_name> is one of the active roles). If so, the role that holds the privilege with the grant option authorized is the grantor role. Note that if multiple active roles meet this criterion, it is non-deterministic which of the roles becomes the grantor role.
3. If an active role holds the global MANAGE GRANTS privilege, the grantor role is the object owner, not the role that held the MANAGE GRANTS privilege. That is, the MANAGE GRANTS privilege allows a role to impersonate the object owner for the purposes of granting privileges on that object.
The GRANTED_BY column displays empty for privileges granted by the Snowflake SYSTEM role. Certain internal operations are performed with this role. Grants of privileges authorized by the SYSTEM role cannot be modified by customers.