SNOWFLAKE Database Roles¶
When an account is provisioned, the SNOWFLAKE database is automatically imported. The database is an example of Snowflake using Secure Data Sharing to provide object metadata and other usage metrics for your organization and accounts.
Access to schema objects in the SNOWFLAKE database is controlled by different database roles. The following sections describe each SNOWFLAKE database role, its associated privileges, and the associated schema objects the role is granted access to.
ACCOUNT_USAGE Schema¶
ACCOUNT_USAGE schemas have four defined SNOWFLAKE database roles, each granted the SELECT privilege on specific views.
Role |
Purpose and Description |
---|---|
OBJECT_VIEWER |
The OBJECT_VIEWER role provides visibility into object metadata. |
USAGE_VIEWER |
The USAGE_VIEWER role provides visibility into historical usage information. |
GOVERNANCE_VIEWER |
The GOVERNANCE_VIEWER role provides visibility into policy related information. |
SECURITY_VIEWER |
The SECURITY_VIEWER role provides visibility into security based information. |
ACCOUNT_USAGE Views by Database Role¶
The OBJECT_VIEWER, USAGE_VIEWER, GOVERNACE_VIEWER, and SECURITY_VIEWER roles have the SELECT privilege to query Account Usage views in the shared SNOWFLAKE database.
A checkmark (i.e. ✔) indicates the role is granted the SELECT privilege on the view.
View |
OBJECT_VIEWER Role |
USAGE_VIEWER Role |
GOVERNANCE_VIEWER Role |
SECURITY_VIEWER Role |
---|---|---|---|---|
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
✔ |
|||
✔ |
✔ |
|||
✔ |
||||
✔ |
✔ |
|||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
✔ |
|||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
✔ |
|||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
||||
✔ |
READER_ACCOUNT_USAGE Schema¶
The READER_USAGE_VIEWER SNOWFLAKE database role is granted SELECT privilege on all READER_ACCOUNT_USAGE views. As reader accounts are created by clients, the READER_USAGE_VIEWER role is expected to be granted to those roles used to monitor reader account use.
View |
---|
ORGANIZATION_USAGE Schema¶
The ORGANIZATION_USAGE_VIEWER and ORGANIZATION_BILLING_VIEWER SNOWFLAKE database roles are granted the SELECT privilege on Organization Usage views in the shared SNOWFLAKE database.
View |
ORGANIZATION_BILLING_VIEWER Role |
ORGANIZATION_USAGE_VIEWER Role |
---|---|---|
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
||
✔ |
CORE Schema¶
The CORE_VIEWER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts containing a shared SNOWFLAKE database. The USAGE privilege is granted to all Snowflake-defined functions and bundles in the CORE schema.
Tag objects¶
The GOVERNANCE_ADMIN Snowflake database role is granted the APPLY privilege on the PRIVACY_CATEGORY
and SEMANTIC_CATEGORY
system tags (e.g. apply on tag privacy_category to role governance_admin
).
This grant allows users with the GOVERNANCE_ADMIN role to apply these tags to objects that the GOVERNANCE_ADMIN owns (i.e. has the OWNERSHIP privilege on the object).
For more information, see:
ALERT Schema¶
The ALERT_VIEWER SNOWFLAKE database role is granted the USAGE privilege on the functions defined in this schema.
ML Schema¶
The ML_USER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts that contain a shared SNOWFLAKE database and will allow customers to access and use machine learning features released in the future.
Using SNOWFLAKE Database Roles¶
Administrators can use the GRANT DATABASE ROLE to assign a SNOWFLAKE database role to another role, which can then be granted to a user. This would allow the user to access a specific subset of views in the SNOWFLAKE database.
In this following example a role is created which can be used to view SNOWFLAKE database object metadata, and does the following:
Creates a custom role.
Grants the OBJECT_VIEWER role to the custom role.
Grants the custom role to a user.
To create and grant the custom role, do the following:
Create the
CAN_VIEWMD
role, using CREATE ROLE that will be used to grant access to object metadata.Only users with the USERADMIN system role or higher, or another role with the CREATE ROLE privilege on the account, can create roles.
CREATE ROLE CAN_VIEWMD COMMENT = 'This role can view metadata per SNOWFLAKE database role definitions';
Grant the OBJECT_VIEWER role to the CAN_VIEWMD role.
Only users with the OWNERSHIP role can grant SNOWFLAKE database roles. For additional information, refer to GRANT DATABASE ROLE.
GRANT DATABASE ROLE OBJECT_VIEWER TO ROLE CAN_VIEWMD;
Assign
CAN_VIEWMD
role to usersmith
.Only users with the SECURITYADMIN role can grant roles to users. For additional options, refer to GRANT ROLE.
GRANT ROLE CAN_VIEWMD TO USER smith;