SNOWFLAKE database roles¶

When an account is provisioned, the SNOWFLAKE database is automatically imported. The database is an example of Snowflake using Secure Data Sharing to provide object metadata and other usage metrics for your organization and accounts.

Access to schema objects in the SNOWFLAKE database is controlled by different database roles. The following sections describe each SNOWFLAKE database role, its associated privileges, and the associated schema objects the role is granted access to.

ACCOUNT_USAGE schema¶

ACCOUNT_USAGE schemas have four defined SNOWFLAKE database roles, each granted the SELECT privilege on specific views.

Role	Purpose and Description
OBJECT_VIEWER	The OBJECT_VIEWER role provides visibility into object metadata.
USAGE_VIEWER	The USAGE_VIEWER role provides visibility into historical usage information.
GOVERNANCE_VIEWER	The GOVERNANCE_VIEWER role provides visibility into policy related information.
SECURITY_VIEWER	The SECURITY_VIEWER role provides visibility into security based information.

ACCOUNT_USAGE Views by Database Role¶

The OBJECT_VIEWER, USAGE_VIEWER, GOVERNANCE_VIEWER, and SECURITY_VIEWER roles have the SELECT privilege to query Account Usage views in the shared SNOWFLAKE database.

A checkmark (i.e. ✔) indicates the role is granted the SELECT privilege on the view.

View	OBJECT_VIEWER Role	USAGE_VIEWER Role	GOVERNANCE_VIEWER Role	SECURITY_VIEWER Role
COLUMNS view	✔
COMPLETE_TASK_GRAPHS view	✔
DATABASES view	✔
ELEMENT_TYPES view	✔
FIELDS view	✔
FILE_FORMATS view	✔
FUNCTIONS view	✔
HYBRID_TABLES view	✔
INDEXES view	✔
INDEX_COLUMNS view	✔
OBJECT_DEPENDENCIES view	✔
PIPES view	✔
PROCEDURES view	✔
REFERENTIAL_CONSTRAINTS view	✔
SCHEMATA view	✔
SEMANTIC_DIMENSIONS view	✔
SEMANTIC_FACTS view	✔
SEMANTIC_METRICS view	✔
SEMANTIC_RELATIONSHIPS view	✔
SEMANTIC_TABLES view	✔
SEMANTIC_VIEWS view	✔
SEQUENCES view	✔
SERVICES view	✔
STAGES view	✔
TABLE_CONSTRAINTS view	✔
TABLES view	✔
TAGS view	✔		✔
VIEWS view	✔
APPLICATION_DAILY_USAGE_HISTORY view		✔
AUTOMATIC_CLUSTERING_HISTORY view		✔
BLOCK_STORAGE_HISTORY view		✔
CLASS_INSTANCES view		✔
CLASSES view		✔
COPY_FILES_HISTORY view		✔
COPY_HISTORY view		✔
CORTEX_ANALYST_USAGE_HISTORY view		✔
CORTEX_DOCUMENT_PROCESSING_USAGE_HISTORY view		✔
CORTEX_FINE_TUNING_USAGE_HISTORY view		✔
CORTEX_FUNCTIONS_QUERY_USAGE_HISTORY view		✔
CORTEX_FUNCTIONS_USAGE_HISTORY view		✔
CORTEX_SEARCH_SERVING_USAGE_HISTORY view		✔
CORTEX_SEARCH_DAILY_USAGE_HISTORY view		✔
DATA_QUALITY_MONITORING_USAGE_HISTORY view		✔
DATA_TRANSFER_HISTORY view		✔
DATABASE_STORAGE_USAGE_HISTORY view		✔
DOCUMENT_AI_USAGE_HISTORY view		✔
DYNAMIC_TABLE_REFRESH_HISTORY view		✔
EVENT_USAGE_HISTORY view		✔
EXTERNAL_ACCESS_HISTORY view		✔
HYBRID_TABLE_USAGE_HISTORY view		✔
INTERNAL_DATA_TRANSFER_HISTORY view		✔
LOAD_HISTORY view		✔
MATERIALIZED_VIEW_REFRESH_HISTORY view		✔
METERING_DAILY_HISTORY view		✔
METERING_HISTORY view		✔
PIPE_USAGE_HISTORY view		✔
QUERY_ATTRIBUTION_HISTORY view		✔	✔
REPLICATION_USAGE_HISTORY view		✔
REPLICATION_GROUP_REFRESH_HISTORY view		✔
REPLICATION_GROUP_USAGE_HISTORY view		✔
SEARCH_OPTIMIZATION_BENEFITS view		✔
SEARCH_OPTIMIZATION_HISTORY view		✔
SERVERLESS_ALERT_HISTORY view		✔
SERVERLESS_TASK_HISTORY view		✔
SNOWPARK_CONTAINER_SERVICES_HISTORY view		✔
STAGE_STORAGE_USAGE_HISTORY view		✔
STORAGE_USAGE view		✔
TABLE_DML_HISTORY view		✔
TABLE_PRUNING_HISTORY view		✔
TABLE_STORAGE_METRICS view		✔
TASK_HISTORY view		✔
WAREHOUSE_EVENTS_HISTORY view		✔
WAREHOUSE_LOAD_HISTORY view		✔
WAREHOUSE_METERING_HISTORY view		✔
ACCESS_HISTORY view			✔
AGGREGATE_ACCESS_HISTORY view			✔
AGGREGATE_QUERY_HISTORY view			✔
AGGREGATION_POLICIES view			✔
DATA_CLASSIFICATION_LATEST view			✔
DATA_METRIC_FUNCTION_REFERENCES view		✔	✔
JOIN_POLICIES view			✔
MASKING_POLICIES view			✔
QUERY_ACCELERATION_ELIGIBLE view			✔
QUERY_HISTORY view			✔
POLICY_REFERENCES view			✔	✔
PRIVACY_BUDGETS view			✔
PRIVACY_POLICIES view			✔
PROJECTION_POLICIES view			✔
ROW_ACCESS_POLICIES view			✔
TAG_REFERENCES view			✔
GRANTS_TO_ROLES view				✔
GRANTS_TO_USERS view				✔
LOGIN_HISTORY view				✔
NETWORK_POLICIES view				✔
NETWORK_RULES view				✔
NETWORK_RULE_REFERENCES view				✔
OUTBOUND_PRIVATELINK_ENDPOINTS view				✔
PASSWORD_POLICIES view				✔
ROLES view				✔
SECRETS view				✔
SESSION_POLICIES view				✔
SESSIONS view				✔
USERS view				✔

READER_ACCOUNT_USAGE schema¶

The READER_USAGE_VIEWER SNOWFLAKE database role is granted SELECT privilege on all READER_ACCOUNT_USAGE views. As reader accounts are created by clients, the READER_USAGE_VIEWER role is expected to be granted to those roles used to monitor reader account use.

View
LOGIN_HISTORY view
QUERY_HISTORY view
RESOURCE_MONITORS view
STORAGE_USAGE view
WAREHOUSE_METERING_HISTORY view

ORGANIZATION_USAGE schema¶

The ORGANIZATION_USAGE_VIEWER, ORGANIZATION_BILLING_VIEWER, and ORGANIZATION_ACCOUNTS_VIEWER SNOWFLAKE database roles are granted the SELECT privilege on Organization Usage views in the shared SNOWFLAKE database.

View	ORGANIZATION_BILLING_VIEWER Role	ORGANIZATION_USAGE_VIEWER Role	ORGANIZATION_ACCOUNTS_VIEWER Role
ACCOUNTS view			✔
CONTRACT_ITEMS view	✔
LISTING_AUTO_FULFILLMENT_USAGE_HISTORY view	✔
RATE_SHEET_DAILY view	✔
REMAINING_BALANCE_DAILY view	✔
USAGE_IN_CURRENCY_DAILY view	✔
MARKETPLACE_DISBURSEMENT_REPORT View	✔
DATA_TRANSFER_DAILY_HISTORY view		✔
DATA_TRANSFER_HISTORY view		✔
DATABASE_STORAGE_USAGE_HISTORY view		✔
AUTOMATIC_CLUSTERING_HISTORY view		✔
MARKETPLACE_PAID_USAGE_DAILY View		✔
MATERIALIZED_VIEW_REFRESH_HISTORY view		✔
METERING_DAILY_HISTORY view		✔
MONETIZED_USAGE_DAILY View		✔
PIPE_USAGE_HISTORY view		✔
QUERY_ACCELERATION_HISTORY view		✔
REPLICATION_GROUP_USAGE_HISTORY view		✔
REPLICATION_USAGE_HISTORY view		✔
SEARCH_OPTIMIZATION_HISTORY view		✔
STAGE_STORAGE_USAGE_HISTORY view		✔
STORAGE_DAILY_HISTORY view		✔
WAREHOUSE_METERING_HISTORY view		✔

CORE schema¶

The CORE_VIEWER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts containing a shared SNOWFLAKE database. The USAGE privilege is granted to all Snowflake-defined functions and bundles in the CORE schema.

Budget class¶

The BUDGET_CREATOR Snowflake database role is granted the USAGE privilege on the SNOWFLAKE.CORE schema and the BUDGET class in the schema. This grant allows users with the BUDGET_CREATOR role to create instances of the BUDGET class.

For more information, see Create a custom role to create budgets.

Tag objects¶

The CORE_VIEWER database role is granted the APPLY privilege each Data Classification system tag: SNOWFLAKE.CORE.PRIVACY_CATEGORY and SNOWFLAKE.CORE.SEMANTIC_CATEGORY. These grants allow users with a role that is granted the CORE_VIEWER database role to assign these system tags to columns.

For details, see:

ALERT schema¶

The ALERT_VIEWER SNOWFLAKE database role is granted the USAGE privilege on the functions defined in this schema.

ML schema¶

The ML_USER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts that contain a shared SNOWFLAKE database and allows customers to access and use ML functions.

MONITORING schema¶

The MONITORING_VIEWER database role has the SELECT privilege on all views in the MONITORING schema.

The MONITORING_VIEWER database role is granted to the PUBLIC role in all Snowflake accounts containing a shared SNOWFLAKE database.

CORTEX schema¶

By default, the CORTEX_USER role is granted to the PUBLIC role. The PUBLIC role is automatically granted to all users and roles, so this allows all users in your account to use the Snowflake Cortex LLM functions.

If you don’t want all users to have this privilege, you can revoke access to the PUBLIC role and grant access to specific roles. For details, see Cortex LLM Functions required privileges.

SNOWFLAKE.CLASSIFICATION_ADMIN database role¶

The SNOWFLAKE.CLASSIFICATION_ADMIN database role allows a data engineer or steward to create an instance of the CLASSIFICATION_PROFILE class. A classification profile is used to implement automatic sensitive data classification.

SNOWFLAKE.COPILOT_USER database role¶

The SNOWFLAKE.COPILOT_USER database role allows customers to access Snowflake Copilot features. Initially, this database role is granted to the PUBLIC role. The PUBLIC role is automatically granted to all users and roles, so this allows all users in your account to use Snowflake Copilot. If you want to limit access to Snowflake Copilot features, you can revoke access to the PUBLIC role and grant access to specific roles. For details, see Access control requirements.

Using SNOWFLAKE database roles¶

Administrators can use the GRANT DATABASE ROLE to assign a SNOWFLAKE database role to another role, which can then be granted to a user. This would allow the user to access a specific subset of views in the SNOWFLAKE database.

In this following example a role is created which can be used to view SNOWFLAKE database object metadata, and does the following:

Creates a custom role.
Grants the OBJECT_VIEWER role to the custom role.
Grants the custom role to a user.

To create and grant the custom role, do the following:

Create the CAN_VIEWMD role, using CREATE ROLE that will be used to grant access to object metadata.

Only users with the USERADMIN system role or higher, or another role with the CREATE ROLE privilege on the account, can create roles.
```
CREATE ROLE CAN_VIEWMD COMMENT = 'This role can view metadata per SNOWFLAKE database role definitions';
```
Copy
Grant the OBJECT_VIEWER role to the CAN_VIEWMD role.

Only users with the OWNERSHIP role can grant SNOWFLAKE database roles. For additional information, refer to GRANT DATABASE ROLE.
```
GRANT DATABASE ROLE OBJECT_VIEWER TO ROLE CAN_VIEWMD;
```
Copy
Assign CAN_VIEWMD role to user smith.

Only users with the SECURITYADMIN role can grant roles to users. For additional options, refer to GRANT ROLE.
```
GRANT ROLE CAN_VIEWMD TO USER smith;
```
Copy