GRANT CALLER¶
Grants caller grants to a role. If an executable owned by the role runs with restricted caller’s rights, it can only run with the caller’s privileges specified by the caller grants.
Variations of the GRANT CALLER command are as follows:
GRANT CALLER — Grant caller grants on a specific object. Each caller grant created by the statement allows the executable to run with a specified privilege.
GRANT ALL CALLER PRIVILEGES — Grant caller grants on a specific object. The caller grants created by the statement allow the executable to run with all of the caller’s privileges.
GRANT INHERITED CALLER — Grant caller grants on all current and future objects of the same type when they share a common schema, database, or account. Each caller grant created by the statement allows the executable to run with a specified privilege.
GRANT ALL INHERITED CALLER PRIVILEGES — Grant caller grants on all current and future objects of the same type when they share a common schema, database, or account. The caller grants created by the statement allow the executable to run with all of the caller’s privileges.
Syntax¶
GRANT CALLER <object_privilege> [ , <object_privilege> ... ]
ON <object_type> <object_name>
TO { ROLE | DATABASE ROLE } <grantee_name>
GRANT ALL CALLER PRIVILEGES
ON <object_type> <object_name>
TO { ROLE | DATABASE ROLE } <grantee_name>
GRANT INHERITED CALLER <object_privilege> [ , <object_privilege> ... ]
ON ALL <object_type_plural>
IN { ACCOUNT | DATABASE <db_name> | SCHEMA <schema_name> | APPLICATION <app_name> | APPLICATION PACKAGE <app_pkg_name> }
TO { ROLE | DATABASE ROLE } <grantee_name>
GRANT ALL INHERITED CALLER PRIVILEGES
ON ALL <object_type_plural>
IN { ACCOUNT | DATABASE <db_name> | SCHEMA <schema_name> | APPLICATION <app_name> | APPLICATION PACKAGE <app_pkg_name> }
TO { ROLE | DATABASE ROLE } <grantee_name>
Parameters¶
object_privilege [ , object_privilege ... ]The object privileges that executables can run with. For a list of privileges for a specific object type, see Access control privileges.
Use a comma-delimited list to specify more than one object privilege.
ON object_type object_nameAllows an executable to run with the specified
object_privilegewhen accessing the specified object (object_name). Use the singular form ofobject_type, for example,TABLEorWAREHOUSE.ON ALL object_type_plural IN ACCOUNTor .ON ALL object_type_pluarl IN DATABASE db_nameor .ON ALL object_type_plural IN SCHEMA schema_nameor .ON ALL object_type_plural IN APPLICATION app_nameor .ON ALL object_type_plural IN APPLICATION PACKAGE app_pkg_nameAllows an executable to run with object-level privileges when accessing an object of the specified type. Use the plural form of the object type, for example,
TABLESorWAREHOUSES.You can use the GRANT statement to control access to all objects in the current account, or just objects in the specified database, schema, application, or application package.
TO ROLE grantee_nameor .TO DATABASE ROLE grantee_nameOwner of the executables that you want to secure with caller grants.
If you specify a database role, privileges are limited to objects in the same database as the database role.
Access control requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
|---|---|---|
MANAGE CALLER GRANTS |
Account |
The account-level MANAGE CALLER GRANTS privilege pertains to caller grants only. It does not allow you to grant privileges to roles. |
Any privilege |
All specified objects |
You need at least one privilege on the objects specified in the caller grant. For example, granting a caller grant on a table requires that you have at least one privilege on that table. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Examples¶
Executables owned by owner_role that access a v1 view can run with the SELECT privilege on the view:
GRANT CALLER SELECT ON VIEW v1 TO owner_role;
Executables owned by owner_role that access any table in the db.sch schema can run with the caller’s SELECT and INSERT privileges.
GRANT INHERITED CALLER SELECT, INSERT ON ALL TABLES IN SCHEMA db.sch TO ROLE owner_role;
Executables owned by owner_role that access schemas in the current account can run with all of the caller’s privileges on the schemas.
GRANT ALL INHERITED CALLER PRIVILEGES ON ALL SCHEMAS IN ACCOUNT TO ROLE owner_role;
Executables owned by the db.r database role that access the db.sch1.t1 table can run with the SELECT privilege on the table.
GRANT CALLER SELECT ON TABLE db.sch1.t1 TO DATABASE ROLE db.r;
Executables owned by owner_role that access the my_db database can run with all of the caller’s privileges on the database.
GRANT ALL CALLER PRIVILEGES ON DATABASE my_db TO ROLE owner_role;