SHOW CALLER GRANTS¶

Lists the caller grants being used to implement restricted caller’s rights.

Syntax¶

SHOW CALLER GRANTS
{
{ ON <object_type> <object_name> | ON ACCOUNT }
| TO { ROLE | DATABASE ROLE }  <owner_name>
}
Copy

Parameters¶

ON object_type object_name or . ON ACCOUNT

Specifies whether to list the caller grants on a specific object or list all caller grants involving the account.

Use the singular form of object_type, for example, TABLE or WAREHOUSE.

TO ROLE <owner_name> or . TO DATABASE ROLE <owner_name>

Specifies an executable owner, which lists all caller grants that have been granted to that owner.

Output¶

The output of the command includes the following columns, which describe the properties and metadata of the object:

Column

Description

created_on

Date and time when the caller grant was granted.

privilege

Privilege that executables owned by grantee_name can run with.

granted_on

Type of object that is subject to the caller grant, regardless of whether it was granted directly on an object or on all objects of that type.

name

If the caller grant was granted directly on a specific object, specifies the name of the object.

is_inherited

If TRUE, the caller grant was granted to all objects of a certain type using a GRANT INHERITED CALLER or GRANT ALL INHERITED CALLER PRIVILEGES statement.

If FALSE, the caller grant was granted directly on the name object.

inherited_from

If the caller grant was granted to all objects of a certain type using a GRANT INHERITED CALLER or GRANT ALL INHERITED CALLER PRIVILEGES statement, indicates the level at which it was granted. One of ACCOUNT, DATABASE, or SCHEMA.

inherited_from_database

If inherited_from is a database (including an application or application package), specifies the name of the database. If inherited_from is a schema, specifies the name of the database that contains the schema.

inherited_from_schema

If inherited_from is a schema, specifies the name of the schema.

granted_to

Type of executable owner to which the caller grant was granted. One of ROLE or DATABASE ROLE.

grantee_name

Name of the executable owner to which the caller grant was granted.

Access control requirements¶

Anyone can execute a SHOW CALLER GRANTS TO … command to list caller grants that have been granted to a specific executable owner.

Executing a SHOW CALLER GRANTS ON … command requires the following privilege:

Privilege

Object

Notes

Any privilege

Specified object

You need at least one privilege on the object specified in the SHOW CALLER GRANTS command.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes¶

  • When executing a SHOW CALLER GRANTS ON … statement, different rows of the output can indicate different things. For example, one row could indicate a caller grant was granted directly on an object while another row indicates that the object was specified with an IN clause in the GRANT statement. For more information, see List caller grants.

  • When a user executes SHOW CALLER GRANTS, the results only contain objects to which they have at least one privilege. For more information, see Conditional output.

  • To post-process the output of this command, you can use the RESULT_SCAN function, which treats the output as a table that can be queried.

Examples¶

List caller grants that have been granted on the table t1.

SHOW CALLER GRANTS ON TABLE t1;
Copy

List all of the caller grants that have been granted for the current account. This includes grants directly on the account (GRANT CALLER … ON ACCOUNT) and grants to all objects in an account (GRANT INHERITED CALLER … IN ACCOUNT).

SHOW CALLER GRANTS ON ACCOUNT;
Copy

List all of the caller grants that have been granted to the database role db.owner_role.

SHOW CALLER GRANTS TO DATABASE ROLE db.owner_role;
Copy