SHOW CALLER GRANTS¶
Lists the caller grants being used to implement restricted caller’s rights.
Syntax¶
SHOW CALLER GRANTS
{
{ ON <object_type> <object_name> | ON ACCOUNT }
| TO { ROLE | DATABASE ROLE } <owner_name>
}
Parameters¶
ON object_type object_name
or .ON ACCOUNT
Specifies whether to list the caller grants on a specific object or list all caller grants involving the account.
Use the singular form of
object_type
, for example,TABLE
orWAREHOUSE
.TO ROLE <owner_name>
or .TO DATABASE ROLE <owner_name>
Specifies an executable owner, which lists all caller grants that have been granted to that owner.
Output¶
The output of the command includes the following columns, which describe the properties and metadata of the object:
Column |
Description |
---|---|
|
Date and time when the caller grant was granted. |
|
Privilege that executables owned by |
|
Type of object that is subject to the caller grant, regardless of whether it was granted directly on an object or on all objects of that type. |
|
If the caller grant was granted directly on a specific object, specifies the name of the object. |
|
If If |
|
If the caller grant was granted to all objects of a certain type using a GRANT INHERITED CALLER or GRANT ALL INHERITED
CALLER PRIVILEGES statement, indicates the level at which it was granted. One of |
|
If |
|
If |
|
Type of executable owner to which the caller grant was granted. One of |
|
Name of the executable owner to which the caller grant was granted. |
Access control requirements¶
Anyone can execute a SHOW CALLER GRANTS TO … command to list caller grants that have been granted to a specific executable owner.
Executing a SHOW CALLER GRANTS ON … command requires the following privilege:
Privilege |
Object |
Notes |
---|---|---|
Any privilege |
Specified object |
You need at least one privilege on the object specified in the SHOW CALLER GRANTS command. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes¶
When executing a SHOW CALLER GRANTS ON … statement, different rows of the output can indicate different things. For example, one row could indicate a caller grant was granted directly on an object while another row indicates that the object was specified with an IN clause in the GRANT statement. For more information, see List caller grants.
When a user executes SHOW CALLER GRANTS, the results only contain objects to which they have at least one privilege. For more information, see Conditional output.
To post-process the output of this command, you can use the RESULT_SCAN function, which treats the output as a table that can be queried.
Examples¶
List caller grants that have been granted on the table t1
.
SHOW CALLER GRANTS ON TABLE t1;
List all of the caller grants that have been granted for the current account. This includes grants directly on the account (GRANT CALLER … ON ACCOUNT) and grants to all objects in an account (GRANT INHERITED CALLER … IN ACCOUNT).
SHOW CALLER GRANTS ON ACCOUNT;
List all of the caller grants that have been granted to the database role db.owner_role
.
SHOW CALLER GRANTS TO DATABASE ROLE db.owner_role;