SHOW CALLER GRANTS¶

Lists the caller grants being used to implement restricted caller’s rights.

Syntax¶

SHOW CALLER GRANTS
{
{ ON <object_type> <object_name> | ON ACCOUNT }
| TO { ROLE | DATABASE ROLE }  <owner_name>
}

Copy

Parameters¶

ON object_type object_name or . ON ACCOUNT

Specifies whether to list the caller grants on a specific object or list all caller grants involving the account.

Use the singular form of object_type, for example, TABLE or WAREHOUSE.

TO ROLE <owner_name> or . TO DATABASE ROLE <owner_name>

Specifies an executable owner, which lists all caller grants that have been granted to that owner.

Output¶

The output of the command includes the following columns, which describe the properties and metadata of the object:

Column	Description
`created_on`	Date and time when the caller grant was granted.
`privilege`	Privilege that executables owned by `grantee_name` can run with.
`granted_on`	Type of object that is subject to the caller grant, regardless of whether it was granted directly on an object or on all objects of that type.
`name`	If the caller grant was granted directly on a specific object, specifies the name of the object.
`is_inherited`	If `TRUE`, the caller grant was granted to all objects of a certain type using a GRANT INHERITED CALLER or GRANT ALL INHERITED CALLER PRIVILEGES statement. If `FALSE`, the caller grant was granted directly on the `name` object.
`inherited_from`	If the caller grant was granted to all objects of a certain type using a GRANT INHERITED CALLER or GRANT ALL INHERITED CALLER PRIVILEGES statement, indicates the level at which it was granted. One of `ACCOUNT`, `DATABASE`, or `SCHEMA`.
`inherited_from_database`	If `inherited_from` is a database (including an application or application package), specifies the name of the database. If `inherited_from` is a schema, specifies the name of the database that contains the schema.
`inherited_from_schema`	If `inherited_from` is a schema, specifies the name of the schema.
`granted_to`	Type of executable owner to which the caller grant was granted. One of `ROLE` or `DATABASE ROLE`.
`grantee_name`	Name of the executable owner to which the caller grant was granted.

Access control requirements¶

Anyone can execute a SHOW CALLER GRANTS TO … command to list caller grants that have been granted to a specific executable owner.

Executing a SHOW CALLER GRANTS ON … command requires the following privilege:

Privilege	Object	Notes
Any privilege	Specified object	You need at least one privilege on the object specified in the SHOW CALLER GRANTS command.

For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.

For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.

Usage notes¶

When executing a SHOW CALLER GRANTS ON … statement, different rows of the output can indicate different things. For example, one row could indicate a caller grant was granted directly on an object while another row indicates that the object was specified with an IN clause in the GRANT statement. For more information, see List caller grants.
When a user executes SHOW CALLER GRANTS, the results only contain objects to which they have at least one privilege. For more information, see Conditional output.

To post-process the output of this command, you can use the RESULT_SCAN function, which treats the output as a table that can be queried.

Examples¶

List caller grants that have been granted on the table t1.

SHOW CALLER GRANTS ON TABLE t1;

Copy

List all of the caller grants that have been granted for the current account. This includes grants directly on the account (GRANT CALLER … ON ACCOUNT) and grants to all objects in an account (GRANT INHERITED CALLER … IN ACCOUNT).

SHOW CALLER GRANTS ON ACCOUNT;

Copy

List all of the caller grants that have been granted to the database role db.owner_role.

SHOW CALLER GRANTS TO DATABASE ROLE db.owner_role;

Copy