Granting privileges to other roles¶
Snowflake provides a set of privileges for working with listings in the Snowflake Marketplace or a Data Exchange.
Granting administrator privileges in a Data Exchange¶
By default, only an account administrator (a user with the ACCOUNTADMIN role) in the Data Exchange administrator account can manage a Data Exchange, which includes the following tasks:
Add or remove members.
Approve or deny listing approval requests.
Approve or deny provider profile approval requests.
Show categories.
To support delegating these tasks to other users, the IMPORTED PRIVILEGES privilege can be granted on a Data Exchange to other roles.
Granting the IMPORTED PRIVILEGES privilege to other roles¶
To grant the IMPORTED PRIVILEGES privilege on a Data Exchange to a role, use the ACCOUNTADMIN role and the GRANT <privileges> command.
Note
The WITH GRANT OPTION parameter does not support the IMPORTED PRIVILEGES privilege.
Syntax:
GRANT IMPORTED PRIVILEGES ON DATA EXCHANGE <exchange_name> TO <role_name>;
Where:
exchange_nameis the name of a Data Exchange.role_nameis the role to which the privilege is granted.
For example, grant imported privileges on the mydataexchange Data Exchange to a custom role called myrole:
USE ROLE ACCOUNTADMIN;
GRANT IMPORTED PRIVILEGES ON DATA EXCHANGE mydataexchange TO myrole;
Usage notes¶
This privilege is granted at the Data Exchange level. Therefore, users with the role can only administer the Data Exchange for which the privilege has been granted.
Only an account administrator in the Data Exchange administrator account can grant the privilege to another role.
When a role has been granted IMPORTED PRIVILEGES on a database created from a share, subsequent calls to the SHOW GRANTS command list the privilege as USAGE and not IMPORTED PRIVILEGES.
This privilege can only be used for a Data Exchange. In the Snowflake Marketplace, only Snowflake administrators can perform administrative tasks.
Granting provider privileges to other roles in the Snowflake Marketplace or a Data Exchange¶
Snowflake provides a set of privileges to allow providers to perform various tasks related to sharing data and apps with specific consumers, on the Snowflake Marketplace, or data in a Data Exchange.
Privilege |
Object Type |
Can be Granted by |
Description |
ACCOUNT |
ACCOUNTADMIN |
Grants the ability to create a listing or provider profile. |
|
ACCOUNT |
ACCOUNTADMIN |
Grants the ability to create a share. |
|
ACCOUNT |
ACCOUNTADMIN |
Grants the ability to view an inbound share shared with the account and create a database from the share. |
|
ACCOUNT |
ACCOUNTADMIN |
Grants the ability to purchase a paid listing. |
|
LISTING |
Role with the OWNERSHIP privilege on the listing. |
Grants the ability to modify listing properties. |
|
LISTING |
Role with the OWNERSHIP privilege on the listing. |
Grants the ability to view a listing. |
|
LISTING |
Role with the OWNERSHIP privilege on the listing. |
Transfer the OWNERSHIP privilege on the listing. |
|
PROVIDER PROFILE |
Role with the OWNERSHIP privilege on the profile. |
Grants the ability to modify properties for a provider profile. |
|
PROVIDER PROFILE |
Role with the OWNERSHIP privilege on the profile. |
Transfer the OWNERSHIP privilege on the profile. |
Account-level privileges¶
Snowflake provides the following privileges for working with shares, listings, and provider profiles at the account level in the Snowflake Marketplace or a Data Exchange:
Global CREATE DATA EXCHANGE LISTING privilege¶
If the global CREATE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can create a listing or provider profile. As the creator and therefore owner of the listing, the role can be used to perform all tasks on the listing, including:
Create listings.
Modify listings properties.
View listings.
View incoming listing requests.
Reject listing requests.
Submit listings for approval.
Publish a listings.
Create and view provider profiles.
If an account is a provider in more than one Data Exchange, a role with the global CREATE DATA EXCHANGE LISTING privilege can create listings in each of those Data Exchanges.
Note
A role that creates a listing becomes the owner of the listing. The OWNERSHIP privilege can be transferred using OWNERSHIP privilege on a listing to a different role by the owning role.
Only account administrators (users with the ACCOUNTADMIN role) can grant the global CREATE DATA EXCHANGE LISTING privilege to a role.
To grant the global CREATE DATA EXCHANGE LISTING privilege to a role in a Data Exchange, use the GRANT <privileges> [WITH GRANT OPTION] command.
For example, use the ACCOUNTADMIN role to grant the privilege:
USE ROLE ACCOUNTADMIN;
Then grant the privilege to a custom role, myrole:
GRANT CREATE DATA EXCHANGE LISTING ON ACCOUNT TO ROLE myrole;
Then grant the privilege to the role myrole with grant option:
GRANT CREATE DATA EXCHANGE LISTING ON ACCOUNT TO ROLE myrole WITH GRANT OPTION;
PURCHASE DATA EXCHANGE LISTING privilege¶
If the PURCHASE DATA EXCHANGE LISTING privilege is granted to a role, any user with the role can purchase a listing shared privately or on the Snowflake Marketplace.
For more information about purchasing listings, see Becoming a consumer of listings.
For more information about this privilege, see Enabling non-ACCOUNTADMIN roles to perform data sharing tasks.
Listing-level privileges¶
Snowflake provides the following privileges for listings. You can only grant these privileges using the role granted the OWNERSHIP privilege on the listing.
MODIFY privilege on a listing¶
If the MODIFY privilege on a listing is granted to a role, any user with the role can perform the following tasks for a listing:
Modify listing properties.
View a listing.
View incoming listing access requests.
Submit a listing for approval.
Publish a listing.
Reject listing requests.
Only the role with the OWNERSHIP privilege on the listing can grant this privilege. The MODIFY privilege can only be granted on a listing by using Snowsight.
To grant the MODIFY privilege on a listing shared with specific consumers or published on the Snowflake Marketplace:
Sign in to Snowsight.
Navigate to Data Products » Provider Studio.
Select Listings.
Locate the listing that you want to modify and select the row to open the listing details.
In the listing details page, select Settings.
In the Privileges section, select the pencil icon next to the Modify Listing privilege.
Select Add Role and add required roles.
Save your changes.
To grant the MODIFY privilege on a listing in a data exchange:
Sign in to Snowsight.
Navigate to Data Products » Private Sharing.
Select Shared By My Account.
Locate the listing that you want to modify and select the row to open the listing details.
In the listing details page, select Settings.
In the Privileges section, select the pencil icon next to the Modify Listing privilege.
Select Add Role and add required roles.
Save your changes.
USAGE privilege on a listing¶
If the USAGE privilege on a listing is granted to a role, any user with the role can view listings and incoming listing requests. Only the role with the OWNERSHIP privilege on the listing can grant this privilege.
To grant the USAGE privilege on a listing shared with specific consumers or published on the Snowflake Marketplace:
Sign in to Snowsight.
Navigate to Data Products » Provider Studio.
Select Listings.
Locate the listing that you want to modify and select the row to open the listing details.
In the listing details page, select Settings.
In the Privileges section, select the pencil icon next to the Modify Listing privilege.
Select Add Role and add required roles.
Save your changes.
To grant the USAGE privilege on a listing in a data exchange:
Sign in to Snowsight.
Navigate to Data Products » Private Sharing.
Select Shared By My Account.
Locate the listing that you want to modify and select the row to open the listing details.
In the listing details page, select Settings.
In the Privileges section, select the pencil icon next to the Modify Listing privilege.
Select Add Role and add required roles.
Save your changes.
OWNERSHIP privilege on a listing¶
If the OWNERSHIP privilege on a listing is granted to a role, that role becomes the new OWNER of the listing. Only the OWNER of the listing can grant this privilege. OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Overview of Access Control.
Important
When listing ownership is transferred, all existing grants get revoked. All roles that have been granted privileges immediately lose access to this listing, and their privileges are revoked. The new listing owner must re-grant these privileges.
To grant the OWNERSHIP privilege on a listing shared with specific consumers or published on the Snowflake Marketplace:
Sign in to Snowsight.
Navigate to Data Products » Provider Studio.
Select Listings.
Locate the listing that you want to modify and select the row to open the listing details.
In the listing details page, select Settings.
In the Privileges section, select the pencil icon next to the Modify Listing privilege.
Select Add Role and add required roles.
Save your changes.
To grant the OWNERSHIP privilege on a listing in a data exchange:
Sign in to Snowsight.
Navigate to Data Products » Private Sharing.
Select Shared By My Account.
Locate the listing that you want to modify and select the row to open the listing details.
In the listing details page, select Settings.
In the Privileges section, select the pencil icon next to the Modify Listing privilege.
Select Add Role and add required roles.
Save your changes.
Provider profile level privileges¶
Snowflake provides the following privileges for provider profiles. Only the role with the OWNERSHIP privilege on the provider profile can grant this privilege.
Note
To create a profile, use the Global CREATE DATA EXCHANGE LISTING privilege global privilege.
Any role in the provider account can view all profiles. This task does not require granting a privilege.
MODIFY privilege on a provider profile¶
If the MODIFY privilege is granted to a role on a provider profile, any user with the role can view and modify provider profile properties. Only the role with the OWNERSHIP privilege on the provider profile can grant this privilege.
The MODIFY privilege can be granted through the web interface or using SQL:
- Snowsight:
Select Data Products » Private Sharing » Manage Exchanges » Select an Exchange » Select a Provider Profile » Manage » Manage Profile Editors.
- SQL:
Execute the GRANT <privileges> [WITH GRANT OPTION] command.
For example, to grant the privilege to the custom role
myrole:GRANT MODIFY ON DATA EXCHANGE PROFILE "<provider_profile_name>" TO ROLE myrole;
OWNERSHIP privilege on a provider profile¶
If the OWNERSHIP privilege on a provider profile is granted to a role, that role becomes the new owner of the profile. Only the role with the OWNERSHIP privilege on the provider profile can grant this privilege.
OWNERSHIP is a special type of privilege that can only be granted from one role to another role; it cannot be revoked. For more details, see Overview of Access Control.
To grant the OWNERSHIP privilege on a provider profile to a role, use the GRANT <privileges> [WITH GRANT OPTION] command. You cannot use Snowsight to grant this privilege.
For example to grant the privilege to the custom role myrole:
GRANT OWNERSHIP ON DATA EXCHANGE PROFILE "<provider_profile_name>" TO ROLE myrole;