Access Control Privileges¶

This topic describes the privileges that are available in the Snowflake access control model. Privileges are granted to roles, and roles are granted to users, to specify the operations that the users can perform on objects in the system.

All Privileges (Alphabetical)¶

The following privileges are available in the Snowflake access control model. The meaning of each privilege varies depending on the object type to which it is applied, and not all objects support all privileges:

Privilege	Object Type	Description
ALL [ PRIVILEGES ]	All	Grants all the privileges for the specified object type.
APPLY MASKING POLICY	Global	Grants the ability to set a Column-level Security masking policy on a table or view column and to set a masking policy on a tag. This global privilege also allows executing the DESCRIBE operation on tables and views.
APPLY PASSWORD POLICY	Global	Grants the ability to add or drop a password policy on the Snowflake account or a user in the Snowflake account.
APPLY ROW ACCESS POLICY	Global	Grants the ability to add and drop a row access policy on a table or view. This global privilege also allows executing the DESCRIBE operation on tables and views.
APPLY SESSION POLICY	Global	Grants the ability to set or unset a session policy on an account or user.
APPLY TAG	Global	Grants the ability to add or drop a tag on a Snowflake object.
ATTACH POLICY	Global	Grants the ability to activate a network policy by associating it with your account.
CREATE <object_type>	Global, Database, Schema	Grants the ability to create an object of <object_type> (e.g. CREATE TABLE grants the ability to create a table within a schema).
DELETE	Table	Grants the ability to execute a DELETE command on the table.
EXECUTE ALERT	Global	Grants the ability to execute alerts owned by the role.
EXECUTE MANAGED TASK	Global	Grants the ability to create tasks that rely on Snowflake-managed compute resources (serverless compute model). Only required to create serverless tasks. The role that has the OWNERSHIP privilege on a task must have both the EXECUTE MANAGED TASK and the EXECUTE TASK privilege for the task to run.
EXECUTE TASK	Global	Grants the ability to run tasks owned by the role. For serverless tasks to run, the role that has the OWNERSHIP privilege on the task must also have the global EXECUTE MANAGED TASK privilege.
FAILOVER	Failover Group	Grants the ability to promote a secondary failover group to serve as primary failover group.
IMPORT SHARE	Global	Applies to data consumers. Grants the ability to view shares shared with your account. Also grants the ability to create databases from the shares; requires the global CREATE DATABASE privilege.
OVERRIDE SHARE RESTRICTIONS	Global	Grants the ability to set value for the SHARE_RESTRICTIONS parameter which enables a Business Critical provider account to add a consumer account (with Non-Business Critical edition) to a share. For more details, see Enabling Sharing from a Business Critical Account to a non-Business Critical Account.
IMPORTED PRIVILEGES	Database, Data Exchange	Grants the ability to enable roles other than the owning role to access a shared database or manage a Snowflake Marketplace / Data Exchange.
INSERT	Table	Grants the ability to execute an INSERT command on the table.
MANAGE GRANTS	Global	Grants the ability to grant or revoke privileges on any object as if the invoking role were the owner of the object.
MODIFY	Resource Monitor, Warehouse, Data Exchange Listing, Database, Schema	Grants the ability to change the settings or properties of an object (e.g. on a virtual warehouse, provides the ability to change the size of a virtual warehouse).
MONITOR	User, Resource Monitor, Warehouse, Database, Schema, Task, Failover Group, Replication Group	Grants the ability to see details within an object (e.g. queries and usage within a warehouse).
MONITOR EXECUTION	Global	Grants the ability to monitor pipes (Snowpipe) or tasks in the account.
MONITOR USAGE	Global	Grants the ability to monitor account-level usage and historical information for databases and warehouses; for more details, see Enabling Non-Account Administrators to Monitor Usage and Billing History in the Classic Console. Additionally grants the ability to view managed accounts using SHOW MANAGED ACCOUNTS.
OPERATE	Warehouse, Task	Grants the ability to start, stop, suspend, or resume a virtual warehouse. Grants the ability to suspend or resume a task.
OWNERSHIP	All	Grants the ability to drop, alter, and grant or revoke access to an object. Required to rename an object. OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role (or any role with the MANAGE GRANTS privilege).
READ	Stage (internal only)	Grants the ability to perform any operations that require reading from an internal stage (GET, LIST, COPY INTO <table>, etc.).
REFERENCES	Table, External table, View	Grants the ability to view the structure of an object (but not the data). . . For tables, the privilege also grants the ability to reference the object as the unique/primary key table for a foreign key constraint.
REPLICATE	Replication Group, Failover Group	Grants the ability to refresh a secondary replication or failover group.
SELECT	Table, External table, View, Stream	Grants the ability to execute a SELECT statement on the table/view.
TRUNCATE	Table	Grants the ability to execute a TRUNCATE TABLE command on the table.
UPDATE	Table	Grants the ability to execute an UPDATE command on the table.
USAGE	Warehouse, Data Exchange Listing, Integration, Database, Schema, Stage (external only), File Format, Sequence, Stored Procedure, User-Defined Function, External Function	Grants the ability to execute a USE <object> command on the object. Also grants the ability to execute a SHOW <objects> command on the object.
WRITE	Stage (internal only)	Grants the ability to perform any operations that require writing to an internal stage (PUT, REMOVE, COPY INTO <location>, etc.).

The remaining sections in this topic describe the specific privileges available for each type of object and their usage.

Global Privileges¶

Privilege	Usage	Notes
APPLY MASKING POLICY	Grants the ability to set a Column-level Security masking policy on a table or view column and to set a masking policy on a tag.	This global privilege also allows executing the DESCRIBE operation on tables and views.
APPLY ROW ACCESS POLICY	Grants the ability to add and drop a row access policy on a table or view.	This global privilege also allows executing the DESCRIBE operation on tables and views.
APPLY PASSWORD POLICY	Grants the ability to add or drop a password policy on the Snowflake account or a user in the Snowflake account.
APPLY SESSION POLICY	Grants the ability to set or unset a session policy on an account or user.
ATTACH POLICY	Grants the ability to activate a network policy by associating it with your account.
CREATE ACCOUNT	Enables a data provider to create a new managed account (i.e. reader account). For more details, see Managing Reader Accounts.	Must be granted by the ACCOUNTADMIN role.
CREATE FAILOVER GROUP	Enables creating a new failover group.	Must be granted by the ACCOUNTADMIN role.
CREATE REPLICATION GROUP	Enables creating a new replication group.	Must be granted by the ACCOUNTADMIN role.
CREATE ROLE	Enables creating a new role.
CREATE USER	Enables creating a new user.
MANAGE GRANTS	Enables granting or revoking privileges on objects for which the role is not the owner.	Must be granted by the SECURITYADMIN role (or higher).
CREATE DATA EXCHANGE LISTING	Enables creating a new Data Exchange listing.	Must be granted by the ACCOUNTADMIN role.
CREATE INTEGRATION	Enables creating a new notification, security, or storage integration.	Must be granted by the ACCOUNTADMIN role.
CREATE NETWORK POLICY	Enables creating a new network policy.
CREATE SHARE	Enables a data provider to create a new share. For more details, see Enabling non-ACCOUNTADMIN Roles to Perform Data Sharing Tasks.	Must be granted by the ACCOUNTADMIN role.
CREATE WAREHOUSE	Enables creating a new virtual warehouse.
EXECUTE ALERT	Grants the ability to execute alerts owned by the role.	Must be granted by the ACCOUNTADMIN role.
EXECUTE MANAGED TASK	Grants the ability to create tasks that rely on Snowflake-managed compute resources (serverless compute model). Only required for serverless tasks. The role that has the OWNERSHIP privilege on a task must have both the EXECUTE MANAGED TASK and the EXECUTE TASK privilege for the task to run.	Must be granted by the ACCOUNTADMIN role.
EXECUTE TASK	Grants the ability to run tasks owned by the role. For serverless tasks to run, the role that has the OWNERSHIP privilege on the task must also have the global EXECUTE MANAGED TASK privilege.	Must be granted by the ACCOUNTADMIN role.
IMPORT SHARE	Enables a data consumer to view shares shared with their account. Also grants the ability to create databases from shares; requires the global CREATE DATABASE privilege. For more details, see Enabling non-ACCOUNTADMIN Roles to Perform Data Sharing Tasks.	Must be granted by the ACCOUNTADMIN role.
MONITOR EXECUTION	Grants the ability to monitor any pipes or tasks in the account.	Must be granted by the ACCOUNTADMIN role. The USAGE privilege is also required on each database and schema that stores these objects.
MONITOR USAGE	Grants the ability to monitor account-level usage and historical information for databases and warehouses; for more details, see Enabling Non-Account Administrators to Monitor Usage and Billing History in the Classic Console. Additionally grants the ability to view managed accounts using SHOW MANAGED ACCOUNTS.	Must be granted by the ACCOUNTADMIN role.
OVERRIDE SHARE RESTRICTIONS	Grants the ability to set value for the SHARE_RESTRICTIONS parameter which enables a Business Critical provider account to add a consumer account (with Non-Business Critical edition) to a share.	For more details, see Enabling Sharing from a Business Critical Account to a non-Business Critical Account.
ALL [ PRIVILEGES ]	Grants all global privileges.

User Privileges¶

Privilege	Usage
MONITOR	Grants the ability to view the login history for the user.
OWNERSHIP	Grants full control over a user/role. Only a single role can hold this privilege on a specific object at a time.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the user.

Role Privileges¶

Privilege	Usage
OWNERSHIP	Grants full control over a role. Only a single role can hold this privilege on a specific object at a time. Note that the owner role does not inherit any permissions granted to the owned role. To inherit permissions from a role, that role must be granted to another role, creating a parent-child relationship in a role hierarchy.

Resource Monitor Privileges¶

Privilege	Usage
MODIFY	Enables altering any properties of a resource monitor, such as changing the monthly credit quota.
MONITOR	Enables viewing a resource monitor.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the resource monitor.

Virtual Warehouse Privileges¶

Privilege	Usage
MODIFY	Enables altering any properties of a warehouse, including changing its size. . . Required to assign a warehouse to a resource monitor. Note that only the ACCOUNTADMIN role can assign warehouses to resource monitors.
MONITOR	Enables viewing current and past queries executed on a warehouse as well as usage statistics on that warehouse.
OPERATE	Enables changing the state of a warehouse (stop, start, suspend, resume). In addition, enables viewing current and past queries executed on a warehouse and aborting any executing queries.
USAGE	Enables using a virtual warehouse and, as a result, executing queries on the warehouse. If the warehouse is configured to auto-resume when a SQL statement (e.g. query) is submitted to it, the warehouse resumes automatically and executes the statement.
OWNERSHIP	Grants full control over a warehouse. Only a single role can hold this privilege on a specific object at a time.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the warehouse.

Connection Privileges¶

Only the ACCOUNTADMIN role owns connections. The OWNERSHIP privilege cannot be granted to another role.

Failover Group Privileges¶

Privilege	Usage
MONITOR	Enables viewing details of a failover group.
OWNERSHIP	Grants full control over a failover group. Only a single role can hold this privilege on a specific object at a time.
FAILOVER	Enables promoting a secondary failover group to serve as primary failover group.
REPLICATE	Enables refreshing refreshing a secondary failover group.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the failover group.

Replication Group Privileges¶

Privilege	Usage
MONITOR	Enables viewing details of a replication group.
OWNERSHIP	Grants full control over a replication group. Only a single role can hold this privilege on a specific object at a time.
REPLICATE	Enables refreshing refreshing a secondary replication group.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the replication group.

Integration Privileges¶

Privilege	Usage
USAGE	Enables referencing the storage integration when creating a stage (using CREATE STAGE) or modifying a stage (using ALTER STAGE).
USE_ANY_ROLE	Allows the External OAuth client or user to switch roles only if this privilege is granted to the client or user. Configure the External OAuth security integration to use the `EXTERNAL_OAUTH_ANY_ROLE_MODE` parameter using CREATE SECURITY INTEGRATION or ALTER SECURITY INTEGRATION.
OWNERSHIP	Grants full control over an integration. Only a single role can hold this privilege on a specific object at a time.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the integration.

Network Policy Privileges¶

Privilege	Usage
OWNERSHIP	Grants full control over the network policy. Only a single role can hold this privilege on a specific object at a time.

Password Policy Privileges¶

Privilege	Usage
OWNERSHIP	Transfers ownership of a password policy, which grants full control over the password policy. Required to alter most properties of a password policy.

Session Policy Privileges¶

Privilege	Usage
OWNERSHIP	Transfers ownership of a session policy, which grants full control over the session policy. Required to alter most properties of a session policy.

Data Exchange Privileges¶

Privilege	Usage
IMPORTED PRIVILEGES	Enables roles other than the owning role to manage a Snowflake Marketplace or Data Exchange.

Data Exchange Listing Privileges¶

Note

Currently, privileges on Data Exchange listings can only be granted in the Snowflake web interface. For instructions, see Granting Privileges to Other Roles.

Privilege	Usage
MODIFY	Enables roles other than the owning role to modify a Snowflake Marketplace or Data Exchange listing.
USAGE	Enables viewing a Snowflake Marketplace or Data Exchange listing.
OWNERSHIP	Grants full control over a Snowflake Marketplace or Data Exchange listing. Only a single role can hold this privilege on a specific object at a time.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on a Snowflake Marketplace or Data Exchange listing.

Database Privileges¶

Privilege	Usage
MODIFY	Enables altering any settings of a database.
MONITOR	Enables performing the DESCRIBE command on the database.
USAGE	Enables using a database, including returning the database details in the SHOW DATABASES command output. Additional privileges are required to view or take actions on objects in a database.
REFERENCE_USAGE	Enables using an object (e.g. secure view in a share) when the object references another object in a different database. Grant the privilege on the other database to the share. For details, refer to GRANT <privilege> … TO SHARE and Sharing Data from Multiple Databases.
CREATE DATABASE ROLE	Enables creating a new database role in a database.
CREATE SCHEMA	Enables creating a new schema in a database, including cloning a schema.
IMPORTED PRIVILEGES	Enables roles other than the owning role to access a shared database; applies only to shared databases.
OWNERSHIP	Grants full control over the database. Only a single role can hold this privilege on a specific object at a time.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on a database.

Note

Changing the properties of a database, including comments, requires the OWNERSHIP privilege for the database.
If any database privilege is granted to a role, that role can take SQL actions on objects in a schema using fully-qualified names. The role must have the USAGE privilege on the schema as well as the required privilege or privileges on the object. To make a database the active database in a user session, the USAGE privilege on the database is required.
An account-level role (i.e. r1) with the OWNERSHIP privilege on the database can grant the CREATE DATABASE ROLE privilege to a different account-level role (i.e. r2). Similarly, r1 can also revoke the CREATE DATABASE ROLE privilege from another account-level role..

In this scenario, r2 must have the USAGE privilege on the database to create a new database role in that database.

Schema Privileges¶

Privilege	Usage
MODIFY	Enables altering any settings of a schema.
MONITOR	Enables performing the DESCRIBE command on the schema.
USAGE	Enables using a schema, including returning the schema details in the SHOW SCHEMAS command output. . . To execute SHOW <objects> commands for objects (tables, views, stages, file formats, sequences, pipes, or functions) in the schema, a role must have at least one privilege granted on the object.
CREATE TABLE	Enables creating a new table in a schema, including cloning a table. Note that this privilege is not required to create temporary tables, which are scoped to the current user session and are automatically dropped when the session ends.
CREATE EXTERNAL TABLE	Enables creating a new external table in a schema.
CREATE VIEW	Enables creating a new view in a schema.
CREATE MASKING POLICY	Enables creating a new masking policy in a schema.
CREATE MATERIALIZED VIEW	Enables creating a new materialized view in a schema.
CREATE ROW ACCESS POLICY	Enables creating a new row access policy in a schema.
CREATE SECRET	Enables creating a new secret in the current/specified schema or replaces an existing secret.
CREATE SESSION POLICY	Enables creating a new session policy in a schema.
CREATE STAGE	Enables creating a new stage in a schema, including cloning a stage.
CREATE FILE FORMAT	Enables creating a new file format in a schema, including cloning a file format.
CREATE SEQUENCE	Enables creating a new sequence in a schema, including cloning a sequence.
CREATE FUNCTION	Enables creating a new UDF or external function in a schema.
CREATE PASSWORD POLICY	Enables creating a new password policy in a schema.
CREATE PIPE	Enables creating a new pipe in a schema.
CREATE STREAM	Enables creating a new stream in a schema, including cloning a stream.
CREATE TAG	Enables creating a new tag key in a schema.
CREATE TASK	Enables creating a new task in a schema, including cloning a task.
CREATE PROCEDURE	Enables creating a new stored procedure in a schema.
CREATE ALERT	Enables creating a new alert in a schema.
ADD SEARCH OPTIMIZATION	Enables adding search optimization to a table in a schema.
OWNERSHIP	Grants full control over the schema. Only a single role can hold this privilege on a specific object at a time.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on a schema.

Note

Changing the properties of a schema, including comments, requires the OWNERSHIP privilege for the database.
Operating on a schema also requires the USAGE privilege on the parent database.

Table Privileges¶

Privilege	Usage
SELECT	Enables executing a SELECT statement on a table.
INSERT	Enables executing an INSERT command on a table. Also enables using the ALTER TABLE command with a `RECLUSTER` clause to manually recluster a table with a clustering key.
UPDATE	Enables executing an UPDATE command on a table.
TRUNCATE	Enables executing a TRUNCATE TABLE command on a table.
DELETE	Enables executing a DELETE command on a table.
REFERENCES	Enables referencing a table as the unique/primary key table for a foreign key constraint. Also enables viewing the structure of a table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.
OWNERSHIP	Grants full control over the table. Required to alter most properties of a table, with the exception of reclustering. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on a table.

Note

Operating on a table also requires the USAGE privilege on the parent database and schema.

External Table Privileges¶

Privilege	Usage
SELECT	Enables executing a SELECT statement on an external table.
REFERENCES	Enables viewing the structure of an external table (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.
OWNERSHIP	Grants full control over the external table; required to refresh an external table. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on an external table.

Note

Operating on an external table also requires the USAGE privilege on the parent database and schema.

View Privileges¶

The following privileges apply to both standard and materialized views.

Privilege	Usage
SELECT	Enables executing a SELECT statement on a view. . . Note that this privilege is sufficient to query a view. The SELECT privilege on the underlying objects for a view is not required.
REFERENCES	Enables viewing the structure of a view (but not the data) via the DESCRIBE or SHOW command or by querying the Information Schema.
OWNERSHIP	Grants full control over the view. Required to alter a view. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on a view.

Note

Table DML privileges such as INSERT, UPDATE, and DELETE can be granted on views; however, because views are read-only, these privileges have no effect.
Operating on a view also requires the USAGE privilege on the parent database and schema.

Stage Privileges¶

Privilege	Usage
USAGE	Enables using an external stage object in a SQL statement; not applicable to internal stages.
READ	Enables performing any operations that require reading from an internal stage (GET, LIST, COPY INTO <table>, etc.); not applicable to external stages.
WRITE	Enables performing any operations that require writing to an internal stage (PUT, REMOVE, COPY INTO <location>, etc.); not applicable for external stages.
OWNERSHIP	Grants full control over the stage. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all applicable privileges, except OWNERSHIP, on the stage (internal or external).

Note

When granting both the READ and WRITE privileges for an internal stage, the READ privilege must be granted before or at the same time as the WRITE privilege.
When revoking both the READ and WRITE privileges for an internal stage, the WRITE privilege must be revoked before or at the same time as the READ privilege.
Operating on a stage also requires the USAGE privilege on the parent database and schema.

File Format Privileges¶

Privilege	Usage
USAGE	Enables using a file format in a SQL statement.
OWNERSHIP	Grants full control over the file format. Required to alter a file format. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the file format.

Note

Operating on file formats also requires the USAGE privilege on the parent database and schema.

Pipe Privileges¶

Pipe objects are created and managed to load data using Snowpipe.

Privilege	Usage
MONITOR	Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES).
OPERATE	Enables viewing details for the pipe (using DESCRIBE PIPE or SHOW PIPES), pausing or resuming the pipe, and refreshing the pipe.
OWNERSHIP	Grants full control over the pipe. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the pipe.

Note

Operating on pipes also requires the USAGE privilege on the parent database and schema.

Database Role Privileges¶

Privilege	Usage
OWNERSHIP	Grants full control over a database role. Only a single role can hold this privilege on a specific object at a time. Note that the owner role does not inherit any permissions granted to the owned database role. To inherit permissions from a database role, that database role must be granted to another role, creating a parent-child relationship in a role hierarchy.

Stream Privileges¶

Privilege	Usage
SELECT	Enables executing a SELECT statement on a stream.
OWNERSHIP	Grants full control over the stream. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the stream.

Task Privileges¶

Privilege	Usage
MONITOR	Enables viewing details for the task (using DESCRIBE TASK or SHOW TASKS).
OPERATE	Enables viewing details for the task (using DESCRIBE TASK or SHOW TASKS) and resuming or suspending the task.
OWNERSHIP	Grants full control over the task. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the task.

Secret Privileges¶

Privilege	Usage
OWNERSHIP	Transfers ownership of a secret, which grants full control over the secret. Required to alter most properties of a secret or drop a secret from the system.
USAGE	Enables using a secret.

Masking Policy Privileges¶

Privilege	Usage
APPLY	Enables executing the unset and set operations for a masking policy on a column. Note that granting the global APPLY MASKING POLICY privilege (i.e. APPLY MASKING POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views. For syntax examples, see Masking Policy Privileges.
OWNERSHIP	Grants full control over the masking policy. Required to alter most properties of a masking policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Privilege

Usage

APPLY

Enables executing the unset and set operations for a masking policy on a column.

Note that granting the global APPLY MASKING POLICY privilege (i.e. APPLY MASKING POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views.

For syntax examples, see Masking Policy Privileges.

OWNERSHIP

Grants full control over the masking policy. Required to alter most properties of a masking policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a masking policy also requires the USAGE privilege on the parent database and schema.

Row Access Policy Privileges¶

Privilege	Usage
APPLY	Enables executing the add and drop operations for the row access policy on a table or view. Note that granting the global APPLY ROW ACCESS POLICY privilege (i.e. APPLY ROW ACCESS POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views. For syntax examples, see Summary of DDL Commands, Operations, and Privileges.
OWNERSHIP	Grants full control over the row access policy. Required to alter most properties of a row access policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Privilege

Usage

APPLY

Enables executing the add and drop operations for the row access policy on a table or view.

Note that granting the global APPLY ROW ACCESS POLICY privilege (i.e. APPLY ROW ACCESS POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views.

For syntax examples, see Summary of DDL Commands, Operations, and Privileges.

OWNERSHIP

Grants full control over the row access policy. Required to alter most properties of a row access policy. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a row access policy also requires the USAGE privilege on the parent database and schema.

Tag Privileges¶

Privilege	Usage
APPLY	Enables executing the add and drop operations for the tag on a Snowflake object.
OWNERSHIP	Grants full control over the tag. Required to alter most properties of a tag. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Tags are stored at the schema level.

Operating on a tag requires the USAGE privilege on the parent database and schema.

Sequence Privileges¶

Privilege	Usage
USAGE	Enables using a sequence in a SQL statement.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the sequence.
OWNERSHIP	Grants full control over the sequence; required to alter the sequence. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a sequence also requires the USAGE privilege on the parent database and schema.

Stored Procedure Privileges¶

Privilege	Usage
USAGE	Enables calling a stored procedure.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the stored procedure.
OWNERSHIP	Grants full control over the stored procedure; required to alter the stored procedure. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a stored procedure also requires the USAGE privilege on the parent database and schema.
If a stored procedure runs with caller’s rights, the user who calls the stored procedure must have privileges on the database objects (e.g. tables) accessed by the stored procedure. For details, see Understanding Caller’s Rights and Owner’s Rights Stored Procedures.

User-Defined Function (UDF) and External Function Privileges¶

Privilege	Usage
USAGE	Enables calling a UDF or external function.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the UDF or external function.
OWNERSHIP	Grants full control over the UDF or external function; required to alter the UDF or external function. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.

Note

Operating on a UDF or external function also requires the USAGE privilege on the parent database and schema.
The owner of a UDF must have privileges on the objects accessed by the function; the user who calls a UDF does not need those privileges. For details, see Security/Privilege Requirements for SQL UDFs.
The owner of an external function must have the USAGE privilege on the API integration object associated with the external function. For details, see Access Control in the documentation on external functions.

Alert Privileges¶

Privilege	Usage
OPERATE	Enables viewing details for the alert (using DESCRIBE ALERT or SHOW ALERTS) and resuming or suspending the alert (using ALTER ALERT).
OWNERSHIP	Grants full control over the task. Only a single role can hold this privilege on a specific object at a time. Note that in a managed access schema, only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant or revoke privileges on objects in the schema, including future grants.
ALL [ PRIVILEGES ]	Grants all privileges, except OWNERSHIP, on the alert.