SnowDDL

BUSINESS ROLE

Config path: /business_role.yaml

Example:

bookings_analyst:
  schema_read:
    - snowddl_db.bookings
  warehouse_usage:
    - bookings_analyst_wh

  comment: "Business analyst working on data in Bookings schema"


sakila_analyst:
  schema_read:
    - snowddl_db.sakila
  schema_owner:
    - snowddl_db.sakila_sandbox
  warehouse_usage:
    - sakila_analyst_wh

  comment: "Business analyst working on data in Sakila schema"

Schema

  • {key} (ident) - business role name

  • {value} (dict)

    • database_owner (list)

      • {items} (ident) - grant OWNERSHIP privileges for objects in database

    • database_write (list)

      • {items} (ident) - grant WRITE privileges for objects in database

    • database_read (list)

      • {items} (ident) - grant READ privileges for objects in database

    • schema_owner (list)

      • {items} (ident) - grant OWNERSHIP privileges for objects in schema

    • schema_write (list)

      • {items} (ident) - grant WRITE privileges for objects in schema

    • schema_read (list)

      • {items} (ident) - grant READ privileges for objects in schema

    • share_read (list)

      • {items} (ident) - grant IMPORTED PRIVILEGES or DATABASE ROLE for inbound share

    • warehouse_usage (list)

      • {items} (ident) - grant USAGE privileges for warehouses

    • warehouse_monitor (list)

      • {items} (ident) - grant MONITOR privileges for warehouses

    • technical_roles (list)

      • {items} (ident) - grant TECHNICAL ROLES

    • global_roles (list)

      • {items} (ident) - grant external roles with custom permissions created outside of SnowDDL (e.g. FIVETRAN_ROLE)

    • comment (str)

Usage notes

  1. Schema names should be fully qualified (<database>.<schema>).

  2. It is possible to specify database and schema names as wildcards (e.g. <database>.*). This is helpful for a large number of objects with similar names that share similar access patterns.

  3. Global roles are managed outside of SnowDDL and are applied without an env prefix.

  4. You may grant database roles of inbound shares using the share_read parameter. For example: SNOWFLAKE.OBJECT_VIEWER.
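
An added example, not part of SnowDDL or its documentation: a small review helper that walks an already-parsed business_role.yaml and reports entries worth a second look under the usage notes above (schema names that are not fully qualified, wildcard grants, and global roles whose privileges are defined outside SnowDDL). The function name, the finding labels and the sample config, including the platform_admin role, are assumptions made for the illustration.

```python
# Added example: least-privilege review of a parsed business_role.yaml.
# Parameter names come from the Schema section; everything else is illustrative.
SCHEMA_KEYS = {"schema_owner", "schema_write", "schema_read"}
DATABASE_KEYS = {"database_owner", "database_write", "database_read"}
OTHER_KEYS = {"share_read", "warehouse_usage", "warehouse_monitor",
              "technical_roles", "global_roles", "comment"}


def lint_business_roles(config):
    """Return (role, parameter, item, finding) tuples in config order."""
    findings = []
    for role, params in config.items():
        for key, items in params.items():
            if key not in SCHEMA_KEYS | DATABASE_KEYS | OTHER_KEYS:
                findings.append((role, key, None, "unknown parameter"))
                continue
            if key == "comment":
                continue
            for item in items:
                if key in SCHEMA_KEYS:
                    # Usage note 1: schema names are <database>.<schema>.
                    parts = item.split(".")
                    if len(parts) != 2 or not all(parts):
                        findings.append((role, key, item, "not fully qualified"))
                if key in SCHEMA_KEYS | DATABASE_KEYS and "*" in item:
                    # Usage note 2: a wildcard also covers objects created later.
                    findings.append((role, key, item, "wildcard grant"))
                if key == "global_roles":
                    # Usage note 3: privileges are not visible in this config.
                    findings.append((role, key, item, "global role"))
    return findings


# Constructed sample: the first role follows the page's example,
# the second is hypothetical and deliberately broad.
SAMPLE = {
    "bookings_analyst": {
        "schema_read": ["snowddl_db.bookings"],
        "warehouse_usage": ["bookings_analyst_wh"],
        "comment": "Business analyst working on data in Bookings schema",
    },
    "platform_admin": {
        "schema_owner": ["snowddl_db.*", "sandbox"],
        "global_roles": ["FIVETRAN_ROLE"],
    },
}

if __name__ == "__main__":
    for finding in lint_business_roles(SAMPLE):
        print(finding)
```

Each finding is a prompt for manual review, not an error: a wildcard under an owner parameter, or a global role, may be intended but widens what the business role can reach beyond what the file shows.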

Links

  • CREATE ROLE
  • GRANT PRIVILEGE
  • Parser & JSON Schema (GitHub)

Last updated 5 months ago