BUSINESS ROLE

Config path: /business_role.yaml

Example:

bookings_analyst:
  schema_read:
    - snowddl_db.bookings
  warehouse_usage:
    - bookings_analyst_wh

  comment: "Business analyst working on data in Bookings schema"


sakila_analyst:
  schema_read:
    - snowddl_db.sakila
  schema_owner:
    - snowddl_db.sakila_sandbox
  warehouse_usage:
    - sakila_analyst_wh

  comment: "Business analyst working on data in Sakila schema"

Schema

{key} (ident) - business role name
{value} (dict)
- database_owner (list)
  - {items} (ident) - grant OWNERSHIP privileges for objects in database
- database_write (list)
  - {items} (ident) - grant WRITE privileges for objects in database
- database_read (list)
  - {items} (ident) - grant READ privileges for objects in database
- schema_owner (list)
  - {items} (ident) - grant OWNERSHIP privileges for objects in schema
- schema_write (list)
  - {items} (ident) - grant WRITE privileges for objects in schema
- schema_read (list)
  - {items} (ident) - grant READ privileges for objects in schema
- share_read (list)
  - {items} (ident) - grant IMPORTED PRIVILEGES or DATABASE ROLE for inbound share
- warehouse_usage (list)
  - {items} (ident) - grant USAGE privileges for warehouses
- warehouse_monitor (list)
  - {items} (ident) - grant MONITOR privileges for warehouses
- technical_roles (list)
  - {items} (ident) - grant TECHNICAL ROLES
- global_roles (list)
  - {items} (ident) - grant external roles with custom permissions created outside of SnowDDL (e.g. FIVETRAN_ROLE)
- comment (str)

Usage notes

Schema names should be fully qualified (<database>.<schema>).
It is possible to specify database and schema names as wildcards (e.g. <database>.*). It is helpful for large number of objects with similar names sharing similar access patterns.
Global roles are managed outside of SnowDDL and are applied without env prefix.
You may grant database roles of inbound shares using share_read parameter. For example: SNOWFLAKE.OBJECT_VIEWER.

Links

PreviousAUTHENTICATION POLICY NextDATABASE

Last updated 5 months ago

bookings_analyst: schema_read: - snowddl_db.bookings warehouse_usage: - bookings_analyst_wh comment: "Business analyst working on data in Bookings schema" sakila_analyst: schema_read: - snowddl_db.sakila schema_owner: - snowddl_db.sakila_sandbox warehouse_usage: - sakila_analyst_wh comment: "Business analyst working on data in Sakila schema"

Schema

{key} (ident) - business role name

{value} (dict)

database_owner (list)
- {items} (ident) - grant OWNERSHIP privileges for objects in database
database_write (list)
- {items} (ident) - grant WRITE privileges for objects in database
database_read (list)
- {items} (ident) - grant READ privileges for objects in database
schema_owner (list)
- {items} (ident) - grant OWNERSHIP privileges for objects in schema
schema_write (list)
- {items} (ident) - grant WRITE privileges for objects in schema
schema_read (list)
- {items} (ident) - grant READ privileges for objects in schema
share_read (list)
- {items} (ident) - grant IMPORTED PRIVILEGES or DATABASE ROLE for inbound share
warehouse_usage (list)
- {items} (ident) - grant USAGE privileges for warehouses
warehouse_monitor (list)
- {items} (ident) - grant MONITOR privileges for warehouses
technical_roles (list)
- {items} (ident) - grant TECHNICAL ROLES
global_roles (list)
- {items} (ident) - grant external roles with custom permissions created outside of SnowDDL (e.g. FIVETRAN_ROLE)
comment (str)

Usage notes

Schema names should be fully qualified (<database>.<schema>).

It is possible to specify database and schema names as wildcards (e.g. <database>.*). It is helpful for large number of objects with similar names sharing similar access patterns.

Global roles are managed outside of SnowDDL and are applied without env prefix.

You may grant database roles of inbound shares using share_read parameter. For example: SNOWFLAKE.OBJECT_VIEWER.