DATABASE ROLE

Config path: /<database>/database_role.yaml

Example:

test_database_role:
  grants:
    DATABASE:USAGE:
      - test_db
    SCHEMA:USAGE:
      - test_db.test_schema
    TABLE:SELECT:
      - test_db.test_schema.*
    FUNCTION:USAGE:
      - test_db.test_schema.test_secure_udf(varchar)

  comment: Test share role

Schema

  • {key} (ident) - database role name

  • {value} (dict)

    • grants (str)

      • {key} (str) - <object_type>:<privilege>

      • {value} (list)

        • {items} (ident) - full object names or name patterns on which to grant the privilege

    • comment (str)

Usage notes

  1. Data roles are processed only if at least one database role exists in config.

  2. All limitations related to the GRANT ... TO SHARE command apply to database role grants. Please read it carefully.

  3. It is possible to use Unix-style wildcard patterns for grant object names.

  4. Grants created externally and matching Unix-style wildcard patterns will not be dropped if objects are not explicitly defined in config. It is an intentional workaround for the lack of future grants on database roles used in shares.
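
Added example (not SnowDDL's own code): a small audit helper that shows which existing grants a wildcard entry would keep alive under usage note 4, so that externally created grants covered by a pattern can be reviewed before the role is used in a share. It assumes fnmatch-style matching and case-insensitive comparison; the function names and the grant list are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed config, mirroring the example role on this page.
CONFIG_GRANTS = {
    "TABLE:SELECT": ["test_db.test_schema.*"],
    "FUNCTION:USAGE": ["test_db.test_schema.test_secure_udf(varchar)"],
}

# Constructed list of grants currently held by the database role:
# (<object_type>:<privilege>, full object name).
EXISTING_GRANTS = [
    ("TABLE:SELECT", "test_db.test_schema.orders"),
    ("TABLE:SELECT", "test_db.other_schema.salaries"),
    ("FUNCTION:USAGE", "test_db.test_schema.test_secure_udf(varchar)"),
    ("TABLE:INSERT", "test_db.test_schema.orders"),
]


def is_pattern(name):
    """True if the config entry contains Unix-style wildcard characters."""
    return any(ch in name for ch in "*?[")


def classify(grant_key, object_name, config):
    """Classify one existing grant against the config entries for its key.

    explicit        - the object is named literally in config
    kept_by_pattern - only a wildcard entry covers it (usage note 4)
    unmatched       - nothing in config covers it
    """
    entries = config.get(grant_key, [])
    name = object_name.upper()  # assumption: case-insensitive identifiers
    if any(not is_pattern(e) and e.upper() == name for e in entries):
        return "explicit"
    if any(is_pattern(e) and fnmatchcase(name, e.upper()) for e in entries):
        return "kept_by_pattern"
    return "unmatched"


def audit(config, existing):
    """Group existing grants by classification for review."""
    report = {"explicit": [], "kept_by_pattern": [], "unmatched": []}
    for grant_key, object_name in existing:
        report[classify(grant_key, object_name, config)].append((grant_key, object_name))
    return report


if __name__ == "__main__":
    for status, grants in audit(CONFIG_GRANTS, EXISTING_GRANTS).items():
        print(status, grants)
```

Grants reported as kept_by_pattern are the ones worth reviewing: they are covered only by a wildcard entry, so nothing in the config names them individually.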
