search

DATABASE ROLE

circle-exclamation

DATABASE_ROLE is intended to be used for outbound SHAREs only.

It is not a part of SnowDDL role hierarchy and should not be used to grant access outside of shares.

Config path: /<database>/database_role.yaml

Example:

test_database_role:
  grants:
    DATABASE:USAGE:
      - test_db
    SCHEMA:USAGE:
      - test_db.test_schema
    TABLE:SELECT:
      - test_db.test_schema.*
    FUNCTION:USAGE:
      - test_db.test_schema.test_secure_udf(varchar)

  comment: Test share role

hashtag
Schema

  • {key} (ident) - database role name

  • {value} (dict)

    • grants (str)

      • {key} (str) - <object_type>:<privilege>

      • {value} (list)

        • {items} (ident) - full objects names or name patterns to grant privilege;

    • comment (str)

hashtag
Usage notes

  1. Data roles are processed only if at least one database role exists in config.

  2. All limitations related to GRANT ... TO SHAREarrow-up-right command applies to database role grants. Please read it carefully.

  3. It is possible to use Unix-style wildcard patternsarrow-up-right for grant object names.

  4. Grants created externally and matching Unix-style wildcard patterns will not be dropped if objects are not explicitly defined in config. It is an intentional workaround for lack of future grants on database roles used in shares.

hashtag
Links

PreviousDATABASENextDYNAMIC TABLE

Last updated