PERMISSION MODEL
Config path: /permision_model.yaml
What is permission model?
Permission model is a special concept introduced by SnowDDL to help managing permissions for databases and schemas. Permission model holds information about CREATE GRANTS and FUTURE GRANTS.
This page describes the practical configuration of permission models. You may consider to reading this guide first explaining the concept in greater detail.
Default model
DEFAULT model is always present and does not require configuration. It is automatically applied to databases and schemas without permission_model parameter being explicitly set.
DEFAULT model will most likely evolve in future versions of SnowDDL in response to Snowflake adding more object types and changing privileges.
default:
ruleset: SCHEMA_OWNER
owner_create_grants:
- FILE_FORMAT
- FUNCTION
- PROCEDURE
- TABLE
- VIEW
owner_future_grants:
ALERT: [OWNERSHIP]
DYNAMIC_TABLE: [OWNERSHIP]
EVENT_TABLE: [OWNERSHIP]
EXTERNAL_TABLE: [OWNERSHIP]
FILE_FORMAT: [OWNERSHIP]
FUNCTION: [OWNERSHIP]
MATERIALIZED_VIEW: [OWNERSHIP]
PIPE: [OWNERSHIP]
PROCEDURE: [OWNERSHIP]
SEQUENCE: [OWNERSHIP]
STAGE: [OWNERSHIP]
STREAM: [OWNERSHIP]
TABLE: [OWNERSHIP]
TASK: [OWNERSHIP]
VIEW: [OWNERSHIP]
write_future_grants:
STAGE: [READ, WRITE, USAGE]
SEQUENCE: [USAGE]
TABLE: [INSERT, UPDATE, DELETE, TRUNCATE]
read_future_grants:
DYNAMIC_TABLE: [SELECT]
EXTERNAL_TABLE: [SELECT, REFERENCES]
FILE_FORMAT: [USAGE]
FUNCTION: [USAGE]
MATERIALIZED_VIEW: [SELECT, REFERENCES]
PROCEDURE: [USAGE]
STAGE: [READ, USAGE]
STREAM: [SELECT]
TABLE: [SELECT, REFERENCES]
VIEW: [SELECT, REFERENCES]
Schema
{key} (ident) - permission model role name
{value} (dict)
inherit_from (str) - inherit all settings from
DEFAULTor from another permission model defined earlier in the same config file. This feature helps to reduce code repetition when you have a lot of similar models with minor differences.ruleset (str) - specific rules how "create grants" and "future grants" should be applied, currently supported values are:
SCHEMA_OWNER,DATABASE_OWNERowner_create_grants (list) - object types which
OWNERrole can create{items} (str) - object type
owner_future_grants (dict) - future grants for
OWNERrole{key} (str) - object type
{value} (list)
{items} (str) - privilege name
write_future_grants (dict) - future grants for
WRITErole{key} (str) - object type
{value} (list)
{items} (str) - privilege name
read_future_grants (dict) - future grants for
READrole{key} (str) - object type
{value} (list)
{items} (str) - privilege name
Usage notes
If you define permission model with name
default, it will completely override default permission model which exists in SnowDDL.OWNERSHIPprivilege can only be granted toOWNERrole. If you do not grant this privilege for specific object type, objects of this type will be owned by SnowDDL admin role or user role of user who created this object. Normally it is highly advised to defineOWNERSHIPprivilege for all object types you are planning to use.You may change
create_grantsandfuture_grantsat any time, but changingrulesetmay require some additional considerations. Documentation page about changingrulesetfor existing databases will be added shortly.
Examples
Example which creates a slightly extended version of DEFAULT model with additional grants:
my_custom_model:
inherit_from: default
owner_create_grants:
- STAGE
read_future_grants:
STAGE: [USAGE]
Example which creates a custom permission model for Fivetran with DATABASE_OWNER ruleset:
my_custom_fivetran_model
ruleset: DATABASE_OWNER
owner_create_grants:
- STAGE
- TABLE
- VIEW
owner_future_grants:
STAGE: [OWNERSHIP]
TABLE: [OWNERSHIP]
VIEW: [OWNERSHIP]
read_future_grants:
STAGE: [READ]
TABLE: [SELECT, REFERENCES]
VIEW: [SELECT, REFERENCES]Links
Last updated