TECHNICAL ROLE

Config path: /technical_role.yaml

Example:

restricted_bookings:
  grants:
    DATABASE:USAGE:
      - snowddl_db
    SCHEMA:USAGE:
      - snowddl_db.bookings
    VIEW:SELECT:
      - snowddl_db.bookings.aircrafts
      - snowddl_db.bookings.airports
    FUNCTION:USAGE:
      - snowddl_db.bookings.lang(object)

  comment: "Access to some specific views and functions in Bookings schema"

Schema

• {key} (ident) - tech role name

• {value} (dict)

  • grants (dict)

    • {key} (str) - <object_type>:<privilege>

    • {value} (list)

      • {items} (ident) - full objects names to grant privilege

  • account_grants (list)

    • {items} (str) - account-level privilege

  • comment (str)

Usage notes

1. List of possible privileges is available in Access Control documentation.

2. Long object types should be specified with underscore (e.g. EXTERNAL_TABLE).

3. Object names should be fully qualified:<database>.<schema>.<name>. Functions and procedures should also have data types in parenthesis: <database>.<schema>.<name>(<arg1_dtype>,<arg2_dtype>).

4. FUTURE GRANTS are not supported by TECHNICAL ROLES, since TECHNICAL ROLES are being created after most of other objects. FUTURE GRANTS can be customised via permission models.

5. OWNERSHIP privilege is not allowed for TECHNICAL ROLES. It is controlled by permission model instead.

Links

• CREATE ROLE

• GRANT PRIVILEGE

• Parser & JSON Schema (GitHub)