SnowDDL
  • 👋Introduction
  • ðŸšĐGetting started
  • 📋Main features
  • ðŸŠĪSnowDDL vs. Declarative DCM
  • In-depth guides
    • 👓Object identifiers
    • 📐Data types
    • ðŸ“ĶObject types
    • 🎭Role hierarchy
    • 🚧Permission model
    • ðŸ”ĶOther guides
      • Administration user
      • Integrations
      • Inbound shares
      • Object OWNERSHIP
      • Safe & unsafe DDL
      • Dependency management
      • Short hash explained
      • Env Prefix explained
      • Team workflow
      • Limitations & workarounds
      • Fivetran
      • Airbyte
      • Encrypt user passwords
      • Iceberg Tables
  • Basic usage (CLI + YAML)
    • ðŸ’ŧCLI interface
    • ðŸ“ĶYAML configs
      • ACCOUNT PARAMETER
      • ACCOUNT POLICY
      • AGGREGATION POLICY
      • ALERT
      • AUTHENTICATION POLICY
      • BUSINESS ROLE
      • DATABASE
      • DYNAMIC TABLE
      • EVENT TABLE
      • EXTERNAL ACCESS INTEGRATION
      • EXTERNAL FUNCTION
      • EXTERNAL TABLE
      • FILE FORMAT
      • FUNCTION
      • HYBRID TABLE
      • ICEBERG TABLE
      • MASKING POLICY
      • MATERIALIZED VIEW
      • NETWORK POLICY
      • NETWORK RULE
      • PERMISSION MODEL
      • PIPE
      • PLACEHOLDER
      • PROCEDURE
      • PROJECTION POLICY
      • RESOURCE MONITOR
      • ROW ACCESS POLICY
      • SCHEMA
      • SECRET
      • SEQUENCE
      • SHARE (outbound)
      • STAGE
      • STAGE FILE
      • STREAM
      • TABLE
      • TASK
      • TECHNICAL ROLE
      • USER
      • VIEW
      • WAREHOUSE
    • 🏷ïļYAML placeholders
    • 📎YAML tag !include
    • 🔐YAML tag !decrypt
  • Single DB
    • ðŸĶ€Overview
  • Advanced usage (Python)
    • ⚙ïļProgrammatic config
    • 🐍Architecture overview
      • ðŸ”ĩBlueprints
      • ðŸŸĢConfig
      • 🟠Parsers
      • ðŸŸĒResolvers
      • ðŸ”īEngine
    • 🏗ïļQuery builder & formatter
  • Breaking changes log
    • 0.45.0 - March 2025
    • 0.41.0 - January 2025
    • 0.37.0 - December 2024
    • 0.36.0 - November 2024
    • 0.33.0 - October 2024
    • 0.27.0 - May 2024
  • Links
    • GitHub repository
    • PyPI package
    • YouTube tutorials
    • Changelog
    • LinkedIn profile
Powered by GitBook
On this page
  1. In-depth guides
  2. Other guides

Object OWNERSHIP

PreviousInbound sharesNextSafe & unsafe DDL

Last updated 12 months ago

OWNERSHIP is a special privilege in Snowflake. You should read & fully understand the documentation first.

SnowDDL implementation of OWNERSHIP is following:

  • Account-level object types are typically owned by SnowDDL admin role

  • Schema-level objects are typically owned by SCHEMA ROLE (OWNER) or DATABASE ROLE (OWNER) which are created automatically.

For schema-level objects OWNERSHIP is assigned using There is no "race condition" between creation of object and change of OWNERSHIP, which is common for other object management tools.

SnowDDL typically creates schemas with MANAGED ACCESS. It means that users having SCHEMA ROLE (OWNER) can create / alter / drop objects in such schema, but they cannot grant access to objects in this schema to some other role (e.g. to PUBLIC).

This is very important for security.

Practical example

MY_DB                    (owned by SNOWDDL_ADMIN)
|--  MY_SCHEMA           (owned by SNOWDDL_ADMIN)
     |-- MY_TABLE        (owned by MY_DB__MY_SCHEMA__OWNER__S_ROLE)
     |-- MY_VIEW         (owned by MY_DB__MY_SCHEMA__OWNER__S_ROLE)
     |-- MY_FUNCTION     (owned by MY_DB__MY_SCHEMA__OWNER__S_ROLE)
     
MY_WAREHOUSE             (owned by SNOWDDL_ADMIN)
MY_USER                  (owned by SNOWDDL_ADMIN)
MY_RESOURCE_MONITOR      (owned by SNOWDDL_ADMIN)
ðŸ”Ķ
Access Control Snowflake
FUTURE GRANTS.