# Object OWNERSHIP

OWNERSHIP is a special privilege in Snowflake. You should read and fully understand the Snowflake [Access Control](https://docs.snowflake.com/en/user-guide/security-access-control-configure.html) documentation first.

SnowDDL implements OWNERSHIP as follows:

* Account-level objects are typically owned by the SnowDDL admin role.
* Schema-level objects are typically owned by `SCHEMA ROLE (OWNER)` or `DATABASE ROLE (OWNER)`, which are created automatically.

For schema-level objects, OWNERSHIP is assigned using [FUTURE GRANTS](https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#future-grants-on-database-or-schema-objects). There is no "race condition" between the creation of an object and the change of its OWNERSHIP, a problem that is common in other object management tools.

SnowDDL typically creates schemas with `MANAGED ACCESS`. This means that users holding `SCHEMA ROLE (OWNER)` can create / alter / drop objects in such a schema, but they cannot grant access to objects in this schema to any other role (e.g. to `PUBLIC`).

This is very important for security: the roles that create and own objects cannot hand out access to them.

## Practical example

```
MY_DB                    (owned by SNOWDDL_ADMIN)
|--  MY_SCHEMA           (owned by SNOWDDL_ADMIN)
     |-- MY_TABLE        (owned by MY_DB__MY_SCHEMA__OWNER__S_ROLE)
     |-- MY_VIEW         (owned by MY_DB__MY_SCHEMA__OWNER__S_ROLE)
     |-- MY_FUNCTION     (owned by MY_DB__MY_SCHEMA__OWNER__S_ROLE)
     
MY_WAREHOUSE             (owned by SNOWDDL_ADMIN)
MY_USER                  (owned by SNOWDDL_ADMIN)
MY_RESOURCE_MONITOR      (owned by SNOWDDL_ADMIN)
```
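
The statements below are an added example, not SQL generated by SnowDDL: they reproduce the `MY_SCHEMA` part of the layout above by hand and then check it. Object and role names come from the tree; the assumptions are that `SNOWDDL_ADMIN` already exists with rights to create databases and roles, and that the owner role is granted back to `SNOWDDL_ADMIN` so the checks can see the table.

```sql
-- Added example; names are taken from the tree above.
-- Assumption: SNOWDDL_ADMIN exists and may create databases and roles.
USE ROLE SNOWDDL_ADMIN;

CREATE DATABASE IF NOT EXISTS MY_DB;
CREATE SCHEMA IF NOT EXISTS MY_DB.MY_SCHEMA WITH MANAGED ACCESS;

CREATE ROLE IF NOT EXISTS MY_DB__MY_SCHEMA__OWNER__S_ROLE;
GRANT ROLE MY_DB__MY_SCHEMA__OWNER__S_ROLE TO ROLE SNOWDDL_ADMIN;
GRANT USAGE ON DATABASE MY_DB TO ROLE MY_DB__MY_SCHEMA__OWNER__S_ROLE;
GRANT USAGE ON SCHEMA MY_DB.MY_SCHEMA TO ROLE MY_DB__MY_SCHEMA__OWNER__S_ROLE;

-- Future grants: OWNERSHIP is assigned as part of object creation,
-- so no separate "create, then transfer ownership" step is needed.
GRANT OWNERSHIP ON FUTURE TABLES    IN SCHEMA MY_DB.MY_SCHEMA
    TO ROLE MY_DB__MY_SCHEMA__OWNER__S_ROLE;
GRANT OWNERSHIP ON FUTURE VIEWS     IN SCHEMA MY_DB.MY_SCHEMA
    TO ROLE MY_DB__MY_SCHEMA__OWNER__S_ROLE;
GRANT OWNERSHIP ON FUTURE FUNCTIONS IN SCHEMA MY_DB.MY_SCHEMA
    TO ROLE MY_DB__MY_SCHEMA__OWNER__S_ROLE;

-- Created by SNOWDDL_ADMIN, owned by the schema owner role from the start.
CREATE TABLE IF NOT EXISTS MY_DB.MY_SCHEMA.MY_TABLE (id NUMBER);

-- Check 1: the future grants are in place.
SHOW FUTURE GRANTS IN SCHEMA MY_DB.MY_SCHEMA;

-- Check 2: the "options" column should contain MANAGED ACCESS.
SHOW SCHEMAS LIKE 'MY_SCHEMA' IN DATABASE MY_DB;

-- Check 3: tables NOT owned by the expected role. Expect zero rows;
-- any row is an object created outside the future-grant path.
SELECT table_name, table_owner
FROM MY_DB.INFORMATION_SCHEMA.TABLES
WHERE table_schema = 'MY_SCHEMA'
  AND table_owner IS DISTINCT FROM 'MY_DB__MY_SCHEMA__OWNER__S_ROLE';

-- Check 4: the owner role owns MY_TABLE, but because the schema is
-- MANAGED ACCESS and is owned by SNOWDDL_ADMIN, this grant is expected
-- to be rejected.
USE ROLE MY_DB__MY_SCHEMA__OWNER__S_ROLE;
GRANT SELECT ON TABLE MY_DB.MY_SCHEMA.MY_TABLE TO ROLE PUBLIC;
```

If the final `GRANT` succeeds, the schema is not a managed access schema, or the role running it owns the schema or holds `MANAGE GRANTS`.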
