# Safe & unsafe DDL DDL queries are classified into "safe" and "unsafe" categories. * "Safe" queries can be applied and reverted with little to no risk (e.g. `CREATE`). "Safe" queries usually do not require code review. * "Unsafe" queries may potentially cause loss of data or security issues (e.g. `ALTER`, `DROP`). "Unsafe queries" usually do require more attention from reviewers. By default only "safe" queries are applied by SnowDDL. Add argument `--apply-unsafe` when calling SnowDDL [CLI interface](/basic/cli.md) to apply unsafe queries as well. ## Special cases On top of that, some "unsafe" queries require an additional argument to be applied. * `--apply-replace-table` is a safety check to prevent overspending of credits. Unlike `ALTER TABLE`, `CREATE OR REPLACE TABLE ... AS SELECT` requires an active warehouse and full rewrite of original table, which may cost a lot if table is big. * `--apply-account-params` is a safety check to prevent accidental changes in ACCOUNT PARAMETERS. It may cause security issues if applied to account-level NETWORK POLICY without review. It may cause timeouts during query execution, it may break timestamp-related settings, etc. etc. * `--apply-network-policy` is a safety check to prevent changes in NETWORK POLICIES. Unlike "on premise" DWH systems, Snowflake is exposed to anyone on the Internet, and the only thing preventing a free access is NETWORK POLICY. Updates to NETWORK POLICY should not be applied without review. * `--apply-resource-monitor` is a safety check to prevent changes in RESOURCE MONITORS. It may cause all sorts of issues from overspending to inability of business users to run even a single query due to resource monitors running out of credits quota. * `--apply-masking-policy` and `--apply-row-access-policy` is a safety check for data security "policies". The main issue with policies is related to lack of transactional DDL in Snowflake. Currently it is not possible to re-create the whole policy "atomically". First all references must be dropped, after that policy can be re-created, and all refs should be re-applied once again. But during all these operations your data remains potentially exposed. All changes to policies should be applied under the strict control. ## Suggested queries All queries which are not "applied" due to safety settings, are "suggested" instead. Suggested queries are outputted to `STDOUT` and are available for copy-paste and manual review by administrator. You can apply such queries manually using `ACCOUNTADMIN` role. All "suggested" queries use fully-qualified identifiers, and the "[OWNERSHIP](/guides/other-guides/ownership.md)" of schema-level object will remain intact due to FUTURE GRANTS. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.snowddl.com/guides/other-guides/safe-unsafe.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.