# Permission model

## What is a permission model?

A permission model is a special concept introduced by SnowDDL to help manage permissions for databases and schemas. A permission model holds information about `CREATE GRANTS` and `FUTURE GRANTS`.

Permission models are optional. If you do not set one explicitly, the `DEFAULT` model is used for all schemas. You can check the specific configuration of the `DEFAULT` model on [this page](/basic/yaml-configs/permission-model.md).

## Grants

A permission model allows you to specify the following types of grants:

* OWNER create grants - which types of objects can be created by the OWNER role;
* OWNER future grants - which future grants should be applied to the OWNER role (usually `OWNERSHIP`);
* WRITE future grants - which future grants should be applied to the WRITE role;
* READ future grants - which future grants should be applied to the READ role.

## Rulesets

Additionally, you may choose one of two "rulesets" that define how grants are applied. The currently available rulesets are `SCHEMA_OWNER` and `DATABASE_OWNER`.

Here is the comparison table:

| SCHEMA\_OWNER                                        | DATABASE\_OWNER                                                                                                                |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| Selected by default                                  | Must be configured explicitly                                                                                                  |
| `OWNER` role is created on schema level              | `OWNER` role is created on database level                                                                                      |
| `OWNER` cannot create new schemas                    | `OWNER` can create new schemas                                                                                                 |
| Schemas are owned by SnowDDL admin                   | Schemas are owned by `OWNER` role                                                                                              |
| Schemas are created with `MANAGED ACCESS`            | Schemas are created without `MANAGED ACCESS`                                                                                   |
| `READ` and `WRITE` roles are created on schema level | `READ` and `WRITE` roles are created on database level, but additionally on schema level for each explicitly configured schema |

The `DATABASE_OWNER` ruleset is typically used for external tools that absolutely require the ability to create their own schemas, such as Fivetran, Airbyte, etc.

## Setting permission model

1. Define permission model(s) in [config](/guides/permission-model.md).
2. Set permission model(s) in [DATABASE](/basic/yaml-configs/database.md) or [SCHEMA](/basic/yaml-configs/schema.md) configs.

If a permission model is set on the DATABASE level, all its SCHEMAS inherit it by default.

You can mix & match different permission models across different schemas, but the ruleset of all models in one DATABASE must be the same.
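
A pre-deployment check for the two rules above (SCHEMAS inherit the DATABASE model, and one ruleset per DATABASE), as an added example that is not SnowDDL's own code. The dictionary layout, model names, finding labels and the ruleset assumed for `DEFAULT` are assumptions made for illustration and do not mirror SnowDDL's YAML format; the check also reports databases whose schemas will be created without `MANAGED ACCESS`.

```python
# Constructed sample data. The dict layout and model names are illustrative
# assumptions, not SnowDDL's YAML schema.
MODELS = {  # model name -> ruleset
    "DEFAULT": "SCHEMA_OWNER",  # assumed ruleset for the built-in DEFAULT model
    "analytics": "SCHEMA_OWNER",
    "etl_tool": "DATABASE_OWNER",
}
DATABASES = {  # schema value None means "inherit from the DATABASE"
    "SALES_DB": {"model": None, "schemas": {"RAW": None, "MART": "analytics"}},
    "INGEST_DB": {"model": "etl_tool", "schemas": {"LANDING": None, "STAGE": "analytics"}},
    "PARTNER_DB": {"model": "etl_tool", "schemas": {"SYNC": None}},
}


def effective_models(db):
    """Resolve the model per schema: explicit setting, else DATABASE, else DEFAULT."""
    db_model = db["model"] or "DEFAULT"
    return db_model, {s: (m or db_model) for s, m in db["schemas"].items()}


def lint(databases, models):
    """Return (database, finding, schemas) tuples for a reviewer to act on."""
    findings = []
    for db_name, db in databases.items():
        db_model, resolved = effective_models(db)
        unknown = sorted(s for s, m in resolved.items() if m not in models)
        if db_model not in models or unknown:
            findings.append((db_name, "UNKNOWN_MODEL", unknown))
            continue
        db_ruleset = models[db_model]
        # Rule from the page: every model used in one DATABASE shares one ruleset.
        mixed = sorted(s for s, m in resolved.items() if models[m] != db_ruleset)
        if mixed:
            findings.append((db_name, "MIXED_RULESET", mixed))
        elif db_ruleset == "DATABASE_OWNER":
            # Per the comparison table, these schemas get no MANAGED ACCESS.
            findings.append((db_name, "NO_MANAGED_ACCESS", sorted(resolved)))
    return findings


if __name__ == "__main__":
    for finding in lint(DATABASES, MODELS):
        print(finding)
```

A `NO_MANAGED_ACCESS` finding is not an error: it lists the schemas a reviewer should confirm really need the `DATABASE_OWNER` ruleset.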


