Permission model
Permission model is a special concept introduced by SnowDDL to help manage permissions for databases and schemas. A permission model holds information about CREATE GRANTS and FUTURE GRANTS.
Permission models are optional. If you do not set one explicitly, the DEFAULT model will be used for all schemas. You may check the specific configuration of the DEFAULT model on this page.
A permission model allows you to specify the following types of grants:
- OWNER create grants - which types of objects can be created by the OWNER role;
- OWNER future grants - which future grants should be applied to the OWNER role (usually OWNERSHIP);
- WRITE future grants - which future grants should be applied to the WRITE role;
- READ future grants - which future grants should be applied to the READ role.
Additionally, you may choose one of two "rulesets" defining how grants should be applied. The currently available rulesets are called SCHEMA_OWNER and DATABASE_OWNER.
Here is the comparison table:

SCHEMA_OWNER | DATABASE_OWNER |
---|---|
Selected by default | Must be configured explicitly |
OWNER role is created on schema level | OWNER role is created on database level |
OWNER cannot create new schemas | OWNER can create new schemas |
Schemas are owned by SnowDDL admin | Schemas are owned by OWNER role |
Schemas are created with MANAGED ACCESS | Schemas are created without MANAGED ACCESS |
READ and WRITE roles are created on schema level | READ and WRITE roles are created on database level, but additionally on schema level for each explicitly configured schema |

The DATABASE_OWNER ruleset is typically used for external tools which absolutely require the ability to create their own schemas, such as Fivetran, Airbyte, etc.

Define permission model(s) in config.

If a permission model is set on DATABASE level, all its SCHEMAS inherit it by default.

You can mix & match different permission models across different schemas, but the ruleset on all models in one DATABASE must be the same.
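
The inheritance and same-ruleset rules above can be checked before a deployment. The following is an added example, not SnowDDL's own code: the dictionary layout, the function names and the sample models and databases are assumptions made for illustration, and the DEFAULT model is assumed to use SCHEMA_OWNER.

```python
# Added example, not SnowDDL code. The dict layout is an assumed in-memory
# form (not SnowDDL's config file format); all names are constructed.
DEFAULT_MODEL = "DEFAULT"


def effective_models(database):
    """Map each schema to the permission model that applies to it.

    A model set on the schema wins; otherwise the schema inherits the
    database-level model; otherwise the DEFAULT model is used.
    """
    db_model = database.get("permission_model", DEFAULT_MODEL)
    return {
        schema: cfg.get("permission_model", db_model)
        for schema, cfg in database.get("schemas", {}).items()
    }


def check_rulesets(databases, models):
    """Return problems: unknown model names and databases mixing rulesets."""
    problems = []
    for db_name, database in databases.items():
        applied = {"(database)": database.get("permission_model", DEFAULT_MODEL)}
        applied.update(effective_models(database))
        by_ruleset = {}
        for scope, model in applied.items():
            if model not in models:
                problems.append(f"{db_name}.{scope}: unknown permission model {model}")
                continue
            by_ruleset.setdefault(models[model]["ruleset"], []).append(scope)
        if len(by_ruleset) > 1:
            detail = "; ".join(f"{r} -> {', '.join(s)}" for r, s in sorted(by_ruleset.items()))
            problems.append(f"{db_name}: mixed rulesets ({detail})")
    return problems


# Constructed sample data. SCHEMA_OWNER for DEFAULT is an assumption.
MODELS = {
    "DEFAULT": {"ruleset": "SCHEMA_OWNER"},
    "REPORTING": {"ruleset": "SCHEMA_OWNER"},
    "INGEST_TOOL": {"ruleset": "DATABASE_OWNER"},
}
DATABASES = {
    "ANALYTICS": {"schemas": {"CORE": {}, "MARTS": {"permission_model": "REPORTING"}}},
    "RAW": {"permission_model": "INGEST_TOOL",
            "schemas": {"FIVETRAN": {}, "MANUAL": {"permission_model": "DEFAULT"}}},
}

if __name__ == "__main__":
    print("\n".join(check_rulesets(DATABASES, MODELS)))
```

In the sample data, RAW is flagged because the MANUAL schema overrides the inherited DATABASE_OWNER model with a SCHEMA_OWNER one, which would mix MANAGED ACCESS and non-MANAGED ACCESS ownership rules inside one database.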