> For the complete documentation index, see [llms.txt](https://docs.snowddl.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.snowddl.com/guides/permission-model.md).

# Permission model

## What is permission model?

Permission model is a special concept introduced by SnowDDL to help managing permissions for databases and schemas. Permission model holds information about `CREATE GRANTS` and `FUTURE GRANTS`.

Permission models are optional. If you do not set it explicitly, `DEFAULT` model will be used for all schemas. You may check the specific configuration of `DEFAULT` model on [this page](/basic/yaml-configs/permission-model.md).

## Grants

Permission model allows you to specify the following types of grants:

* OWNER create grants - which types of objects can be created by OWNER role;
* OWNER future grants - which future grants should be applied to OWNER role (usually `OWNERSHIP`)
* WRITE future grants - which future grants should be applied to WRITE role
* READ future grants - which future grants should be applied to READ role

## Rulesets

Additionally, you may choose one of two "rulesets" defining how grants should be applied. Currently available rulesets are called: `SCHEMA_OWNER` and `DATABASE_OWNER`.

Here is the comparison table:

| SCHEMA\_OWNER                                        | DATABASE\_OWNER                                                                                                                |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| Selected by default                                  | Must be configured explicitly                                                                                                  |
| `OWNER` role is created on schema level              | `OWNER` role is created on database level                                                                                      |
| `OWNER` cannot create new schemas                    | `OWNER` can create new schemas                                                                                                 |
| Schemas are owned by SnowDDL admin                   | Schemas are owned by `OWNER` role                                                                                              |
| Schemas are created with `MANAGED ACCESS`            | Schemas are created without `MANAGED ACCESS`                                                                                   |
| `READ` and `WRITE` roles are created on schema level | `READ` and `WRITE` roles are created on database level, but additionally on schema level for each explicitly configured schema |

`DATABASE_OWNER` ruleset is typically used for external tools which absolutely require ability to create their own schemas, such as Fivetran, Airbyte, etc.

## Setting permission model

1. Define permission models(s) in [config](/guides/permission-model.md).
2. Set permission model(s) in [DATABASE](/basic/yaml-configs/database.md) or [SCHEMA](/basic/yaml-configs/schema.md) configs.

If permission model is set on DATABASE level, all its SCHEMAS inherit it by default.

You can mix & match different permission models across different schemas, but the ruleset on all models in one DATABASE must be the same.
