Access Control Privileges Reference¶
This topic describes the privileges that can be associated with roles in Snowflake. Roles are assigned to users to specify which privileges are available to which users.
In this Topic:
All Privileges (Alphabetical)¶
The following privileges are available in the Snowflake access control model. The meaning of each privilege varies depending on the object type to which it is applied, and not all objects support all privileges:
Privilege | Type | Description |
---|---|---|
CREATE object |
Global, Database, Schema | Grants ability to create a new object of type object (e.g. a new table within a schema). |
DELETE | Table | Grants ability to execute a DELETE command on the table. |
INSERT | Table | Grants ability to execute an INSERT command on the table. |
MANAGE GRANTS | Global | Grants ability to grant or revoke privileges on any object as if the invoking role were the owner of the object. |
MODIFY | Warehouse, Database, Schema | Grants ability to change the settings or properties of an object (e.g. on a virtual warehouse, provides the ability to change the size of a virtual warehouse). |
MONITOR | Warehouse, Database, Schema | Grants ability to see details within an object (e.g. queries and usage within a warehouse). |
MONITOR USAGE | Global | Grants ability to monitor account-level usage and historical information for tables, warehouses, etc. For more details, see Enabling Non-Account Administrators to Monitor Usage and Billing History. |
OPERATE | Warehouse | Grants ability to start, stop, hibernate, or resume a virtual warehouse. |
OWNERSHIP | All | Grants ability to delete, alter, and grant or revoke access to an object. Required to rename an object. OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the GRANT OWNERSHIP command to a different role by the owning role (or any role with the MANAGE GRANTS privilege). |
SELECT | Table, View | Grants ability to execute a SELECT statement on the table/view. |
TRUNCATE | Table | Grants ability to execute a TRUNCATE command on the table. |
UPDATE | Table | Grants ability to execute an UPDATE command on the table. |
USAGE | Warehouse, Database, Schema | Grants ability to execute a USE command on an object or showing the objects within a container such as DATABASE or SCHEMA; however, a contained object is only listed if the executing role has at least one privilege on the object. |
The remaining sections in this topic describe the specific privileges available for each type of object and their usage.
Global Privileges¶
Privilege | Usage |
---|---|
CREATE USER | Enables creating a new user. |
CREATE ROLE | Enables creating a new role. |
MANAGE GRANTS | Enables modifying grants on objects for which the role is not the owner. |
CREATE WAREHOUSE | Enables creating a new virtual warehouse. |
CREATE DATABASE | Enables creating a new database or create a clone of an existing database. |
MONITOR USAGE | Enables viewing the account utilization and billing history, as well as viewing all account databases and warehouses using the SHOW command. For more details, see Enabling Non-Account Administrators to Monitor Usage and Billing History. |
ALL [ PRIVILEGES ] | Grants all global privileges. |
User and Role Privileges¶
Privilege | Usage |
---|---|
OWNERSHIP | Grants full control over a user/role. |
Virtual Warehouse Privileges¶
Privilege | Usage |
---|---|
MODIFY | Enables altering any properties of a warehouse, including changing its size. |
MONITOR | Enables viewing current and past queries executed on a warehouse as well as usage statistics on that warehouse. |
OPERATE | Enables changing the state of a warehouse (stop, start, hibernate, resume) as well as abort any executing queries. |
USAGE | Enables using a virtual warehouse and, as a result, execute queries on the warehouse. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on the warehouse. |
OWNERSHIP | Transfers ownership of a warehouse, which gives full control over the warehouse. |
Database Privileges¶
Privilege | Usage |
---|---|
MODIFY | Enables altering any settings of a database. |
MONITOR | Enables viewing details for a database. |
USAGE | Enables using a database, including showing objects (i.e. schemas) in the database. |
CREATE SCHEMA | Enables creating a new schema in a database, including cloning a schema. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on a database. |
OWNERSHIP | Transfers ownership of a database, which grants full control over the database. |
Note that changing the properties of a database, including comments, requires the OWNERSHIP privilege for the database.
Schema Privileges¶
Privilege | Usage |
---|---|
MODIFY | Enables altering any settings of a schema. |
MONITOR | Enables viewing details for a schema. |
USAGE | Enables using a schema, including showing objects (e.g. TABLES, VIEWS, FUNCTIONS, SEQUENCES, STAGES, or FILE FORMATS) in the schema. |
CREATE TABLE | Enables creating a new table in a schema, including cloning a table. |
CREATE VIEW | Enables creating a new view in a schema. |
CREATE STAGE | Enables creating a new stage in a schema, including cloning a stage. |
CREATE FILE FORMAT | Enables creating a new file format in a schema, including cloning a file format. |
CREATE SEQUENCE | Enables creating a new sequence in a schema, including cloning a sequence. |
CREATE FUNCTION | Enables creating a new UDF in a schema. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on a schema. |
OWNERSHIP | Transfers ownership of a schema, which grants full control over the schema. |
Note
- Changing the properties of a schema, including comments, requires the OWNERSHIP privilege for the database.
- Operating on a schema also requires the USAGE privilege on the parent database.
Table Privileges¶
Privilege | Usage |
---|---|
SELECT | Enables executing a SELECT statement on a table. |
INSERT | Enables executing an INSERT command on a table. Also enables using the ALTER TABLE command with a RECLUSTER clause to manually recluster a table with clustering keys. |
UPDATE | Enables executing an UPDATE command on a table. |
TRUNCATE | Enables executing a TRUNCATE command on a table. |
DELETE | Enables executing a DELETE command on a table. |
REFERENCES | Enables referencing a table as the unique/primary key table for a foreign key constraint. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on a table. |
OWNERSHIP | Transfers ownership of a table, which grants full control over the table. Required to alter most properties a table, with the exception of reclustering. |
Note
Operating on a table also requires the USAGE privilege on the parent database and schema.
View Privileges¶
Privilege | Usage |
---|---|
SELECT | Enables executing a SELECT statement on a view. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on a view. |
OWNERSHIP | Transfers ownership of a view, which grants full control over the view. Required to alter a view. |
Note
Operating on a view also requires the USAGE privilege on the parent database and schema.
Stage Privileges¶
Privilege | Usage |
---|---|
USAGE | Enables using an external stage object in a SQL statement; not applicable to internal stages. |
READ | Enables performing any operations that require reading from an internal stage (GET, LIST, COPY INTO table, etc.); not applicable to external stages. |
WRITE | Enables performing any operations that require writing to an internal stage (PUT, REMOVE, COPY INTO location, etc.); not applicable for external stages. |
ALL [ PRIVILEGES ] | Grants all applicable privileges, except OWNERSHIP, to a stage (internal or external). |
OWNERSHIP | Transfers ownership of a stage, which grants full control over the stage. |
Note
- When granting or revoking both the READ and WRITE privileges for an internal stage:
- The READ privilege must be granted before the WRITE privilege or at the same time.
- The WRITE privilege must be revoked before the READ privilege or at the same time.
- Operating on a stage also requires the USAGE privilege on the parent database and schema.
File Format Privileges¶
Privilege | Usage |
---|---|
USAGE | Enables utilizing a file format in a SQL statement. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on the file format. |
OWNERSHIP | Transfers ownership of a file format, which grants full control over the file format. Required to alter a file format. |
Note
Operating on file formats also requires the USAGE privilege on the parent database and schema.
Pipe Privileges¶
Privilege | Usage |
---|---|
CREATE | Enables creating a new pipe in a schema. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on the pipe. |
OWNERSHIP | Transfers ownership of a pipe, which grants full control over the pipe. Required to load data using Snowpipe. |
Note
Operating on pipes also requires the USAGE privilege on the parent database and schema.
Other Database Object Privileges (Sequences, UDFs)¶
Privilege | Usage |
---|---|
USAGE | Enables utilizing the specified object in a SQL statement. |
ALL [ PRIVILEGES ] | Grants all privileges, except OWNERSHIP, on the specified object. |
OWNERSHIP | Transfers ownership of the specified object, which grants full control over the object. Required to alter the object. |
Note
Operating on these other database objects also requires the USAGE privilege on the parent database and schema.