Show Grants: What does it do?
Used to find:
Which Users have access to a given Role?
Which Users or Roles were granted to a given Role (confusing - but it makes sense below)
Which Roles have access to a given Table or View
Which Privileges (eg. Create Database) have been granted to Roles
SHOW GRANTS TO USER <User Name>
Lists the Roles accessible to a given User. This could be used (for example), to list the roles available to a given User.
show grants to user JOHN;
The screenshot shows that user TEST has been granted several roles including ACCOUNTADMIN and SECURITYADMIN.
SHOW GRANTS OF ROLE <Role Name>
For a given Role, this lists the Users and Roles to which a given Role has been granted. For example, you could identify the Users who have been granted the role ACCOUNTADMIN.
show grants of role accountadmin;
Want to learn more from a Snowflake Expert? Click on the image below for training from Analytics Today.
SHOW GRANTS TO ROLE <Role>
Lists the Privileges granted to a given Role. This could be used (for example) to check whether a given role can CREATE TABLEs.
show grants to role TEST_ROLE;
The screenshot below shows the Privileges granted to role TEST_ROLE:
SHOW GRANTS ON TABLE <Table>
Shows the Privileges (for example, SELECT, INSERT, UPDATE, DELETE) granted on Objects. This could be used (for example), to check which roles have access to a given table, view or even virtual warehouse.
show grants on table clustered_tables;
The above screenshot shows which roles have access to the table CLUSTERED_TABLES.
SHOW GRANTS ON WAREHOUSE <Warehouse>
This example shows how to list the roles with access to the warehouse named BIGGER_WH.
show grants on warehouse bigger_wh;
Show Grants: Reports
List All Objects accessible to a <User>
As indicated above, users are granted roles, which may be given other roles, and eventually are granted privileges on objects. Because of the potential hierarchy, it's necessary to tree-walk from a User to the Roles and, finally, Tables, Views, and Warehouses.
The code below lists all the Objects (Tables, Views, etc.) accessible to the current user.
-- Create local TEMP table purely to speed the next query
create or replace temp table temp_grants_to_roles as
select *
from snowflake.account_usage.grants_to_roles;
-- Treewalk the RBAC hierarchy
with ROLE_HIER as (
-- anchor query
select gu.GRANTEE_NAME as USER_NAME
, gu.ROLE::varchar(1000) as ROLE_NAME
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS gu
where DELETED_ON is null
union all
-- recursive query
select rh.USER_NAME
, g2u.NAME as ROLE_NAME
from role_hier rh
join temp_grants_to_roles g2u on rh.ROLE_NAME = g2u.GRANTEE_NAME
where g2u.PRIVILEGE = 'USAGE'
and g2u.GRANTED_TO = 'ROLE'
and g2u.GRANTED_ON = 'ROLE'
and g2u.DELETED_ON is null)
, DIST_USER_ROLE as (
select distinct USER_NAME, ROLE_NAME
from ROLE_HIER
order by USER_NAME, ROLE_NAME)
select distinct
dur.USER_NAME as "User"
, dur.ROLE_NAME as "User Role"
-- , g2r.CREATED_ON
, g2r.TABLE_CATALOG as "Database"
, g2r.TABLE_SCHEMA as "Schema"
, g2r.GRANTED_ON as "On"
, g2r.NAME as "Object Name"
, g2r.PRIVILEGE as "Privilege Granted"
-- , g2r.GRANT_OPTION
-- , g2r.GRANTED_BY
from DIST_USER_ROLE dur
join temp_grants_to_roles g2r on dur.ROLE_NAME = g2r.GRANTEE_NAME
where g2r.GRANTED_TO = 'ROLE'
and g2r.GRANTED_ON <> 'ROLE'
and g2r.DELETED_ON is null
and dur.USER_NAME = current_user()
-- and g2r.PRIVILEGE = 'OWNERSHIP'
order by dur.USER_NAME
, dur.ROLE_NAME
, g2r.TABLE_CATALOG
, g2r.TABLE_SCHEMA
, g2r.NAME
-- , g2r.CREATED_ON
;
The screenshot above shows the tables owned by the current User - JOHN. It also shows the Roles that have resulted in access and (if relevant) the Database and Schema names.
Snowflake Training by an Expert.
Click in the image below for more detail
List Roles Accessible to a User
Whereas the code above shows all the accessible Objects (Tables, Views, Warehouses), this query returns only the Roles accessible to a given User.
Unlike SHOW GRANTS TO USER, which only shows the roles directly granted, this code performs a tree-walk to list all accessible Roles for a given User.
set user_name = 'JOHN';
-- For a NAMED user - list the roles they have been granted
with ROLE_HIER as (
-- anchor query
select gu.GRANTEE_NAME as USER_NAME
, gu.ROLE::varchar(1000) as ROLE_NAME
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS gu
where DELETED_ON is null
union all
-- recursive query
select rh.USER_NAME
, g2u.NAME as ROLE_NAME
from role_hier rh
join monitor_grant_to_roles g2u on rh.ROLE_NAME = g2u.GRANTEE_NAME
where g2u.PRIVILEGE = 'USAGE'
and g2u.GRANTED_TO = 'ROLE'
and g2u.GRANTED_ON = 'ROLE'
and g2u.DELETED_ON is null)
select distinct USER_NAME, ROLE_NAME
from ROLE_HIER
where USER_NAME = $user_name
order by USER_NAME, ROLE_NAME
;
The screenshot above shows the Roles accessible to user JOHN.
Snowflake Training from an Snowflake Superhero.
Click on the image below for more information.