Privileges to Manage Preexisting Objects
Below is the list of privileges required to manage Snowflake objects that did exist in the account and cannot be created from scratch.
note
- All required parameters of a Snowflake Object can only be modified by role with
OWNERSHIPgrant on the object. - All Snowflake Objects can only be destroyed by role with
OWNERSHIPgrant on the object.
Database
To modify a database the MODIFY privilege will be required.
GRANT MODIFY ON DATABASE <database-name> TO ROLE DATAOPS_ADMIN;
Warehouse
To modify a warehouse the MODIFY privilege will be required.
GRANT MODIFY ON WAREHOUSE <warehouse-name> TO ROLE DATAOPS_ADMIN;
Resource monitor
To modify the Resource Monitor the MODIFY privilege will be required.
GRANT MODIFY ON RESOURCE MONITOR <resource-monitor-name> TO ROLE DATAOPS_ADMIN;
User
GRANT OWNERSHIP on USER <user_name> to role DATAOPS_ADMIN;
Role
GRANT OWNERSHIP on ROLE <role_name> to role DATAOPS_ADMIN;
Schema
To modify the schema the MODIFY and USAGE privileges will be required.
GRANT USAGE ON SCHEMA <database-name>.<schema-name> TO ROLE DATAOPS_ADMIN;
GRANT MODIFY ON SCHEMA <database-name>.<schema-name> TO ROLE DATAOPS_ADMIN;
Masking policy
GRANT OWNERSHIP on MASKING POLICY <masking_policy_name> to role DATAOPS_ADMIN;
Pipe
To modify a pipe the OPERATE privilege will be required. Note: only Optional Parameters can be modified using OPERATE.
GRANT OPERATE on PIPE <pipe-name> to ROLE DATAOPS_ADMIN ;
GRANT OWNERSHIP on MASKING POLICY <masking_policy_name> to role DATAOPS_ADMIN;
View
GRANT OWNERSHIP on VIEW <view_name> to role DATAOPS_ADMIN;
File format
GRANT OWNERSHIP on FILE FORMAT <file_format_name> to role DATAOPS_ADMIN;
Table
GRANT OWNERSHIP on TABLE <table_name> to role DATAOPS_ADMIN;
Stage
GRANT OWNERSHIP on STAGE <stage_name> to role DATAOPS_ADMIN;
Stream
GRANT OWNERSHIP on STREAM <stream_name> to role DATAOPS_ADMIN;
External table
GRANT OWNERSHIP on EXTERNAL TABLE <external_table_name> to role DATAOPS_ADMIN;
Task
The OPERATE privilege allows updating status like resuming or suspending the task.
GRANT OPERATE on TASK <task_name> to role DATAOPS_ADMIN;
Tag
GRANT OWNERSHIP on TAG <tag-identifier> to role DATAOPS_ADMIN;