Skip to main content

Required Privileges to manage preexisting objects

Below is the list of privileges required to manage Snowflake objects that existed in the account and cannot be created from scratch.

note
  • All required parameters of a Snowflake Object can only be modified by role with OWNERSHIP grant on the object.
  • All Snowflake Objects can only be destroyed by role with OWNERSHIP grant on the object.

Database

To modify a database the MODIFY privilege will be required.

GRANT MODIFY  ON DATABASE <database-name> TO ROLE DATAOPS_ADMIN;

Warehouse

To modify a warehouse the MODIFY privilege will be required.

GRANT MODIFY ON WAREHOUSE <warehouse-name> TO ROLE DATAOPS_ADMIN;

Resource Monitor

To modify the Resource Monitor the MODIFY privilege will be required.

GRANT MODIFY ON RESOURCE MONITOR  <resource-monitor-name> TO ROLE DATAOPS_ADMIN;

User

GRANT OWNERSHIP on USER <user_name> to role DATAOPS_ADMIN;

Role

GRANT OWNERSHIP on ROLE <role_name> to role DATAOPS_ADMIN;

Schema

To modify the schema the MODIFY and USAGE privileges will be required.

GRANT USAGE ON SCHEMA <database-name>.<schema-name>  TO ROLE DATAOPS_ADMIN;

GRANT MODIFY ON SCHEMA <database-name>.<schema-name> TO ROLE DATAOPS_ADMIN;

Masking policy

GRANT OWNERSHIP on MASKING POLICY <masking_policy_name> to role DATAOPS_ADMIN;

Pipe

To modify a pipe the OPERATE privilege will be required. Note: only Optional Parameters can be modified using OPERATE.

GRANT OPERATE on PIPE <pipe-name> to ROLE DATAOPS_ADMIN ;
GRANT OWNERSHIP on MASKING POLICY <masking_policy_name> to role DATAOPS_ADMIN;

View

GRANT OWNERSHIP on VIEW <view_name> to role DATAOPS_ADMIN;

File Format

GRANT OWNERSHIP on FILE FORMAT <file_format_name> to role DATAOPS_ADMIN;

Table

GRANT OWNERSHIP on TABLE <table_name> to role DATAOPS_ADMIN;

Stage

GRANT OWNERSHIP on STAGE <stage_name> to role DATAOPS_ADMIN;

Stream

GRANT OWNERSHIP on STREAM <stream_name> to role DATAOPS_ADMIN;

External Table

GRANT OWNERSHIP on EXTERNAL TABLE <external_table_name> to role DATAOPS_ADMIN;

Task

The OPERATE privilege allows updating status like resuming or suspending the task.

GRANT OPERATE on TASK <task_name> to role DATAOPS_ADMIN;