{"id":304,"date":"2020-02-21T06:14:37","date_gmt":"2020-02-21T06:14:37","guid":{"rendered":"https:\/\/snowflake.pavlik.us\/?p=304"},"modified":"2020-02-21T06:16:07","modified_gmt":"2020-02-21T06:16:07","slug":"getting-a-complete-list-of-user-privileges-in-snowflake","status":"publish","type":"post","link":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/","title":{"rendered":"Getting a Complete List of User Privileges in Snowflake"},"content":{"rendered":"\n<p>These queries don&#8217;t need much explanation. I&#8217;ve had some customers ask how to get a complete list of user privileges, often for auditing purposes. The two queries below will show the role hierarchy (which roles have been granted which other roles) and a complete list of effective permissions for each user.<\/p>\n\n\n\n<p>For instance, if someone grants user &#8216;MARY&#8217; the &#8216;PLAN_9&#8217; role, and that role has a privilege to select from &#8216;TABLE_X&#8217;, then one row in the result will show that MARY can select from TABLE_X because she&#8217;s been granted the PLAN_9 role. Every other user in the PLAN_9 role will also show a row with the same set: the user, the role granting the privilege, and the privilege itself.<\/p>\n\n\n\n<p>Snowflake enforces a best practice for security and governance called RBAC, role-based access control. Privileges go to roles, not directly to users. 
To grant a user a privilege, add the user to a role with the privilege.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: sql; title: ; notranslate\" title=\"\">\n-- The data returned by both queries is in the\n-- SNOWFLAKE database, which has latency of up\n-- to 3 hours to reflect changes\n\n-- Get the effective role hierarchy for each user.\nwith\n   -- CTE gets all the roles each role is granted\n   ROLE_MEMBERSHIPS(ROLE_GRANTEE, ROLE_GRANTED_THROUGH_ROLE)\n   as\n    (\n    select   GRANTEE_NAME, &quot;NAME&quot;\n    from     SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES\n    where    GRANTED_TO = &#039;ROLE&#039; and\n             GRANTED_ON = &#039;ROLE&#039; and\n             DELETED_ON is null\n    ),\n    -- CTE gets all roles a user is granted\n    USER_MEMBERSHIPS(ROLE_GRANTED_TO_USER, USER_GRANTEE, GRANTED_BY)\n    as\n     (\n     select ROLE,\n            GRANTEE_NAME,\n            GRANTED_BY\n     from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS\n     where DELETED_ON is null\n     )\n-- \nselect \n        USER_GRANTEE,\n        case\n            when ROLE_GRANTED_THROUGH_ROLE is null \n                then ROLE_GRANTED_TO_USER \n            else ROLE_GRANTED_THROUGH_ROLE\n        end \n        EFFECTIVE_ROLE,\n        GRANTED_BY,\n        ROLE_GRANTEE,\n        ROLE_GRANTED_TO_USER,\n        ROLE_GRANTED_THROUGH_ROLE\nfrom    USER_MEMBERSHIPS U\n    left join ROLE_MEMBERSHIPS R\n        on U.ROLE_GRANTED_TO_USER = R.ROLE_GRANTEE\n;\n\n--------------------------------------------------------------------------------------------------\n\n-- This gets all the grants for all of the users:\nwith \n    ROLE_MEMBERSHIPS\n        (\n            ROLE_GRANTEE, \n            ROLE_GRANTED_THROUGH_ROLE\n        )\n    as\n    (\n        -- This lists all the roles a role is in\n        select   GRANTEE_NAME, &quot;NAME&quot;\n        from     SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES\n        where    GRANTED_TO = &#039;ROLE&#039; and\n          
       GRANTED_ON = &#039;ROLE&#039; and\n                 DELETED_ON is null\n    ),\n    USER_MEMBERSHIPS\n        (\n            ROLE_GRANTED_TO_USER,\n            USER_GRANTEE,\n            GRANTED_BY\n        )\n    as\n     (\n        select ROLE,GRANTEE_NAME,GRANTED_BY\n        from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS\n        where DELETED_ON is null\n     ),\n    EFFECTIVE_ROLES\n    (\n        USER_GRANTEE,\n        EFFECTIVE_ROLE,\n        GRANTED_BY,\n        ROLE_GRANTEE,\n        ROLE_GRANTED_TO_USER,\n        ROLE_GRANTED_THROUGH_ROLE\n    )\n    as\n    (\n        -- Note: the single left join resolves one level of role inheritance.\n        -- A role granted directly to the user is the EFFECTIVE_ROLE only\n        -- when no other roles are granted to that role.\n        select \n            USER_GRANTEE,\n            case \n                when ROLE_GRANTED_THROUGH_ROLE is null\n                    then ROLE_GRANTED_TO_USER\n                else ROLE_GRANTED_THROUGH_ROLE\n            end\n            EFFECTIVE_ROLE,\n            GRANTED_BY,\n            ROLE_GRANTEE,\n            ROLE_GRANTED_TO_USER,\n            ROLE_GRANTED_THROUGH_ROLE\n        from USER_MEMBERSHIPS U\n            left join ROLE_MEMBERSHIPS R\n            on U.ROLE_GRANTED_TO_USER = R.ROLE_GRANTEE\n    ),\n    GRANT_LIST\n        (\n            CREATED_ON,\n            MODIFIED_ON,\n            PRIVILEGE,\n            GRANTED_ON, \n            &quot;NAME&quot;,\n            TABLE_CATALOG,\n            TABLE_SCHEMA,\n            GRANTED_TO,\n            GRANTEE_NAME,\n            GRANT_OPTION\n        )\n    as\n    (\n        -- This shows all the grants (other than to roles).\n        -- The select list follows the order of the CTE column list\n        -- above so that each value is returned under the right label.\n        select  CREATED_ON,\n                MODIFIED_ON,\n                PRIVILEGE,\n                GRANTED_ON,\n                &quot;NAME&quot;,\n                TABLE_CATALOG,\n                TABLE_SCHEMA,\n                GRANTED_TO,\n                GRANTEE_NAME,\n                GRANT_OPTION\n        from    SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES\n        where   GRANTED_ON &lt;&gt; &#039;ROLE&#039; and\n                PRIVILEGE &lt;&gt; &#039;USAGE&#039; and \n                DELETED_ON is 
null\n    )\n-- GRANTEE_NAME holds the name of the role that received the grant;\n-- GRANTED_TO holds only the grantee type.\nselect * from EFFECTIVE_ROLES R\n    left join GRANT_LIST G \n        on G.GRANTEE_NAME = R.EFFECTIVE_ROLE\nwhere G.PRIVILEGE is not null\n;\n<\/pre><\/div>\n\n\n<p> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>These queries don&#8217;t need much explanation. I&#8217;ve had some customers request how to get a complete list of user privileges, often for auditing purposes. The two queries below will show the role hierarchy (which roles have been granted which other roles) and a complete list of effective permissions for each user. For instance, if someone [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,33,2],"tags":[],"class_list":["post-304","post","type-post","status-publish","format-standard","hentry","category-rbac","category-security","category-sql"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\r\n<title>Getting a Complete List of User Privileges in Snowflake - Snowflake in the Carolinas<\/title>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_US\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"Getting a Complete List of User Privileges in Snowflake - Snowflake in the Carolinas\" \/>\r\n<meta property=\"og:description\" content=\"These queries don&#8217;t need much explanation. I&#8217;ve had some customers request how to get a complete list of user privileges, often for auditing purposes. 
The two queries below will show the role hierarchy (which roles have been granted which other roles) and a complete list of effective permissions for each user. For instance, if someone [&hellip;]\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/\" \/>\r\n<meta property=\"og:site_name\" content=\"Snowflake in the Carolinas\" \/>\r\n<meta property=\"article:published_time\" content=\"2020-02-21T06:14:37+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2020-02-21T06:16:07+00:00\" \/>\r\n<meta name=\"author\" content=\"Greg Pavlik\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Greg Pavlik\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/\"},\"author\":{\"name\":\"Greg Pavlik\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#\\\/schema\\\/person\\\/019455f4675665b6cf5edea31ec44d7b\"},\"headline\":\"Getting a Complete List of User Privileges in 
Snowflake\",\"datePublished\":\"2020-02-21T06:14:37+00:00\",\"dateModified\":\"2020-02-21T06:16:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/\"},\"wordCount\":170,\"commentCount\":0,\"articleSection\":[\"RBAC\",\"Security\",\"SnowSQL\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/\",\"url\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/\",\"name\":\"Getting a Complete List of User Privileges in Snowflake - Snowflake in the 
Carolinas\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#website\"},\"datePublished\":\"2020-02-21T06:14:37+00:00\",\"dateModified\":\"2020-02-21T06:16:07+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#\\\/schema\\\/person\\\/019455f4675665b6cf5edea31ec44d7b\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/index.php\\\/2020\\\/02\\\/21\\\/getting-a-complete-list-of-user-privileges-in-snowflake\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/snowflake.pavlik.us\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Getting a Complete List of User Privileges in Snowflake\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#website\",\"url\":\"https:\\\/\\\/snowflake.pavlik.us\\\/\",\"name\":\"Snowflake in the Carolinas\",\"description\":\"Random thoughts on all things Snowflake in the Carolinas\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/snowflake.pavlik.us\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/snowflake.pavlik.us\\\/#\\\/schema\\\/person\\\/019455f4675665b6cf5edea31ec44d7b\",\"name\":\"Greg 
Pavlik\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g\",\"caption\":\"Greg Pavlik\"},\"description\":\"Greg is a Senior Sales Engineer at Snowflake Computing, in the Raleigh-Durham area. He's been in data management and security for the twenty years.\"}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Getting a Complete List of User Privileges in Snowflake - Snowflake in the Carolinas","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/","og_locale":"en_US","og_type":"article","og_title":"Getting a Complete List of User Privileges in Snowflake - Snowflake in the Carolinas","og_description":"These queries don&#8217;t need much explanation. I&#8217;ve had some customers request how to get a complete list of user privileges, often for auditing purposes. The two queries below will show the role hierarchy (which roles have been granted which other roles) and a complete list of effective permissions for each user. 
For instance, if someone [&hellip;]","og_url":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/","og_site_name":"Snowflake in the Carolinas","article_published_time":"2020-02-21T06:14:37+00:00","article_modified_time":"2020-02-21T06:16:07+00:00","author":"Greg Pavlik","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Greg Pavlik","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/#article","isPartOf":{"@id":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/"},"author":{"name":"Greg Pavlik","@id":"https:\/\/snowflake.pavlik.us\/#\/schema\/person\/019455f4675665b6cf5edea31ec44d7b"},"headline":"Getting a Complete List of User Privileges in Snowflake","datePublished":"2020-02-21T06:14:37+00:00","dateModified":"2020-02-21T06:16:07+00:00","mainEntityOfPage":{"@id":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/"},"wordCount":170,"commentCount":0,"articleSection":["RBAC","Security","SnowSQL"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/","url":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/","name":"Getting a Complete List of User Privileges in Snowflake - Snowflake in the 
Carolinas","isPartOf":{"@id":"https:\/\/snowflake.pavlik.us\/#website"},"datePublished":"2020-02-21T06:14:37+00:00","dateModified":"2020-02-21T06:16:07+00:00","author":{"@id":"https:\/\/snowflake.pavlik.us\/#\/schema\/person\/019455f4675665b6cf5edea31ec44d7b"},"breadcrumb":{"@id":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/snowflake.pavlik.us\/index.php\/2020\/02\/21\/getting-a-complete-list-of-user-privileges-in-snowflake\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/snowflake.pavlik.us\/"},{"@type":"ListItem","position":2,"name":"Getting a Complete List of User Privileges in Snowflake"}]},{"@type":"WebSite","@id":"https:\/\/snowflake.pavlik.us\/#website","url":"https:\/\/snowflake.pavlik.us\/","name":"Snowflake in the Carolinas","description":"Random thoughts on all things Snowflake in the Carolinas","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/snowflake.pavlik.us\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/snowflake.pavlik.us\/#\/schema\/person\/019455f4675665b6cf5edea31ec44d7b","name":"Greg 
Pavlik","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d81df729eebf37a042922b17d4a4c834b1e0ccfa9fea1c2c78cb8e95c7e91701?s=96&d=mm&r=g","caption":"Greg Pavlik"},"description":"Greg is a Senior Sales Engineer at Snowflake Computing, in the Raleigh-Durham area. He's been in data management and security for the twenty years."}]}},"_links":{"self":[{"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/posts\/304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/comments?post=304"}],"version-history":[{"count":1,"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/posts\/304\/revisions"}],"predecessor-version":[{"id":305,"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/posts\/304\/revisions\/305"}],"wp:attachment":[{"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/media?parent=304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/categories?post=304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/snowflake.pavlik.us\/index.php\/wp-json\/wp\/v2\/tags?post=304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}