SNOWFLAKE database roles

When an account is provisioned, the SNOWFLAKE database is automatically imported. The database is an example of Snowflake using Secure Data Sharing to provide object metadata and other usage metrics for your organization and accounts.

Access to schema objects in the SNOWFLAKE database is controlled by different database roles. The following sections describe each SNOWFLAKE database role, its associated privileges, and the associated schema objects the role is granted access to.

ACCOUNT_USAGE schema

The ACCOUNT_USAGE schema has four defined SNOWFLAKE database roles, each granted the SELECT privilege on specific views.

| Role | Purpose and Description |
| --- | --- |
| OBJECT_VIEWER | The OBJECT_VIEWER role provides visibility into object metadata. |
| USAGE_VIEWER | The USAGE_VIEWER role provides visibility into historical usage information. |
| GOVERNANCE_VIEWER | The GOVERNANCE_VIEWER role provides visibility into data governance related information. |
| SECURITY_VIEWER | The SECURITY_VIEWER role provides visibility into security based information. |

Database role required to access ACCOUNT_USAGE views

The OBJECT_VIEWER, USAGE_VIEWER, GOVERNANCE_VIEWER, and SECURITY_VIEWER roles have the SELECT privilege to query Account Usage views in the shared SNOWFLAKE database. Use the following table to determine which database role has access to a view.

| View | Database Role |
| --- | --- |
| ACCESS_HISTORY view | GOVERNANCE_VIEWER |
| AGGREGATE_ACCESS_HISTORY view | GOVERNANCE_VIEWER |
| AGGREGATE_QUERY_HISTORY view | GOVERNANCE_VIEWER |
| AGGREGATION_POLICIES view | GOVERNANCE_VIEWER |
| ANOMALIES_DAILY view | USAGE_VIEWER |
| APPLICATION_DAILY_USAGE_HISTORY view | USAGE_VIEWER |
| APPLICATION_SPECIFICATION_STATUS_HISTORY view | SECURITY_VIEWER |
| APPLICATION_SPECIFICATIONS view | SECURITY_VIEWER |
| ARCHIVE_STORAGE_DATA_RETRIEVAL_USAGE_HISTORY view | USAGE_VIEWER |
| AUTOMATIC_CLUSTERING_HISTORY view | USAGE_VIEWER |
| BLOCK_STORAGE_HISTORY view | USAGE_VIEWER |
| BLOCK_STORAGE_SNAPSHOTS view | OBJECT_VIEWER |
| CATALOG_LINKED_DATABASE_USAGE_HISTORY view | USAGE_VIEWER |
| CLASS_INSTANCES view | USAGE_VIEWER |
| CLASSES view | USAGE_VIEWER |
| COLUMN_QUERY_PRUNING_HISTORY view | USAGE_VIEWER |
| COLUMNS view | OBJECT_VIEWER |
| COMPLETE_TASK_GRAPHS view | OBJECT_VIEWER |
| CONTACT_REFERENCES view | GOVERNANCE_VIEWER |
| CONTACTS view | GOVERNANCE_VIEWER |
| COPY_FILES_HISTORY view | USAGE_VIEWER |
| COPY_HISTORY view | USAGE_VIEWER |
| CORTEX_AISQL_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_ANALYST_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_DOCUMENT_PROCESSING_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_FINE_TUNING_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_FUNCTIONS_QUERY_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_FUNCTIONS_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_SEARCH_DAILY_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_SEARCH_REFRESH_HISTORY view | USAGE_VIEWER |
| CORTEX_PROVISIONED_THROUGHPUT_USAGE_HISTORY view | USAGE_VIEWER |
| CORTEX_SEARCH_SERVING_USAGE_HISTORY view | USAGE_VIEWER |
| CREDENTIALS view | SECURITY_VIEWER |
| DATA_CLASSIFICATION_LATEST view | GOVERNANCE_VIEWER |
| DATA_METRIC_FUNCTION_EXPECTATIONS view | USAGE_VIEWER or GOVERNANCE_VIEWER |
| DATA_METRIC_FUNCTION_REFERENCES view | USAGE_VIEWER or GOVERNANCE_VIEWER |
| DATA_QUALITY_MONITORING_USAGE_HISTORY view | USAGE_VIEWER |
| DATA_TRANSFER_HISTORY view | USAGE_VIEWER |
| DATABASE_STORAGE_USAGE_HISTORY view | USAGE_VIEWER |
| DATABASES view | OBJECT_VIEWER |
| DOCUMENT_AI_USAGE_HISTORY view | USAGE_VIEWER |
| DYNAMIC_TABLE_REFRESH_HISTORY view | USAGE_VIEWER |
| ELEMENT_TYPES view | OBJECT_VIEWER |
| EVENT_USAGE_HISTORY view | USAGE_VIEWER |
| EXTERNAL_ACCESS_HISTORY view | USAGE_VIEWER |
| FIELDS view | OBJECT_VIEWER |
| FILE_FORMATS view | OBJECT_VIEWER |
| FUNCTIONS view | OBJECT_VIEWER |
| GRANTS_TO_ROLES view | SECURITY_VIEWER |
| GRANTS_TO_USERS view | SECURITY_VIEWER |
| HYBRID_TABLE_USAGE_HISTORY view | USAGE_VIEWER |
| HYBRID_TABLES view | OBJECT_VIEWER |
| ICEBERG_STORAGE_OPTIMIZATION_HISTORY view | USAGE_VIEWER |
| INDEX_COLUMNS view | OBJECT_VIEWER |
| INDEXES view | OBJECT_VIEWER |
| INGRESS_NETWORK_ACCESS_HISTORY view | SECURITY_VIEWER |
| INTERNAL_DATA_TRANSFER_HISTORY view | USAGE_VIEWER |
| INTERNAL_STAGE_NETWORK_ACCESS_HISTORY view | SECURITY_VIEWER |
| JOIN_POLICIES view | GOVERNANCE_VIEWER |
| LOAD_HISTORY view | USAGE_VIEWER |
| LOGIN_HISTORY view | SECURITY_VIEWER |
| MASKING_POLICIES view | GOVERNANCE_VIEWER |
| MATERIALIZED_VIEW_REFRESH_HISTORY view | USAGE_VIEWER |
| METERING_DAILY_HISTORY view | USAGE_VIEWER |
| METERING_HISTORY view | USAGE_VIEWER |
| NETWORK_POLICIES view | SECURITY_VIEWER |
| NETWORK_RULE_REFERENCES view | SECURITY_VIEWER |
| NETWORK_RULES view | SECURITY_VIEWER |
| NOTEBOOKS_CONTAINER_RUNTIME_HISTORY view | USAGE_VIEWER |
| OBJECT_ACCESS_REQUEST_HISTORY view | OBJECT_VIEWER |
| OBJECT_DEPENDENCIES view | OBJECT_VIEWER |
| ACCOUNT_USAGE.ONLINE_FEATURE_TABLE_REFRESH_HISTORY | USAGE_VIEWER |
| OPENFLOW_USAGE_HISTORY view | USAGE_VIEWER |
| OUTBOUND_PRIVATELINK_ENDPOINTS view | SECURITY_VIEWER |
| PASSWORD_POLICIES view | SECURITY_VIEWER |
| PIPE_USAGE_HISTORY view | USAGE_VIEWER |
| PIPES view | OBJECT_VIEWER |
| POLICY_REFERENCES view | GOVERNANCE_VIEWER, SECURITY_VIEWER |
| POSTGRES_STORAGE_USAGE_HISTORY view | USAGE_VIEWER |
| PRIVACY_BUDGETS view | GOVERNANCE_VIEWER |
| PRIVACY_POLICIES view | GOVERNANCE_VIEWER |
| PROCEDURES view | OBJECT_VIEWER |
| PROJECTION_POLICIES view | GOVERNANCE_VIEWER |
| QUERY_ACCELERATION_ELIGIBLE view | GOVERNANCE_VIEWER |
| QUERY_ATTRIBUTION_HISTORY view | USAGE_VIEWER, GOVERNANCE_VIEWER |
| QUERY_HISTORY view | GOVERNANCE_VIEWER |
| QUERY_INSIGHTS view | GOVERNANCE_VIEWER |
| REFERENTIAL_CONSTRAINTS view | OBJECT_VIEWER |
| REPLICATION_GROUP_REFRESH_HISTORY view | USAGE_VIEWER |
| REPLICATION_GROUP_USAGE_HISTORY view | USAGE_VIEWER |
| REPLICATION_GROUPS view | OBJECT_VIEWER |
| REPLICATION_USAGE_HISTORY view | USAGE_VIEWER |
| RESOURCE_MONITORS view | OBJECT_VIEWER |
| ROLES view | SECURITY_VIEWER |
| ROW_ACCESS_POLICIES view | GOVERNANCE_VIEWER |
| SCHEMATA view | OBJECT_VIEWER |
| SEARCH_OPTIMIZATION_BENEFITS view | USAGE_VIEWER |
| SEARCH_OPTIMIZATION_HISTORY view | USAGE_VIEWER |
| SECRETS view | SECURITY_VIEWER |
| SEMANTIC_DIMENSIONS view | OBJECT_VIEWER |
| SEMANTIC_FACTS view | OBJECT_VIEWER |
| SEMANTIC_METRICS view | OBJECT_VIEWER |
| SEMANTIC_RELATIONSHIPS view | OBJECT_VIEWER |
| SEMANTIC_TABLES view | OBJECT_VIEWER |
| SEMANTIC_VIEWS view | OBJECT_VIEWER |
| SEQUENCES view | OBJECT_VIEWER |
| SERVERLESS_ALERT_HISTORY view | USAGE_VIEWER |
| SERVERLESS_TASK_HISTORY view | USAGE_VIEWER |
| SERVICES view | OBJECT_VIEWER |
| SESSION_POLICIES view | SECURITY_VIEWER |
| SESSIONS view | SECURITY_VIEWER |
| SNAPSHOT_OPERATION_HISTORY view — Deprecated | OBJECT_VIEWER |
| SNAPSHOT_POLICIES view — Deprecated | OBJECT_VIEWER |
| SNAPSHOT_SETS view — Deprecated | OBJECT_VIEWER |
| SNAPSHOT_STORAGE_USAGE view — Deprecated | OBJECT_VIEWER |
| SNAPSHOTS view — Deprecated | OBJECT_VIEWER |
| SNOWPARK_CONTAINER_SERVICES_HISTORY view | USAGE_VIEWER |
| SNOWPIPE_STREAMING_CHANNEL_HISTORY view | USAGE_VIEWER |
| STAGE_STORAGE_USAGE_HISTORY view | USAGE_VIEWER |
| STAGES view | OBJECT_VIEWER |
| STORAGE_LIFECYCLE_POLICIES view | GOVERNANCE_VIEWER |
| STORAGE_LIFECYCLE_POLICY_HISTORY view | GOVERNANCE_VIEWER |
| STORAGE_USAGE view | USAGE_VIEWER |
| TABLE_CONSTRAINTS view | OBJECT_VIEWER |
| TABLE_DML_HISTORY view | USAGE_VIEWER |
| TABLE_PRUNING_HISTORY view | USAGE_VIEWER |
| TABLE_QUERY_PRUNING_HISTORY view | USAGE_VIEWER |
| TABLE_STORAGE_METRICS view | USAGE_VIEWER |
| TABLES view | OBJECT_VIEWER |
| TAG_REFERENCES view | GOVERNANCE_VIEWER |
| TAGS view | OBJECT_VIEWER or GOVERNANCE_VIEWER |
| TASK_HISTORY view | USAGE_VIEWER |
| TRUST_CENTER_FINDINGS view | SECURITY_VIEWER |
| USERS view | SECURITY_VIEWER |
| VIEWS view | OBJECT_VIEWER |
| WAREHOUSE_EVENTS_HISTORY view | USAGE_VIEWER |
| WAREHOUSE_LOAD_HISTORY view | USAGE_VIEWER |
| WAREHOUSE_METERING_HISTORY view | USAGE_VIEWER |
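
The view-to-role mapping above decides which database roles a monitoring role needs. The following added example (not part of the Snowflake documentation) builds a least-privilege security monitoring role that reads LOGIN_HISTORY and SESSIONS through SECURITY_VIEWER and QUERY_HISTORY through GOVERNANCE_VIEWER. The role SEC_MONITOR, the warehouse MONITOR_WH, the user soc_analyst, and the threshold of 5 failures are assumptions.

```sql
-- Added example: all object names below are hypothetical.
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS SEC_MONITOR
  COMMENT = 'Read-only security monitoring over SNOWFLAKE.ACCOUNT_USAGE';

-- LOGIN_HISTORY and SESSIONS are covered by SECURITY_VIEWER;
-- QUERY_HISTORY is covered by GOVERNANCE_VIEWER (see the table above).
GRANT DATABASE ROLE SNOWFLAKE.SECURITY_VIEWER   TO ROLE SEC_MONITOR;
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE SEC_MONITOR;

-- A warehouse is needed to run the queries.
GRANT USAGE ON WAREHOUSE MONITOR_WH TO ROLE SEC_MONITOR;
GRANT ROLE SEC_MONITOR TO USER soc_analyst;

USE ROLE SEC_MONITOR;
USE WAREHOUSE MONITOR_WH;

-- User / client IP pairs with repeated failed logins in the last 24 hours.
SELECT user_name,
       client_ip,
       COUNT(*)             AS failed_logins,
       MAX(event_timestamp) AS last_failure
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip
HAVING COUNT(*) >= 5          -- assumed alert threshold
ORDER BY failed_logins DESC;

-- Tie each login to the queries run in the sessions it opened.
-- This join fails with an authorization error if either database role is missing.
SELECT l.event_timestamp, l.user_name, l.client_ip,
       q.query_id, q.role_name, q.start_time
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY l
JOIN SNOWFLAKE.ACCOUNT_USAGE.SESSIONS      s ON s.login_event_id = l.event_id
JOIN SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY q ON q.session_id     = s.session_id
WHERE l.event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
ORDER BY l.event_timestamp, q.start_time;
```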

READER_ACCOUNT_USAGE schema

The READER_USAGE_VIEWER SNOWFLAKE database role is granted SELECT privilege on all READER_ACCOUNT_USAGE views. As reader accounts are created by clients, the READER_USAGE_VIEWER role is expected to be granted to those roles used to monitor reader account use.

View
LOGIN_HISTORY view
QUERY_HISTORY view
RESOURCE_MONITORS view
STORAGE_USAGE view
WAREHOUSE_METERING_HISTORY view

ORGANIZATION_USAGE schema

The ORGANIZATION_USAGE_VIEWER, ORGANIZATION_BILLING_VIEWER, and ORGANIZATION_ACCOUNTS_VIEWER SNOWFLAKE database roles are granted the SELECT privilege on Organization Usage views in the shared SNOWFLAKE database.

View ORGANIZATION_BILLING_VIEWER Role ORGANIZATION_USAGE_VIEWER Role ORGANIZATION_ACCOUNTS_VIEWER Role
ACCOUNTS view
ANOMALIES_IN_CURRENCY_DAILY view
CONTRACT_ITEMS view
LISTING_AUTO_FULFILLMENT_USAGE_HISTORY view
RATE_SHEET_DAILY view
REMAINING_BALANCE_DAILY view
USAGE_IN_CURRENCY_DAILY view
MARKETPLACE_DISBURSEMENT_REPORT View
DATA_TRANSFER_DAILY_HISTORY view
DATA_TRANSFER_HISTORY view
DATABASE_STORAGE_USAGE_HISTORY view
AUTOMATIC_CLUSTERING_HISTORY view
MARKETPLACE_PAID_USAGE_DAILY View
MATERIALIZED_VIEW_REFRESH_HISTORY view
METERING_DAILY_HISTORY view
MONETIZED_USAGE_DAILY View
PIPE_USAGE_HISTORY view
QUERY_ACCELERATION_HISTORY view
REPLICATION_GROUP_USAGE_HISTORY view
REPLICATION_USAGE_HISTORY view
SEARCH_OPTIMIZATION_HISTORY view
STAGE_STORAGE_USAGE_HISTORY view
STORAGE_DAILY_HISTORY view
WAREHOUSE_METERING_HISTORY view

CORE schema

The CORE_VIEWER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts containing a shared SNOWFLAKE database. The USAGE privilege is granted to all Snowflake-defined functions and bundles in the CORE schema.

Budget class

The BUDGET_CREATOR Snowflake database role is granted the USAGE privilege on the SNOWFLAKE.CORE schema and the BUDGET class in the schema. This grant allows users with the BUDGET_CREATOR role to create instances of the BUDGET class.

For more information, see Create a custom role to create budgets.

Tag objects

The CORE_VIEWER database role is granted the APPLY privilege on each Data Classification system tag: SNOWFLAKE.CORE.PRIVACY_CATEGORY and SNOWFLAKE.CORE.SEMANTIC_CATEGORY. These grants allow users with a role that is granted the CORE_VIEWER database role to assign these system tags to columns.

For details, see:

ALERT schema

The ALERT_VIEWER SNOWFLAKE database role is granted the USAGE privilege on the functions defined in this schema.

ML schema

The ML_USER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts that contain a shared SNOWFLAKE database and allows customers to access and use ML functions. Users must also have the USAGE privilege on the ML schema to call these functions.

MONITORING schema

The MONITORING_VIEWER database role has the SELECT privilege on all views in the MONITORING schema.

The MONITORING_VIEWER database role is granted to the PUBLIC role in all Snowflake accounts containing a shared SNOWFLAKE database.

SNOWFLAKE.CLASSIFICATION_ADMIN database role

The SNOWFLAKE.CLASSIFICATION_ADMIN database role allows a data engineer or steward to create an instance of the CLASSIFICATION_PROFILE class. A classification profile is used to implement automatic sensitive data classification.

SNOWFLAKE.CORTEX_AGENT_USER database role

You can use the SNOWFLAKE.CORTEX_AGENT_USER database role to grant your users access to Snowflake Cortex Agents API without granting access to other Cortex features. Using the Cortex Agents API requires either the SNOWFLAKE.CORTEX_USER database role or the SNOWFLAKE.CORTEX_AGENT_USER database role.

By default, the SNOWFLAKE.CORTEX_USER database role is granted to the PUBLIC role. For fine-grained access control, revoke access from the PUBLIC role and grant access to the SNOWFLAKE.CORTEX_AGENT_USER database role. For more information, see Set up access to the agent.

SNOWFLAKE.CORTEX_EMBED_USER database role

The SNOWFLAKE.CORTEX_EMBED_USER database role is used to grant customers access to Snowflake Cortex embedding functions AI_EMBED, SNOWFLAKE.CORTEX.EMBED_768, and SNOWFLAKE.CORTEX_EMBED_TEXT_1024 without granting access to other Cortex features. Calling these embedding functions requires either the SNOWFLAKE.CORTEX_USER database role or the SNOWFLAKE.CORTEX_EMBED_USER database role. This role is not granted to any roles by default.

If you want users to have access to the embedding functions, grant this database role to appropriate roles. For details, see Cortex LLM Functions required privileges.

SNOWFLAKE.CORTEX_USER database role

The SNOWFLAKE.CORTEX_USER database role is used to grant customers access to Snowflake Cortex features. By default, this role is granted to the PUBLIC role. The PUBLIC role is automatically granted to all users and roles, so this allows all users in your account to use Snowflake Cortex LLM functions.

If you don’t want all users to have this privilege, you can revoke access from the PUBLIC role and grant access to specific roles. For details, see Cortex LLM Functions required privileges.

SNOWFLAKE.COPILOT_USER database role

The SNOWFLAKE.COPILOT_USER database role allows customers to access Snowflake Copilot features. Initially, this database role is granted to the PUBLIC role. The PUBLIC role is automatically granted to all users and roles, so this allows all users in your account to use Snowflake Copilot. If you want to limit access to Snowflake Copilot features, you can revoke access from the PUBLIC role and grant access to specific roles. For details, see Access control requirements.
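
The sections above on CORTEX_AGENT_USER, CORTEX_USER, and COPILOT_USER describe the same hardening step: remove the default grant to PUBLIC and grant the database role to specific roles instead. The following added example (not part of the Snowflake documentation) shows that sequence with a check before and after. The roles CORTEX_ANALYSTS and AGENT_CALLERS and the users jdoe and svc_agent are hypothetical.

```sql
-- Added example: custom role and user names are hypothetical.
USE ROLE ACCOUNTADMIN;

-- Before: list current grantees. With the defaults described above,
-- PUBLIC appears as a grantee of CORTEX_USER and COPILOT_USER.
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.CORTEX_USER;
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.COPILOT_USER;

-- Remove the account-wide default access.
REVOKE DATABASE ROLE SNOWFLAKE.CORTEX_USER  FROM ROLE PUBLIC;
REVOKE DATABASE ROLE SNOWFLAKE.COPILOT_USER FROM ROLE PUBLIC;

-- Full Cortex access for one named group.
CREATE ROLE IF NOT EXISTS CORTEX_ANALYSTS
  COMMENT = 'May use Snowflake Cortex features';
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE CORTEX_ANALYSTS;
GRANT ROLE CORTEX_ANALYSTS TO USER jdoe;

-- Cortex Agents API only, without the other Cortex features.
CREATE ROLE IF NOT EXISTS AGENT_CALLERS
  COMMENT = 'May call the Cortex Agents API only';
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_AGENT_USER TO ROLE AGENT_CALLERS;
GRANT ROLE AGENT_CALLERS TO USER svc_agent;

-- After: PUBLIC should no longer be listed for either role.
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.CORTEX_USER;
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.COPILOT_USER;
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.CORTEX_AGENT_USER;
```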

Using SNOWFLAKE database roles

Administrators can use the GRANT DATABASE ROLE command to assign a SNOWFLAKE database role to another role, which can then be granted to a user. This allows the user to access a specific subset of views in the SNOWFLAKE database.

The following example creates a role that can be used to view SNOWFLAKE database object metadata. The example does the following:

  1. Creates a custom role.
  2. Grants the OBJECT_VIEWER role to the custom role.
  3. Grants the custom role to a user.

To create and grant the custom role, do the following:

  1. Using CREATE ROLE, create the CAN_VIEWMD role that will be used to grant access to object metadata.
    Only users with the USERADMIN system role or higher, or another role with the CREATE ROLE privilege on the account, can create roles.
    ```sql
    CREATE ROLE CAN_VIEWMD COMMENT = 'This role can view metadata per SNOWFLAKE database role definitions';
    ```
  2. Grant the OBJECT_VIEWER role to the CAN_VIEWMD role.
    Only users with the OWNERSHIP role can grant SNOWFLAKE database roles. For additional information, refer to GRANT DATABASE ROLE.
    ```sql
    -- Qualify the database role with its database so the statement
    -- does not depend on the current database of the session.
    GRANT DATABASE ROLE SNOWFLAKE.OBJECT_VIEWER TO ROLE CAN_VIEWMD;
    ```
  3. Assign the CAN_VIEWMD role to user smith.
    Only users with the SECURITYADMIN role can grant roles to users. For additional options, refer to GRANT ROLE.
    ```sql
    GRANT ROLE CAN_VIEWMD TO USER smith;
    ```