GRANT

Description

Grants specific privileges to a user or a role.

Grants roles to users or other roles.

NOTE

You are not allowed grant privileges or roles to system built-in roles account_admin and org_admin.

Syntax

Grant privileges to roles or users

System

GRANT
    { CREATE EXTERNAL CATALOG | REPOSITORY } 
    ON SYSTEM
    TO { ROLE | USER } {<role_name>|<username>} [ WITH GRANT OPTION ]

Global UDF

GRANT
    { USAGE | DROP | ALL [PRIVILEGES]} 
    ON { GLOBAL FUNCTION <function_name>(input_data_type) [, < function_name >(input_data_type),...]    
       | ALL GLOBAL FUNCTIONS }
    TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]

Example: GRANT usage ON GLOBAL FUNCTION a(string) to kevin;

Internal catalog

GRANT
    { USAGE | CREATE DATABASE | ALL [PRIVILEGES]} 
    ON CATALOG default_catalog
    TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]

External catalog

GRANT
   { USAGE | DROP | ALL [PRIVILEGES] } 
   ON { CATALOG <catalog_name> [, <catalog_name>,...] | ALL CATALOGS}
   TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]

Database

GRANT
    { ALTER | DROP | CREATE TABLE | CREATE VIEW | CREATE FUNCTION | CREATE MATERIALIZED VIEW | ALL [PRIVILEGES] } 
    ON { DATABASE <database_name> [, <database_name>,...] | ALL DATABASES }
    TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]
  
-- You must first run SET CATALOG before you run this command.

Table

GRANT
    { ALTER | DROP | SELECT | INSERT | EXPORT | UPDATE | DELETE | ALL [PRIVILEGES]} 
    ON { TABLE <table_name> [, < table_name >,...]
       | ALL TABLES} IN 
           { DATABASE <database_name> | ALL DATABASES }
    TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]

-- You must first run SET CATALOG before you run this command. 
-- You can also use db.tbl to represent a table.
GRANT <priv> ON TABLE db.tbl TO {ROLE <role_name> | USER <username>}

-- You can grant the SELECT privilege on all tables in Internal and External Catalogs to read data from these tables. For tables in Hive and Iceberg Catalogs,you can grant the INSERT privilege to write data into such tables.

View

GRANT  
    { ALTER | DROP | SELECT | ALL [PRIVILEGES]} 
    ON { VIEW <view_name> [, < view_name >,...]ALL VIEWS} IN 
           {  DATABASE <database_name> | ALL DATABASES }
    TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]
    
-- You must first run SET CATALOG before you run this command. 
-- You can also use db.view to represent a view.
GRANT <priv> ON VIEW db.view TO {ROLE <role_name> | USER <username>}

-- For tables in an External Catalog, you can only grant the SELECT privilege on Hive table views.

Materialized view

GRANT
    { SELECT | ALTER | REFRESH | DROP | ALL [PRIVILEGES]} 
    ON { MATERIALIZED VIEW <mv_name> [, < mv_name >,...]ALL MATERIALIZED VIEWS} IN 
           { DATABASE <database_name> | ALL DATABASES }
    TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]

-- You must first run SET CATALOG before you run this command. 
-- You can also use db.mv to represent an mv.
GRANT <priv> ON MATERIALIZED VIEW db.mv TO {ROLE <role_name> | USER <username>}

Function

GRANT
    { USAGE | DROP | ALL [PRIVILEGES]} 
    ON { FUNCTION <function_name>(input_data_type) [, < function_name >(input_data_type),...]ALL FUNCTIONS} IN 
           {  DATABASE <database_name>  | ALL DATABASES }
    TO { ROLE | USER} {<role_name>|<username>} [ WITH GRANT OPTION ]

-- You must first run SET CATALOG before you run this command. 
-- You can also use db.function to represent a function.
GRANT <priv> ON FUNCTION db.function TO {ROLE <role_name> | USER <username>}

User

GRANT IMPERSONATE
ON USER <username>
TO USER <username> [ WITH GRANT OPTION ]

Grant roles to roles or users

GRANT <role_name> [,<role_name>, ...] TO ROLE <role_name>
GRANT <role_name> [,<role_name>, ...] TO USER <username>

References