what are outbound privileges in snowflake

2
votes

In the snowflake grant ownership documentation, there is a reference to "outgoing privileges."

What are "outgoing privileges?

This is part of the optional parameter "copy/revoke current grants."

It says, "Transfers ownership of an object along with a copy of any existing outbound privileges on the object."

I am trying to figure out what "outbound privileges" are.

EDIT: Here is a test I ran. I'm not seeing the difference.

create or replace view sandbox.test_schema.my_test_view
as
select 1 a;

grant ownership on view sandbox.test_schema.my_test_view to role ABC

show grants on view sandbox.test_schema.my_test_view

Privilege=ownership; granted_to=ROLE; grantee_name=ABC; grant_option=true; granted_by=ABC

if i add the copy grants

If instead I run everything exactly the same except I copy grant privileges

grant ownership on view sandbox.test_schema.my_test_view to role ABC copy current grants

The result of showing grants on the view are identical.

Is there an example where "copy current grants" makes a difference?

1
snowflake-cloud-data-platform
Updated my answer to cover your latest question.Gokhan Atil
Outgoing privilege is ANY privilege/grant on the object other than ownership (in case, you accept that being ownership is a privilege). For example, if you grant SELECT privilege explicitly to the role which owns the object, changing ownership will fail saying "Dependent grant exits".Gokhan Atil

1 Answers

1
votes

"Outbound privileges" mean existing privileges (current grants) on the object.

So you updated your sample and asked if there is an example where "copy current grants" makes a difference?

Assume that there's another role (DEF), and we granted select on the sample view:

create role DEF;
grant select on sandbox.test_schema.my_test_view to role DEF;

In this case, the following command would fail saying "SQL execution error: Dependent grant of privilege 'SELECT' on securable 'SANDBOX.TEST_SCHEMA.MY_TEST_VIEW' to role 'DEF' exists":

grant ownership on view sandbox.test_schema.my_test_view to role ABC;

To overcome this issue:

1) We can remove existing grants manually, and retry the first statement:

revoke select on sandbox.test_schema.my_test_view from role DEF;
grant ownership on view sandbox.test_schema.my_test_view to role ABC;

2) We can remove existing grants automatically:

grant ownership on view sandbox.test_schema.my_test_view to role ABC revoke current grants;

3) We can keep existing grants while changing the ownership:

grant ownership on view sandbox.test_schema.my_test_view to role ABC copy current grants;

So the "COPY/REVOKE current grants" make a difference if there are existing grants on the object.