0
votes

I want to create a new role, and we have two options: 1) using the GUI, 2) using a statement. Why do we have to choose a parent role when using the GUI and not when creating the role using a statement? Does creating it using a statement take the parent role as PUBLIC by default? Now, I created the role using a statement and haven't given any DB usage grant to the role, but I can still see that the new role is able to see DBs and other objects that were created by the ACCOUNTADMIN, SYSADMIN or PUBLIC roles. Why is that so? As per the role creation, the new role should not be able to see the other DBs via the console unless usage is granted. Thanks

1 Answer

0
votes

When creating a role via the UI, you can always click the "Show SQL" button to see exactly what gets executed. As you can see, a role is created and assigned to a parent role. This is a best practice to keep a hierarchy-like structure for roles (the top role can see everything the bottom role can see). However, Snowflake also gives you the flexibility to create a role without specifying the parent, as you can see from executing Worksheet SQL statements.

The PUBLIC role is special, as all users are automatically assigned this role. You can kind of think of it as the "Everyone" group in Windows. You will want to make sure you're not accidentally giving the PUBLIC role too many permissions, or else all roles will be able to see those objects. https://docs.snowflake.com/en/user-guide/admin-user-management.html#user-roles
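
The steps described in the answer above, written out as worksheet SQL. This is an added example, not part of the original answer; `ANALYST_ROLE` and `SALES_DB` are hypothetical names, and the statements assume a session that can use SECURITYADMIN.

```sql
-- Hypothetical names: ANALYST_ROLE (the new role), SALES_DB (a database visible via PUBLIC).
USE ROLE SECURITYADMIN;

-- 1. What a bare statement does: the role is created with no parent.
CREATE ROLE IF NOT EXISTS ANALYST_ROLE;

-- 2. What the UI adds on top: grant the new role to a parent role,
--    so the parent inherits whatever ANALYST_ROLE is later granted.
GRANT ROLE ANALYST_ROLE TO ROLE SYSADMIN;

-- 3. Check which roles and users hold the new role (shows the parent from step 2).
SHOW GRANTS OF ROLE ANALYST_ROLE;

-- 4. Check what was granted directly to the new role.
--    For a role created as above, no database USAGE grant appears here.
SHOW GRANTS TO ROLE ANALYST_ROLE;

-- 5. Audit PUBLIC: anything listed here is visible to every role,
--    including one that has no grants of its own.
SHOW GRANTS TO ROLE PUBLIC;
SELECT "privilege", "granted_on", "name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" IN ('DATABASE', 'SCHEMA', 'TABLE', 'VIEW')
ORDER BY "granted_on", "name";

-- 6. Tighten: take the database away from PUBLIC and grant it
--    only to the role that needs it.
REVOKE USAGE ON DATABASE SALES_DB FROM ROLE PUBLIC;
GRANT USAGE ON DATABASE SALES_DB TO ROLE ANALYST_ROLE;

-- 7. Verify from the new role's point of view.
--    This works once your user has been granted ANALYST_ROLE or a role above it, such as SYSADMIN.
USE ROLE ANALYST_ROLE;
SHOW DATABASES;
```

Run step 5 before step 6 and review each row: revoking from PUBLIC removes that access for every user who relied on it.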