0
votes

The DESCRIBE function of Snowflake can be applied to many objects, like users, warehouses or databases (https://docs.snowflake.com/en/sql-reference/sql/desc.html).

I cannot find what grants are required to execute DESCRIBE. From experiments, I figured out a few things:

- In most cases, only the OWNER of an object is allowed to DESCRIBE that object
- Exception: DESCRIBE DATABASE is allowed to be executed by non-owners
- (Exception: DESCRIBE SCHEMA fails when the schema holds an external table, but this is probably just not implemented)

I cannot find in the documentation what the general grants are in order to perform DESCRIBE. My tests seem to suggest that there is no general rule, but I would be very happy if somebody can prove me wrong :-)

1 Answers

1
votes

From my experiments, all of the basic objects that lie under a schema, such as Tables, Procedures and Functions, File Formats, Stages, etc., will permit DESCRIBE commands if any of their privilege types is granted to the accessor. This implicit behaviour may be why it is not specially called out in Snowflake's access control documentation page.

For almost all other types of objects, the MONITOR privilege is necessary to permit DESCRIBE commands. Quoting a relevant part from the documentation:

MONITOR

Resource Monitor, Warehouse, Database, Schema, Task

Grants ability to see details within an object (e.g. queries and usage within a warehouse).
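A way to check the behaviour described in this answer in your own account, written as an added example that is not part of the original answer or Snowflake's documentation. The role `desc_probe`, the table `demo_db.demo_schema.t1` and the warehouse `demo_wh` are constructed names; it assumes both objects already exist and that the user running it holds SECURITYADMIN and SYSADMIN. The "expected" comments restate what the answer reports, so treat them as the hypothesis under test.

```sql
-- Constructed names: desc_probe, demo_db.demo_schema.t1, demo_wh.
-- Step 1: create a probe role that holds no object privileges yet.
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS desc_probe;
GRANT ROLE desc_probe TO ROLE SYSADMIN;   -- lets a SYSADMIN user switch to it

-- USAGE on the containers only, so names can be resolved.
GRANT USAGE ON DATABASE demo_db TO ROLE desc_probe;
GRANT USAGE ON SCHEMA demo_db.demo_schema TO ROLE desc_probe;

-- Step 2: baseline. No privilege on the table or the warehouse.
USE ROLE desc_probe;
DESCRIBE TABLE demo_db.demo_schema.t1;    -- expected per the answer: denied
DESCRIBE WAREHOUSE demo_wh;               -- expected per the answer: denied

-- Step 3: schema-level object. Grant any single privilege on it.
USE ROLE SECURITYADMIN;
GRANT SELECT ON TABLE demo_db.demo_schema.t1 TO ROLE desc_probe;

USE ROLE desc_probe;
DESCRIBE TABLE demo_db.demo_schema.t1;    -- expected per the answer: succeeds

-- Step 4: non-schema object. Grant MONITOR only (no USAGE, no OPERATE).
USE ROLE SECURITYADMIN;
GRANT MONITOR ON WAREHOUSE demo_wh TO ROLE desc_probe;

USE ROLE desc_probe;
DESCRIBE WAREHOUSE demo_wh;               -- expected per the answer: succeeds

-- Step 5: record exactly what the probe role held during the test.
USE ROLE SECURITYADMIN;
SHOW GRANTS TO ROLE desc_probe;

-- Step 6: clean up so the probe role does not linger with metadata access.
REVOKE MONITOR ON WAREHOUSE demo_wh FROM ROLE desc_probe;
REVOKE SELECT ON TABLE demo_db.demo_schema.t1 FROM ROLE desc_probe;
DROP ROLE IF EXISTS desc_probe;
```

For a least-privilege review, the same `SHOW GRANTS TO ROLE` output tells you which roles can read object metadata through DESCRIBE even though they were never granted ownership.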