Database roles: Updated error messages when granting to a share

Attention

This behavior change is in the 2023_06 bundle.

For the current status of the bundle, refer to Bundle History.

The error messages associated with granting a database role to a share using the GRANT DATABASE ROLE … TO SHARE command have changed.

In these tables, the word “resolve” means that the owner role of the database role (executing role) has the appropriate privilege to access the object granted to the database role. For example, the owner role can resolve a table if the database role has the SELECT privilege on a table with the USAGE privilege on the database and schema that stores the table and the owner role has the same privileges granted to it.

This table lists the error message replacements when granting a database role to a share:

Behavior

Previously

Currently

The executing role can resolve the object but the object cannot be shared.

Cannot share a database role that is granted privilege ‘SELECT’ on ‘Table’ object: SQL compilation error: A view can only be shared if it is created as a SECURE view, or marked SECURE using ALTER VIEW V SET SECURE.

Cannot share a database role that is granted privilege ‘SELECT’ on VIEW ‘DB.SCH.V’: SQL compilation error: A view can only be shared if it is created as a SECURE view, or marked SECURE using ALTER VIEW V SET SECURE.

The database role cannot resolve the object and the object is not shared.

Cannot share a database role that is granted privilege ‘SELECT’ on ‘Table’ object.

Cannot share a database role that is granted non-shareable privileges. Use role with MANAGE GRANTS to fix it.

The database role can resolve a dropped object that was not shared.

Cannot share a database role that is granted privilege ‘SELECT’ on ‘Table’ object: SQL compilation error: A view can only be shared if it is created as a SECURE view, or marked SECURE using ALTER VIEW VD SET SECURE.

Cannot share a database role that is granted privilege ‘SELECT’ on DROPPED View ‘DB.DSCH.V’. Use roles with MANAGE GRANTS to call the CLEANUP_DATABASE_ROLE_GRANTS(‘database_role_name’, ‘share_name’) to revoke the privileges and then grant the database role to the share.

The database role cannot resolve a dropped object that was not shared.

Cannot share a database role that is granted privilege ‘SELECT’ on ‘Table’ object.

Cannot share a database role that is granted non-shareable privileges. Use role with MANAGE GRANTS to fix it.

Additionally, the system function SYSTEM$CLEANUP_DATABASE_ROLE_GRANTS helps to address the scenario when a database role can resolve a dropped object that was not shared.

This table lists the error messages that are being removed when you try to grant a database role to a share.

Behavior

Previous error message

Current result

The database role cannot resolve the shared object.

Cannot share a database role that is granted privilege ‘SELECT’ on ‘Table’ object.

You can grant the database role to the share. Snowflake returns a successful status message.

The database role cannot resolve a dropped object that was shared.

Cannot share a database role that is granted privilege ‘SELECT’ on ‘Table’ object.

You can grant the database role to the share. Snowflake returns a successful status message.

Ref: 1220

Language: English