IS_GRANTED_TO_INVOKER_ROLE Function: Change to the Output

Attention

This behavior change is in the 2023_04 bundle.

For the current status of the bundle, refer to Bundle History.

The behavior of the IS_GRANTED_TO_INVOKER_ROLE function is as follows:

Previously:

The function evaluates to FALSE when the argument corresponds to a role in the following context:

  • Calling the function by itself: the role hierarchy of the active, primary role (i.e. CURRENT_ROLE()).

  • Stored procedure caller’s rights.

  • Stored procedure owner’s rights.

  • Task owner.

If the function is used in a masking policy that protects a table, the function evaluates the policy owner’s role hierarchy. If the role in the function argument is in the role hierarchy of the role that owns the policy, the function evaluates to TRUE. Otherwise, the function evaluates to FALSE.

Currently:

The function evaluation uses the primary role hierarchy for the session in the following contexts:

  • Calling the function by itself.

  • Table

  • Stored procedure with caller’s rights.

If the function is used in a stored procedure with owner’s rights, the function evaluates the role hierarchy of the role that owns the stored procedure with owner’s rights.

Similarly, if the function is used with a task, the function evaluates the role hierarchy of the role that owns the task.

To identify existing masking policies that use the IS_GRANTED_TO_INVOKER_ROLE function, execute the following statements:

USE ROLE ACCOUNTADMIN;

SELECT *
    FROM snowflake.account_usage.masking_policies
    WHERE policy_body ilike '%is_granted_to_invoker_role%';
Copy

Ref: 984

Language: English