Categories:: Context functions (Session Object)

INVOKER_ROLE¶

Returns the name of the account-level role of the object executing the query or NULL if the name of the role is a database role.

See also:: Advanced Column-level Security topics

Syntax¶

INVOKER_ROLE()

Arguments¶

None.

Usage notes¶

If using the INVOKER_ROLE function with masking policy, verify that your Snowflake account is Enterprise Edition or higher.

The following table summarizes the relationship between the query context and the role the function evaluates.

Context	Evaluated role
User	CURRENT_ROLE
Table	CURRENT_ROLE.
View	View owner role.
UDF	UDF owner role.
Stored procedure with caller’s right	CURRENT_ROLE.
Stored procedure with owner’s right	Stored procedure owner role.
Task	Task owner role.
Stream	The role that queries a given stream.

The following diagram shows the relationship of a query performer, roles in Snowflake, and masking policies on tables or views.

Where:
- R0, R1, R2, R3
  Are roles in Snowflake.
- P1, P2, P3
  Are masking policies in Snowflake.
- V1, V2
  Are views in Snowflake.
- T
  Is a table in Snowflake.
Based on this diagram, the values of CURRENT_ROLE and INVOKER_ROLE in a query are as follows:

Policy CURRENT_ROLE INVOKER_ROLE
P1 R3 R1
P2 R3 R2
P3 R3 R3

Policy	CURRENT_ROLE	INVOKER_ROLE
P1	R3	R1
P2	R3	R2
P3	R3	R3

Examples¶

The following examples show how to use the INVOKER_ROLE in a masking policy SQL expression.

Return NULL for unauthorized users:

CREATE OR REPLACE MASKING POLICY mask_string AS
(val string) RETURNS string ->
CASE
  WHEN INVOKER_ROLE() IN ('ANALYST') THEN val
  ELSE NULL
END;

Return a static masked value for unauthorized users:

CREATE OR REPLACE MASKING POLICY mask_string AS
(val string) RETURNS string ->
CASE
  WHEN INVOKER_ROLE() IN ('ANALYST') THEN val
  ELSE '********'
END;

Return a hash value using SHA2 , SHA2_HEX for unauthorized users:

CREATE OR REPLACE MASKING POLICY mask_string AS
(val string) RETURNS string ->
CASE
  WHEN INVOKER_ROLE() IN ('ANALYST') THEN val
  ELSE SHA2(val)
END;