Categories:

Context functions (Session Object)

IS_ORGANIZATION_USER_GROUP_IN_SESSION

Assuming a role was imported from an organization user group, verifies whether the role is in the user’s active primary or secondary role hierarchy for the session.

如果指定角色未链接到组织用户组,则该函数返回 FALSE。

See also:

Advanced Column-level Security topics

语法

IS_ORGANIZATION_USER_GROUP_IN_SESSION( '<string_literal>' )

实参

'string_literal'

角色的名称。

返回

TRUE

The current user’s active primary role or secondary roles in the session inherit the privileges of the specified role.

When the DEFAULT_SECONDARY_ROLES value is ALL, any role granted to the user inherits the privileges of the specified role.

The specified role can be the current primary role or secondary role (that is, the roles returned by CURRENT_ROLE or CURRENT_SECONDARY_ROLES, respectively) or any role lower in the role hierarchy.

FALSE

以下任一内容:

  • 指定的角色是未链接到组织用户组的本地角色。
  • The specified role is either higher in the role hierarchy of the current primary or secondary roles or is not in the role hierarchy at all.
NULL

在数据共享使用者账户中,如果引用共享对象(例如安全 UDF 或安全视图),例如在掩码策略条件下,则此函数返回 NULL。此行为可防止在数据共享使用者账户中公开角色层次结构。

使用说明

The IS_ORGANIZATION_USER_GROUP_IN_SESSION function is similar to the IS_DATABASE_ROLE_IN_SESSION and IS_ROLE_IN_SESSION functions. The following usage notes apply to all of these context functions:

  • Use one syntax.

  • Name syntax:

    • Only one role name can be passed as an argument.
    • The argument must be a string and use the same casing as how the role is stored in Snowflake. For details, see Identifier requirements.

  • Column syntax:

    • Only one column can be passed as an argument.
    • The column must have a STRING data type.
    • Specify the column as one of the following:
      • column_name
      • table_name.column_name
      • schema_name.table_name.column_name
      • database_name.schema_name.table_name.column_name

  • Virtual columns:

    A virtual column, which contains the result of a calculated value from an expression rather than the calculated value being stored in the table, is not supported.

    SELECT IS_ROLE_IN_SESSION(UPPER(authz_role)) FROM t1;

    A virtual column is supported only when the expression has an alias for the column name:

    CREATE VIEW v2 AS
SELECT
  authz_role,
  UPPER(authz_role) AS upper_authz_role
FROM t2;

SELECT IS_ROLE_IN_SESSION(upper_authz_role) FROM v2;

  • Policies:

    If you use these functions with a masking policy or row access policy, verify that your Snowflake account is Enterprise Edition or higher.

    Snowflake recommends using this function when the policy conditions need to evaluate role hierarchy and inherited privileges.

  • Result cache:

    If you use this function in a masking policy or row access policy and neither the policy nor the table or column protected by the policy change from a previous query, you can use the RESULT_SCAN function to return the results of a query on the protected table. The result cache applies when using the nonliteral syntax only.

  • These functions cannot be used in the materialized view definition because the functions are not deterministic and Snowflake cannot determine what data to materialize.

示例

如果以下条件为 True,则以下示例返回 TRUE

  • Role analyst was created or linked when an organization user group was added to the account.
  • The privileges granted to the analyst role are inherited by the current role in the session.
SELECT IS_ORGANIZATION_USER_GROUP_IN_SESSION('ANALYST');