SHOW ROW ACCESS POLICIES¶
列出您具有访问权限的行访问策略。返回包括创建日期、数据库和架构名称、所有者以及任何可用注释的信息。
- See also:
语法
参数
LIKE 'pattern'Optionally filters the command output by object name. The filter uses case-insensitive pattern matching, with support for SQL wildcard characters (
%and_).For example, the following patterns return the same results:
... LIKE '%testing%' ...... LIKE '%TESTING%' ...
Default: No value (no filtering is applied to the output).
LIMIT rows [ FROM 'name_string' ]Optionally limits the maximum number of rows returned, while also enabling “pagination” of the results. The actual number of rows returned might be less than the specified limit. For example, the number of existing objects is less than the specified limit.
The optional
FROM 'name_string'subclause effectively serves as a “cursor” for the results. This enables fetching the specified number of rows following the first row whose object name matches the specified string:- The string must be enclosed in single quotes and is case sensitive.
- The string does not have to include the full object name; partial names are supported.
Default: No value (no limit is applied to the output)
Note
For SHOW commands that support both the
FROM 'name_string'andSTARTS WITH 'name_string'clauses, you can combine both of these clauses in the same statement. However, both conditions must be met or they cancel out each other and no results are returned.In addition, objects are returned in lexicographic order by name, so
FROM 'name_string'only returns rows with a higher lexicographic value than the rows returned bySTARTS WITH 'name_string'.For example:
... STARTS WITH 'A' LIMIT ... FROM 'B'would return no results.... STARTS WITH 'B' LIMIT ... FROM 'A'would return no results.... STARTS WITH 'A' LIMIT ... FROM 'AB'would return results (if any rows match the input strings).
[ IN ... ](可选)指定命令的作用域。指定以下任一项:
ACCOUNTReturns records for the entire account.
DATABASE,
DATABASE db_nameReturns records for the current database in use or for a specified database (
db_name).If you specify
DATABASEwithoutdb_nameand no database is in use, the keyword has no effect on the output.Note
Using SHOW commands without an
INclause in a database context can result in fewer than expected results.Objects with the same name are only displayed once if no
INclause is used. For example, if you have tablet1inschema1and tablet1inschema2, and they are both in scope of the database context you’ve specified (that is, the database you’ve selected is the parent ofschema1andschema2), then SHOW TABLES only displays one of thet1tables.SCHEMA,
SCHEMA schema_nameReturns records for the current schema in use or a specified schema (
schema_name).SCHEMAis optional if a database is in use or if you specify the fully qualifiedschema_name(for example,db.schema).If no database is in use, specifying
SCHEMAhas no effect on the output.
APPLICATION application_name,
APPLICATION PACKAGE application_package_nameReturns records for the named Snowflake Native App or application package.
If you omit
IN ..., the scope of the command depends on whether the session currently has a database in use:- If a database is currently in use, the command returns the objects you have privileges to view in the database. This has the
same effect as specifying
IN DATABASE. - If no database is currently in use, the command returns the objects you have privileges to view in your account. This has the
same effect as specifying
IN ACCOUNT.
访问控制要求
A role used to execute this SQL command must have at least one of the following privileges at a minimum:
| Privilege | Object | Notes |
|---|---|---|
| APPLY ROW ACCESS POLICY | Account | |
| APPLY | Row access policy | |
| OWNERSHIP | Row access policy | OWNERSHIP is a special privilege on an object that is automatically granted to the role that created the object, but can also be transferred using the [GRANT OWNERSHIP](/sql-reference/sql/grant-ownership) command to a different role by the owning role (or any role with the MANAGE GRANTS privilege). |
Operating on an object in a schema requires at least one privilege on the parent database and at least one privilege on the parent schema.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
For additional details on row access policy DDL and privileges, see Manage row access policies.
使用说明
- The command doesn’t require a running warehouse to execute.
- The command only returns objects for which the current user’s current role has been granted at least one access privilege.
- The MANAGE GRANTS access privilege implicitly allows its holder to see every object in the account. By default, only the account administrator (users with the ACCOUNTADMIN role) and security administrator (users with the SECURITYADMIN role) have the MANAGE GRANTS privilege.
-
To post-process the output of this command, you can use the pipe operator (
->>) or the RESULT_SCAN function. Both constructs treat the output as a result set that you can query.For example, you can use the pipe operator or RESULT_SCAN function to select specific columns from the SHOW command output or filter the rows.
When you refer to the output columns, use double-quoted identifiers for the column names. For example, to select the output column
type, specifySELECT "type".You must use double-quoted identifiers because the output column names for SHOW commands are in lowercase. The double quotes ensure that the column names in the SELECT list or WHERE clause match the column names in the SHOW command output that was scanned.
-
The value for
LIMIT rowscan’t exceed10000. IfLIMIT rowsis omitted, the command results in an error if the result set is larger than ten thousand rows.To view results for which more than ten thousand records exist, either include
LIMIT rowsor query the corresponding view in the Snowflake Information Schema.
示例
以下示例代表具有 ACCOUNTADMIN 角色的用户执行查询。
以下示例代表一个角色,该角色对存在行访问策略的父架构没有 USAGE,并且不是 ACCOUNTADMIN 角色。