管理对协作、资源和数据的访问

概述

对 Collaboration 的访问以及在其中执行操作的能力，通过以下机制进行管理：

安装 Data Clean Room 应用程序需要 账户级安装应用的权限，该权限默认由 ACCOUNTADMIN 持有。
Permission to run specific Collaboration API procedures is managed by DCR privileges.
Permission to perform specific role-based actions in a collaboration is managed by Collaboration roles. These roles determine what a user can do in a specific collaboration. The collaboration definition must list you as an analysis runner to be able to run an analysis. You must be listed as a data provider to share data with a specified analysis runner.

These mechanisms are overlapping, and all requirements must be fulfilled to be able to perform a specific action on a specific resource. For example, for you to share a table my_data with user_1 in existing collaboration collab_1, all of the following requirements must be met:

You must be a designated data provider for user_1 in the collaboration, and user_1 must be an analysis runner in that collaboration (collaboration role).
您必须拥有调用相应 Collaboration API 存储过程的权限，才能将数据产品关联到 Collaboration 中（DCR 权限）。
You must have the REFERENCE_USAGE privilege with GRANT OPTION on the table my_data to register it as a data offering resource (RBAC privilege).

This topic describes how to manage DCR privileges. Data policies and collaboration roles are described separately.

使用 DCR 权限管理账户、对象和过程权限¶

SAMOOHA_APP_ROLE 角色拥有运行 Collaboration API 中所有存储过程的权限。该角色的访问范围可能比您希望授予账户中某些用户组的权限更广泛。尽管 Collaboration 角色会限制用户可以执行的操作，您也可以配置权限更精确、范围更受限的特定角色。

安装 Snowflake Data Clean Room 应用程序后，可能会向特定用户分配额外的 Data Clean Room 特定权限。

要向用户授予精细的 API 权限，请执行以下步骤：

创建角色。
将正在使用的仓库的使用权限授予该角色。
Call GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE if needed to grant appropriate privileges on a specific collaboration to a role.
Call GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE if needed to grant appropriate high-level privileges on all collaborations in the account to the role.
向用户授予该角色，用户现在可以调用协作过程来参与协作。

For example, GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE( 'JOIN COLLABORATION', 'collab_join_role' ) grants collab_join_role permission to call JOIN, REVIEW, RUN, LEAVE, VIEW_DATA_OFFERINGS, and many other API procedures needed to join and use a collaboration. In contrast, GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'REGISTRY', 'registry_1', 'registry_reader_role') grants registry_reader_role the permission to read from a single registry. You can grant multiple sets of privileges to the same role.

See which DCR privileges must be granted to be able to call a given Collaboration API procedure if you aren’t using SAMOOHA_APP_ROLE.

以下示例创建了一个名为 COLLABORATION_CREATOR 的角色，该角色可以创建协作、创建自定义注册表以及注册数据产品，并将该角色授予当前用户。

CREATE ROLE IF NOT EXISTS COLLABORATION_CREATOR;

-- Grant warehouse access to the role.
GRANT USAGE ON WAREHOUSE APP_WH TO ROLE COLLABORATION_CREATOR;

-- COLLABORATION_CREATOR needs these manual account-level privileges,
-- which are required by the CREATE COLLABORATION DCR privilege.
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE COLLABORATION_CREATOR;
GRANT CREATE APPLICATION ON ACCOUNT TO ROLE COLLABORATION_CREATOR;
GRANT CREATE DATABASE ON ACCOUNT TO ROLE COLLABORATION_CREATOR;
GRANT CREATE LISTING ON ACCOUNT TO ROLE COLLABORATION_CREATOR;
GRANT CREATE SHARE ON ACCOUNT TO ROLE COLLABORATION_CREATOR;
GRANT IMPORT SHARE ON ACCOUNT TO ROLE COLLABORATION_CREATOR;
GRANT MANAGE SHARE TARGET ON ACCOUNT TO ROLE COLLABORATION_CREATOR;

GRANT ROLE COLLABORATION_CREATOR TO USER alexander_hamilton;

-- Grant DCR account-level privileges using GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE.
-- This procedure requires the ACCOUNTADMIN role.

-- COLLABORATION_CREATOR: create collaborations, create registries,
-- and register data offerings.
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.ADMIN.GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE(
  'CREATE COLLABORATION', 'COLLABORATION_CREATOR');
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.ADMIN.GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE(
  'CREATE REGISTRY', 'COLLABORATION_CREATOR');
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.ADMIN.GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE(
  'REGISTER DATA OFFERING', 'COLLABORATION_CREATOR');

以下代码使用角色 COLLABORATION_CREATOR 创建了一个自定义注册表，然后授予 EU_SALES_TEAM 角色对该注册表的读取权限：

USE ROLE COLLABORATION_CREATOR;
USE WAREHOUSE APP_WH;
USE SECONDARY ROLES NONE;

-- Create a custom registry.
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.REGISTRY.CREATE_REGISTRY(
  'DATA_REGISTRY_EU',
  'DATA OFFERING');

-- Grant read permission on a registry created by this role to the role EU_SALES_TEAM.
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.ADMIN.GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE(
  'READ',
  'REGISTRY',
  'DATA_REGISTRY_EU',
  'EU_SALES_TEAM');

Collaboration API 过程的 DCR 权限要求¶

如果您使用的是自定义角色（而不是 SAMOOHA_APP_ROLE），下表总结了运行每个 Collaboration API 过程所需的权限。

除非另有说明，项目符号列表中的权限通常为替代关系：您只需拥有其中一项权限即可运行指定的过程。

Procedure name	Access requirements
REGISTER_TEMPLATE	Default registry: `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('REGISTER TEMPLATE', '{role name}')` Custom registry: You have read and write privileges on any custom registry that you created yourself. To access a custom registry created by another user, you need `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('REGISTER', 'REGISTRY', '{registry name}', '{role name}')`.
VIEW_REGISTERED_TEMPLATES	默认注册表： `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('VIEW REGISTERED TEMPLATES', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges Custom registry: You have read and write privileges on any custom registry that you created yourself. To access a custom registry created by another user, you need `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'REGISTRY', '{registry name}', '{role name}')`.
ADD_TEMPLATE_REQUEST	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 如果模板位于自定义注册表中，或者引用了自定义注册表中的代码样式，则还必须拥有注册表的 READ 权限。
REMOVE_TEMPLATE	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
VIEW_TEMPLATES	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('VIEW TEMPLATES', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 此外，要查看在自定义注册表中注册的对象，您需要该注册表的 READ 权限。
ENABLE_TEMPLATE_AUTO_APPROVAL	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('MANAGE TEMPLATE AUTO APPROVAL', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
DISABLE_TEMPLATE_AUTO_APPROVAL	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('MANAGE TEMPLATE AUTO APPROVAL', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
GET_CONFIGURATION	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('MANAGE TEMPLATE AUTO APPROVAL', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
SET_CONFIGURATION	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('MANAGE TEMPLATE AUTO APPROVAL', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
REGISTER_DATA_OFFERING	Default registry: `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('REGISTER DATA OFFERING', '{role name}')` Custom registry: You have read and write privileges on any custom registry that you created yourself. To access a custom registry created by another user, you need `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('REGISTER', 'REGISTRY', '{registry name}', '{role name}')`. 此外，调用方还需要以下 RBAC 权限：源表/视图的 SELECT 权限。包含源表的数据库和架构的 USAGE 权限。规范中引用的任何策略对象的 USAGE 权限。
LINK_DATA_OFFERING	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges Additionally, the caller must have the REFERENCE_USAGE privilege with GRANT OPTION on any data to be shared. If you don’t, you’ll get a “missing reference usage grant” error. Learn how to handle this issue. If the data offering is in a custom registry, you must also have privileges granted by calling `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'REGISTRY', '{registry name}', '{role name}')`.
UNLINK_DATA_OFFERING	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges The `UPDATE` privilege on a collaboration doesn’t grant access to this procedure. Additionally, only the role that called JOIN can successfully unlink data offerings, because the underlying share is owned by the joining role.
LINK_LOCAL_DATA_OFFERING	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
UNLINK_LOCAL_DATA_OFFERING	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
VIEW_REGISTERED_DATA_OFFERINGS	默认注册表： `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('VIEW REGISTERED DATA OFFERINGS', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges Custom registry: You have read and write privileges on any custom registry that you created yourself. To access a custom registry created by another user, you need `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'REGISTRY', '{registry name}', '{role name}')`.
VIEW_DATA_OFFERINGS	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('VIEW DATA OFFERINGS', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 此外，要查看在自定义注册表中注册的对象，您需要该注册表的 READ 权限。
REGISTER_CODE_SPEC	Default registry: `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('REGISTER CODE SPEC', '{role name}')` Custom registry: You have read and write privileges on any custom registry that you created yourself. To access a custom registry created by another user, you need `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('REGISTER', 'REGISTRY', '{registry name}', '{role name}')`.
VIEW_REGISTERED_CODE_SPECS	默认注册表： `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('VIEW REGISTERED CODE SPECS', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges Custom registry: You have read and write privileges on any custom registry that you created yourself. To access a custom registry created by another user, you need `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'REGISTRY', '{registry name}', '{role name}')`.
VIEW_CODE_SPECS	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 此外，要查看在自定义注册表中注册的对象，您需要该注册表的 READ 权限。
VIEW_UPDATE_REQUESTS	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
APPROVE_UPDATE_REQUEST	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('MANAGE UPDATE REQUEST', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
REJECT_UPDATE_REQUEST	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('MANAGE UPDATE REQUEST', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('UPDATE', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
INITIALIZE	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges 有关所需的其他角色权限，请参阅 GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE。
TEARDOWN	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 有关所需的其他角色权限，请参阅 GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE。
GET_STATUS	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
ENABLE_EXTERNAL_TABLE_ANALYSIS _FOR_COLLABORATION	You must use a role that has been granted the MANAGE FIREWALL_CONFIGURATION privilege on the account.
VIEW_COLLABORATIONS	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('VIEW COLLABORATIONS', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('READ', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('RUN', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
REVIEW	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('REVIEW COLLABORATION', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 有关所需的其他角色权限，请参阅 GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE。
JOIN	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 有关所需的其他角色权限，请参阅 GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE。
LEAVE	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges 有关所需的其他角色权限，请参阅 GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE。
RUN	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('RUN', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
VIEW_ACTIVITY_HISTORY	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('VIEW ACTIVITY HISTORY', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
VIEW_ACTIVATIONS	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('VIEW ACTIVATIONS', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('RUN', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
PROCESS_ACTIVATION	`GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE('PROCESS ACTIVATION', 'COLLABORATION', '{collaboration name}', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')`, plus all additional account-level privileges `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')`, plus all additional account-level privileges
CREATE_REGISTRY	- `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE REGISTRY', '{role name}')`
VIEW_REGISTRIES	`GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('VIEW REGISTRIES', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE COLLABORATION', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('JOIN COLLABORATION', '{role name}')` `GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE('CREATE REGISTRY', '{role name}')`
GRANT_PRIVILEGE_ON_OBJECT_TO_ROLE	对于 Collaboration 对象：具有 CREATE COLLABORATION 或 JOIN COLLABORATION 的任何角色可以对任何 Collaboration 调用此过程。对于注册表对象：只有创建注册表的角色才能在该注册表上调用此过程。
GRANT_PRIVILEGE_ON_ACCOUNT_TO_ROLE	You need the ACCOUNTADMIN role, or a role with the MANAGE GRANTS global privilege, to run this procedure.