SNOWFLAKE database roles¶
When an account is provisioned, the SNOWFLAKE database is imported automatically. This database is an example of Snowflake using Secure Data Sharing to provide object metadata and other usage metrics to organizations and accounts.
Access to the schema objects in the SNOWFLAKE database is controlled by different database roles. The following sections describe each SNOWFLAKE database role, its associated privileges, and the schema objects that the role is granted access to.
ACCOUNT_USAGE schema¶
The ACCOUNT_USAGE schema has four defined SNOWFLAKE database roles, each of which is granted the SELECT privilege on specific views.

| Role | Purpose and description |
|---|---|
| OBJECT_VIEWER | The OBJECT_VIEWER role provides visibility into object metadata. |
| USAGE_VIEWER | The USAGE_VIEWER role provides visibility into historical usage information. |
| GOVERNANCE_VIEWER | The GOVERNANCE_VIEWER role provides visibility into information related to data governance. |
| SECURITY_VIEWER | The SECURITY_VIEWER role provides visibility into security-based information. |

Database roles required to access ACCOUNT_USAGE views¶
The OBJECT_VIEWER, USAGE_VIEWER, GOVERNANCE_VIEWER, and SECURITY_VIEWER roles have the SELECT privilege to query the Account Usage views in the shared SNOWFLAKE database. Use the following table to determine which database role is granted access to a view.
| View | Database role |
|---|---|
| | GOVERNANCE_VIEWER |
| | SECURITY_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | USAGE_VIEWER or GOVERNANCE_VIEWER |
| | USAGE_VIEWER or GOVERNANCE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | SECURITY_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | GOVERNANCE_VIEWER |
| | SECURITY_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | GOVERNANCE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | GOVERNANCE_VIEWER, SECURITY_VIEWER |
| | USAGE_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | OBJECT_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | USAGE_VIEWER, GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | SECURITY_VIEWER |
| | GOVERNANCE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | GOVERNANCE_VIEWER |
| | GOVERNANCE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | OBJECT_VIEWER |
| | GOVERNANCE_VIEWER |
| | OBJECT_VIEWER or GOVERNANCE_VIEWER |
| | USAGE_VIEWER |
| | SECURITY_VIEWER |
| | SECURITY_VIEWER |
| | OBJECT_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
| | USAGE_VIEWER |
READER_ACCOUNT_USAGE schema¶
The READER_USAGE_VIEWER SNOWFLAKE database role is granted the SELECT privilege on all READER_ACCOUNT_USAGE views. Because reader accounts are created by the customer, the READER_USAGE_VIEWER role is expected to be granted to the roles that are used to monitor reader account usage.
ORGANIZATION_USAGE schema¶
The ORGANIZATION_USAGE_VIEWER, ORGANIZATION_BILLING_VIEWER, and ORGANIZATION_ACCOUNTS_VIEWER SNOWFLAKE database roles are granted the SELECT privilege on the Organization Usage views in the shared SNOWFLAKE database.
| View | ORGANIZATION_BILLING_VIEWER role | ORGANIZATION_USAGE_VIEWER role | ORGANIZATION_ACCOUNTS_VIEWER role |
|---|---|---|---|
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
|||
✔ |
CORE schema¶
The CORE_VIEWER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts that contain the shared SNOWFLAKE database. The USAGE privilege is granted on all Snowflake-defined functions and packages in the CORE schema.
Budget class¶
The BUDGET_CREATOR Snowflake database role is granted the USAGE privilege on the SNOWFLAKE.CORE schema and on the BUDGET class in that schema. This grant allows users with the BUDGET_CREATOR role to create instances of the BUDGET class.
For more information, see Create a custom role to create a budget.
Tag objects¶
The CORE_VIEWER database role is granted the APPLY privilege on the classification system tags SNOWFLAKE.CORE.PRIVACY_CATEGORY and SNOWFLAKE.CORE.SEMANTIC_CATEGORY. These grants allow users with a role that is granted the CORE_VIEWER database role to assign these system tags to columns.
ALERT schema¶
The ALERT_VIEWER SNOWFLAKE database role is granted the USAGE privilege on the functions defined in this schema.
ML schema¶
The ML_USER SNOWFLAKE database role is granted to the PUBLIC role in all Snowflake accounts that contain the shared SNOWFLAKE database, which lets customers access and use the ML functions. Users must also have the USAGE privilege on the ML schema in order to call these functions.
MONITORING schema¶
The MONITORING_VIEWER database role has the SELECT privilege on all views in the MONITORING schema.
The MONITORING_VIEWER database role is granted to the PUBLIC role in all Snowflake accounts that contain the shared SNOWFLAKE database.
SNOWFLAKE.CLASSIFICATION_ADMIN database role¶
The SNOWFLAKE.CLASSIFICATION_ADMIN database role allows a data engineer or steward to create an instance of the CLASSIFICATION_PROFILE class. A classification profile is used to implement sensitive data classification.
SNOWFLAKE.CORTEX_AGENT_USER database role¶
You can use the SNOWFLAKE.CORTEX_AGENT_USER database role to grant your users access to Snowflake Cortex Agents API without granting access to other Cortex features. Using the Cortex Agents API requires either the SNOWFLAKE.CORTEX_USER database role or the SNOWFLAKE.CORTEX_AGENT_USER database role.
By default, the SNOWFLAKE.CORTEX_USER database role is granted to the PUBLIC role. For fine-grained access control, revoke access from the PUBLIC role and grant access to the SNOWFLAKE.CORTEX_AGENT_USER database role. For more information, see Set up access to the agent.
SNOWFLAKE.AI_FUNCTIONS_USER database role¶
The SNOWFLAKE.AI_FUNCTIONS_USER database role is used to grant customers access to Snowflake Cortex scalar AI functions (all Cortex AI functions except the aggregate functions AI_AGG and AI_SUMMARIZE_AGG) without granting access to Cortex services such as Cortex Agent, Cortex Analyst, Cortex Fine-tuning, or Cortex Search. Calling scalar AI functions requires either the SNOWFLAKE.CORTEX_USER database role or the SNOWFLAKE.AI_FUNCTIONS_USER database role.
By default, this role is not granted to any roles. If you want users to have access to scalar AI functions, grant this database role to appropriate roles. For details, see Cortex LLM Functions required privileges.
SNOWFLAKE.CORTEX_EMBED_USER database role¶
The SNOWFLAKE.CORTEX_EMBED_USER database role is used to grant customers access to the Snowflake Cortex embedding functions AI_EMBED, SNOWFLAKE.CORTEX.EMBED_TEXT_768, and SNOWFLAKE.CORTEX.EMBED_TEXT_1024 without granting access to other Cortex features. Calling these embedding functions requires either the SNOWFLAKE.CORTEX_USER database role or the SNOWFLAKE.CORTEX_EMBED_USER database role.
By default, this role is not granted to any roles. If you want users to have access to the embedding functions, grant this database role to appropriate roles. For details, see Cortex LLM Functions required privileges.
SNOWFLAKE.CORTEX_REST_API_USER database role¶
The SNOWFLAKE.CORTEX_REST_API_USER database role is used to grant customers access to the Snowflake Cortex REST API without granting access to other Cortex features such as Cortex AI functions, Cortex Agent, Cortex Analyst, Cortex Fine-tuning, or Cortex Search. Using the Cortex REST API requires either the SNOWFLAKE.CORTEX_USER database role or the SNOWFLAKE.CORTEX_REST_API_USER database role.
By default, this role is not granted to any roles. If you want users to have access to the Cortex REST API without granting broader Cortex privileges, grant this database role to appropriate roles. For details, see Limiting access using the Cortex REST API user role.
SNOWFLAKE.CORTEX_USER database role¶
The SNOWFLAKE.CORTEX_USER database role is used to grant customers access to Snowflake Cortex features. By default, this role is granted to the PUBLIC role. The PUBLIC role is automatically granted to all users and roles, so this allows all users in the account to use the Snowflake Cortex LLM functions.
If you do not want all users to have this privilege, you can revoke access from the PUBLIC role and then grant access to specific roles. For details, see Cortex LLM Functions required privileges.
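The narrowing described above for SNOWFLAKE.CORTEX_USER, and the split between the broad role and SNOWFLAKE.CORTEX_AGENT_USER from the earlier section, as an added example that is not part of the Snowflake documentation. The account role names cortex_analysts and agent_app_role are assumptions for illustration; the SHOW GRANTS and RESULT_SCAN calls are standard Snowflake SQL.

```sql
-- Added example: move Cortex access from "everyone via PUBLIC" to named roles.
-- Role names cortex_analysts and agent_app_role are assumed for illustration.
USE ROLE ACCOUNTADMIN;

-- 1. Record what PUBLIC holds before changing anything. Database-role grants
--    appear in SHOW GRANTS output with granted_on = 'DATABASE_ROLE'.
SHOW GRANTS TO ROLE PUBLIC;
SELECT "privilege", "granted_on", "name"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "granted_on" = 'DATABASE_ROLE';

-- 2. Remove the default grant of the broad Cortex role from PUBLIC.
REVOKE DATABASE ROLE SNOWFLAKE.CORTEX_USER FROM ROLE PUBLIC;

-- 3. Grant the broad role only to the team that needs every Cortex feature ...
CREATE ROLE IF NOT EXISTS cortex_analysts;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE cortex_analysts;

-- ... and the narrower role to roles that only need the Cortex Agents API.
CREATE ROLE IF NOT EXISTS agent_app_role;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_AGENT_USER TO ROLE agent_app_role;

-- 4. Verify which account roles now hold each Cortex database role.
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.CORTEX_USER;
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.CORTEX_AGENT_USER;
```

Step 1 is worth keeping in a change record: the same filtered SHOW GRANTS query lists every SNOWFLAKE database role that reaches all users through PUBLIC (this page names CORE_VIEWER, ML_USER, MONITORING_VIEWER, CORTEX_USER and COPILOT_USER as granted to PUBLIC by default), so rerunning it periodically detects a grant that was later added back.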
SNOWFLAKE.COPILOT_USER database role¶
The SNOWFLAKE.COPILOT_USER database role allows customers to access Cortex Code features in Snowsight. Initially, this database role is granted to the PUBLIC role. The PUBLIC role is automatically granted to all users and roles, so this allows all users in your account to use Cortex Code. If you want to limit access to Cortex Code features in Snowsight, you can revoke access from the PUBLIC role and grant access to specific roles. For details, see Access control requirements.
Using SNOWFLAKE database roles¶
An administrator can use GRANT DATABASE ROLE to assign a SNOWFLAKE database role to another role, which can then be granted to users. This allows users to access a specific subset of the views in the SNOWFLAKE database.
The following example creates a role that can be used to view SNOWFLAKE database object metadata. It performs the following actions:
- Create a custom role.
- Grant the OBJECT_VIEWER role to the custom role.
- Grant the custom role to a user.
To create and grant the custom role:
1. Use CREATE ROLE to create the CAN_VIEWMD role, which will be used to grant access to object metadata. Only a user with the USERADMIN system role or higher, or another role that has the CREATE ROLE privilege on the account, can create roles.
2. Grant the OBJECT_VIEWER role to the CAN_VIEWMD role. Only users with the OWNERSHIP privilege can grant a SNOWFLAKE database role. For more information, see GRANT DATABASE ROLE.
3. Assign the CAN_VIEWMD role to the user smith. Only users with the SECURITYADMIN role can grant roles to users. For other options, see GRANT ROLE.
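The three steps above, and the ACCOUNT_USAGE role-to-view mapping they rely on, as an added example that is not the page's own code. The role name CAN_VIEWMD and the user smith come from the text; the example assumes a default account where the imported privileges on the SNOWFLAKE database sit with ACCOUNTADMIN, and that SNOWFLAKE.ACCOUNT_USAGE.TABLES is one of the views granted to OBJECT_VIEWER.

```sql
-- Added example of the procedure above (not from the Snowflake documentation).
-- Assumes ACCOUNTADMIN holds the imported privileges on the SNOWFLAKE database
-- and that ACCOUNT_USAGE.TABLES is among the OBJECT_VIEWER views.

-- Step 1: create the custom role. USERADMIN (or any role with CREATE ROLE
--         on the account) is the lowest-privilege role that can do this.
USE ROLE USERADMIN;
CREATE ROLE can_viewmd
  COMMENT = 'Read-only visibility into SNOWFLAKE object metadata (OBJECT_VIEWER only)';

-- Step 2: grant the SNOWFLAKE database role to the custom role. ACCOUNTADMIN
--         is used because it owns the imported SNOWFLAKE privileges on a
--         default account and inherits USERADMIN's ownership of can_viewmd.
USE ROLE ACCOUNTADMIN;
GRANT DATABASE ROLE SNOWFLAKE.OBJECT_VIEWER TO ROLE can_viewmd;

-- Step 3: grant the custom role to the user. SECURITYADMIN can grant roles to users.
USE ROLE SECURITYADMIN;
GRANT ROLE can_viewmd TO USER smith;

-- Verification: can_viewmd should hold exactly one database role and nothing
-- else, so the user gets object metadata but no usage, governance or
-- security views (those need USAGE_VIEWER, GOVERNANCE_VIEWER, SECURITY_VIEWER).
SHOW GRANTS TO ROLE can_viewmd;
SHOW GRANTS TO USER smith;

-- Smoke test, run as user smith once the grant is in place: an OBJECT_VIEWER
-- view is readable; a view owned by another viewer role is not.
USE ROLE can_viewmd;
SELECT table_catalog, table_schema, table_name, table_type
  FROM SNOWFLAKE.ACCOUNT_USAGE.TABLES
 WHERE deleted IS NULL
 LIMIT 10;
```

Keeping one SNOWFLAKE database role per custom role, as here, makes the SHOW GRANTS output self-explanatory and keeps the role's reach aligned with the first table on this page; a role that needs historical usage as well should receive USAGE_VIEWER through a second GRANT DATABASE ROLE rather than being handed the whole SNOWFLAKE database with IMPORTED PRIVILEGES.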