创建组织列表¶
创建组织列表,以在组织内安全地共享数据产品。在创建组织列表之前,请查看先决条件、已知限制和注意事项。
先决条件¶
您的组织有一个 ORGADMIN 角色。(组织账户 是可选的。)
已知限制¶
Support for organizational listings in government regions is currently in preview with the following limitations:
Creating custom organization profiles in government regions isn't supported.
The ACCESS_HISTORY 视图 in the organization account isn't available.
Organizational listings created from commercial or Virtual Private Snowflake (VPS) accounts don't show up when searching, filtering, or browsing listings.
您必须使用 API 来定位特定区域。
支持的数据产品:Snowflake Native App Framework 和共享。
包含 Snowflake Native App 的组织列表不支持访问或发现目标角色。
在使用组织列表时,不支持以下功能:
Provider Studio Analytics。
阅读者账户。
您不能使用 Snowsight 指定组织列表中的特定区域。
注意事项¶
在您定位整个组织之前,先检查外部租户。在将数据产品添加到组织列表之前,请调整您的目标账户,除非您打算与外部租户共享它们。
每个共享可以附加到一个列表。
每个原生应用程序可以附加到一个或多个列表。
对于包含组织列表的账户的组织变更(例如合并),请联系 Snowflake 支持部门。
访问控制要求¶
使用此处提供的信息来确定执行组织列表 SQL 命令必须具有的特定角色和权限。
有关创建具有指定权限集的自定义角色的说明,请参阅 创建自定义角色。
有关对 安全对象 执行 SQL 操作的相应角色和权限授予的一般信息,请参阅 访问控制概述。
分配组织列表权限¶
要创建组织列表,角色必须具有创建共享所需的权限(如 共享创建和管理 所示),以及从中创建组织列表所需的权限(如 使用共享创建组织列表所需的权限 所示)。
更改组织列表所需的权限¶
要更改列表,需要下面其中一项权限。
角色 |
备注 |
|---|---|
OWNERSHIP |
可以 |
带 grants 选项的 MODIFY |
可以在向角色授予修改权限后 grant modify on data exchange listing <listing_name> to role <role_name>
|
使用或查询组织列表¶
要直接使用组织列表,您可以参考 统一列表定位器 (ULL),无需任何其他权限。如果您需要安装列表,则需要以下权限:
权限 |
对象 |
备注 |
|---|---|---|
IMPORT ORGANIZATION LISTING |
ACCOUNT |
导入组织列表。 |
CREATE 数据库 |
ACCOUNT |
创建数据库并安装列表对象。 |
管理列表自动履行设置¶
Before managing auto-fulfillment settings for your organization listing, ensure that you have the necessary roles to manage auto-fulfilling the listing. See the auto-fulfillment required privileges for more information.
权限 |
对象 |
备注 |
|---|---|---|
MANAGE LISTING AUTO FULFILLMENT |
ACCOUNT |
配置自动履行设置。 |
在 Snowsight 或 SQL 中创建组织列表¶
Create an organizational listing.
Sign in to Snowsight.
In the navigation menu, select Data sharing » Provider Studio.
Select + Create Listing » Internal Marketplace.
Select + Data Product.
In the + Data Product dialog, click + Select.
Navigate to a data product such as a table, view or other data product.
Alternatively, search for and choose a data product to share.
Select Done when complete.
Select Save.
Specify who can access the listing (the target accounts, roles, and regions).
Select + Access Control. The Access and discovery dialog displays.
完成 Grant access 部分:
字段
描述
Who can access this data product?
选择以下选项之一:
Entire organization: Anyone in the organization can access the listing.
If Entire organization is selected and cross-cloud auto-fulfillment is enabled on your account, then you'll be prompted to review the auto-fulfillment refresh settings for the listing.
Selected accounts and roles: Only selected accounts and roles can access.
No accounts or roles are pre-approved: (Default) Data product will only be available by request.
Accounts
如果 Selected accounts and roles 已选择,请选择一个或多个帐户。
Optional. Select + Add another account to add second and subsequent accounts.
By default, all roles in the selected accounts can access the listing. Select Selected roles to grant access only to specific roles each selected account.
完成 Allow discovery 部分:
字段
描述
Who else can discover the listing and request access?
Select one of:
Entire organization: (Default) Anyone in the organization can discover listing and request access. This field is selected and disabled if Entire organization is specified for in the Grant access section.
Selected accounts and roles: Only selected accounts and roles can discover listing and request access.
Not discoverable by users without access: Only users with access can discover this listing.
Accounts
If Select accounts and roles is selected, select one or more accounts.
Optional. Select + Add another account to add second and subsequent accounts and grant access to specific roles.
Selected user roles
如果 Selected roles 已选中,请输入一个或多个角色以授予访问权限。
If Allow discovery is Selected accounts and roles, then select Set up request approval flow.
In the Set up request approval flow dialog, select one of the following options in the How should the request approval happen? list:
Manage requests in Snowflake: Enter the email address of the request approver and optionally specify additional roles that can approve requests.
Manage requests outside of Snowflake: Enter an email address for the request approver or enter a URL that points to an internal ticketing system.
备注
The Set up request approval flow button isn't available if the data product is accessible by the entire organization or if the data product is not discoverable by users without access.
Provide a title, and review the generated Uniform Listing Locator (ULL).
更改列表标题是可选的,但建议更改。有关更多信息,请参阅 统一列表定位器。
选择 Untitled Listing。
对于 Listing title,输入数据产品的描述性标题。
选择 Save 或 Cancel。
填写列表。
Enter addition information about listing page to guide consumers, such as description, data dictionary, usage examples, attributes and more.
Note that Support Contact is required.
Select Publish to make the listing available in the Internal Marketplace.
If you exit without publishing, the listing is saved as a draft that's ready for review or for the addition of descriptive metadata.
从共享创建组织列表,所需属性包含在 YAML 中(以 $$ 分隔符输入)。
清单 yaml 的以下部分指定了可以使用组织列表的账户:
organization_targets:
access:
本示例使用清单 YAML 中的必要设置创建列表。它针对同一区域同一账户中的同一角色,包括支持和审批联系人:
备注
support_contact 是必填项。如果提供了 discovery 目标,则 approver_contact 是必填项。
USE ROLE <organizational_listing_role>;
CREATE ORGANIZATION LISTING <organization_listing_name>
SHARE <share_name> AS
$$
title: "My title"
description: "One region, all accounts"
organization_profile: "INTERNAL"
organization_targets:
discovery:
- account: "<account_name>"
roles:
- "<role>"
access:
- account: "<account_name>"
roles:
- "<role>"
support_contact: "support@somedomain.com"
approver_contact: "approver@somedomain.com"
locations:
access_regions:
- name: "PUBLIC.<snowflake_region>"
$$;
有关组织列表的所有字段和值的完整列表,请参阅 组织列表清单引用。有关其他示例,请参阅 设置谁可以发现和访问组织列表。