Optionally deploy grants requiring ACCOUNTADMIN
?
#106
-
Hi @littleK0i, Enjoying the new permissions model - this is allowing us some great flexibility and the ability to drop some of our custom logic. In production, we're using an With the new permissions config in 0.27, this means our Have I missed a way to exclude these when running without Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
Ok, it's a tricky subject. Let's see if we can unpack it. SnowDDL currently relies on having Currently there are two modes in which SnowDDL can operate: "normal" mode and "SingleDB" mode. With "normal" mode it assumes that Adding any special rules around specific privileges requiring What you can do instead:
|
Beta Was this translation helpful? Give feedback.
Ok, it's a tricky subject. Let's see if we can unpack it.
SnowDDL currently relies on having
MANAGE GRANTS
privilege. It comes fromSECURITYADMIN
system role, which is granted toACCOUNTADMIN
.Currently there are two modes in which SnowDDL can operate: "normal" mode and "SingleDB" mode. With "normal" mode it assumes that
MANAGE GRANTS
are present, and in "SingleDB" mode it does not manage any grants at all.Adding any special rules around specific privileges requiring
ACCOUNTADMIN
orSECURITYADMIN
is probably not very productive, since... it is really hard to tell which privileges can be granted without hardcoding it. And if we do the hardcode, it will break once Snowflake decices to chan…