In Snowflake, when you create a custom role and grant it to another role, what is the effect on the privileges of the parent role?
Think about how role inheritance works in Snowflake.
In Snowflake, when a role is granted to another role, the parent role inherits all privileges of the granted role. This allows hierarchical privilege management.
Which Snowflake SQL command correctly creates a custom role named data_analyst and grants it the privilege to select from the sales_data schema?
Remember that to select data, the role needs SELECT privilege on the schema or tables.
The correct way is to create the role and grant the SELECT privilege on the schema. Granting on a database or table named sales_data is incorrect because sales_data is a schema, not a database or table.
You want to design a Snowflake role hierarchy to separate duties between data engineers and data analysts. Which design best enforces that data engineers can manage tables but cannot query data, while data analysts can query data but cannot manage tables?
Think about how granting roles affects privilege inheritance and separation.
To enforce separation of duties, roles should be distinct without granting one to the other. Data engineers get management privileges; data analysts get query privileges only.
Which practice helps prevent privilege escalation when creating custom roles in Snowflake?
Think about the principle of least privilege.
Granting only the necessary privileges minimizes the risk of privilege escalation. Avoid giving powerful roles like ACCOUNTADMIN to users directly.
Consider the following Snowflake role hierarchy: role_A is granted to role_B, and role_B is granted to role_C. If role_A is revoked from role_B, what is the effect on role_C?
Consider how privilege inheritance works through role grants.
Since role_C inherits privileges from role_B, which in turn inherits from role_A, revoking role_A from role_B breaks the chain. Therefore, role_C loses the privileges it inherited from role_A.