
Share security and governance in Snowflake - Step-by-Step Execution

Process Flow - Share security and governance
Create Share
Add Objects to Share
Grant Access to Consumers
Consumer Uses Share
Monitor and Govern Usage
Revoke or Modify Access
This flow shows how a data share is created, objects added, access granted, used by consumers, monitored, and access managed.
Execution Sample
Snowflake
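-- Provider account: create the share and add objects to it.
CREATE SHARE my_share;
GRANT USAGE ON DATABASE my_db TO SHARE my_share;
GRANT USAGE ON SCHEMA my_db.my_schema TO SHARE my_share;
GRANT SELECT ON ALL TABLES IN SCHEMA my_db.my_schema TO SHARE my_share;
-- Consumer account: my_shared_db is the database the consumer created from the share.
-- Granting IMPORTED PRIVILEGES lets consumer_role query the shared objects.
GRANT IMPORTED PRIVILEGES ON DATABASE my_shared_db TO ROLE consumer_role;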
This code creates a share, adds database and schema objects, grants select permissions, and (consumer side) grants imported privileges to enable querying.
Process Table
| Step | Action | Object Affected | Permission/State Change | Result |
|---|---|---|---|---|
| 1 | CREATE SHARE my_share | Share my_share | Created | Share object ready to add data |
| 2 | GRANT USAGE ON DATABASE my_db TO SHARE my_share | Database my_db | Usage granted to share | Share can reference database |
| 3 | GRANT USAGE ON SCHEMA my_db.my_schema TO SHARE my_share | Schema my_schema | Usage granted to share | Schema included in share |
| 4 | GRANT SELECT ON ALL TABLES IN SCHEMA my_db.my_schema TO SHARE my_share | Tables in my_schema | Select granted to share | Share can expose table data |
| 5 | GRANT IMPORTED PRIVILEGES ON DATABASE my_shared_db TO ROLE consumer_role | consumer_role | Imported privileges granted | Consumer can query shared data |
| 6 | Consumer queries shared data | Shared tables | Read access | Data accessed securely |
| 7 | Monitor usage | Share usage logs | Track queries | Governance enforced |
| 8 | Revoke or modify access | Share or consumer | Permissions updated | Access controlled as needed |
💡 Access is controlled and monitored to maintain security and governance.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | After Step 5 | Final |
|---|---|---|---|---|---|---|---|
| my_share | None | Created | Has usage on my_db | Includes my_schema | Has select on tables | Granted to consumer_account | Active and shared |
| consumer_account_access | None | None | None | None | None | Granted imported privileges | Can query shared data |
Key Moments - 3 Insights
Why do we grant USAGE on the database to the share before adding schemas?
Granting USAGE on the database (see step 2) allows the share to reference objects inside it. Without this, adding schemas or tables to the share (steps 3 and 4) would fail.
How does granting SELECT on tables to the share affect consumer access?
Granting SELECT on tables (step 4) lets the share expose data. The consumer must then grant imported privileges on the shared database (step 5) to actually query the data.
What is the purpose of monitoring usage after sharing?
Monitoring usage (step 7) helps track who accessed data and how. This supports governance by ensuring data is used properly and securely.
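Steps 7 and 8 of the process table are described but not shown in the execution sample. The following SQL is an added example, not part of the original lesson, of how monitoring and revocation could look. The table my_table and the account identifier consumer_org.consumer_account are placeholders, and the usage query assumes the consumer account has the SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY view available (Enterprise Edition or higher).

```sql
-- Step 7, provider account: review exactly what the share exposes and to whom.
SHOW GRANTS TO SHARE my_share;   -- privileges currently granted to the share
SHOW GRANTS OF SHARE my_share;   -- accounts the share has been added to

-- Step 7, consumer account: who read shared objects in the last 7 days.
-- Queries against shared data are logged in the consumer account only,
-- so this runs on the consumer side.
SELECT ah.query_start_time,
       ah.user_name,
       obj.value:"objectName"::string AS object_name,
       ah.query_id
FROM snowflake.account_usage.access_history AS ah,
     LATERAL FLATTEN(input => ah.direct_objects_accessed) AS obj
WHERE STARTSWITH(UPPER(obj.value:"objectName"::string), 'MY_SHARED_DB.')
  AND ah.query_start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY ah.query_start_time DESC;

-- Step 8, provider account: narrow what the share exposes.
-- my_table is a placeholder for one table that should no longer be shared.
REVOKE SELECT ON TABLE my_db.my_schema.my_table FROM SHARE my_share;

-- Step 8, provider account: cut off one consumer entirely.
-- consumer_org.consumer_account is a placeholder account identifier.
ALTER SHARE my_share REMOVE ACCOUNTS = consumer_org.consumer_account;

-- Step 8, consumer account: stop a role from querying the shared database.
REVOKE IMPORTED PRIVILEGES ON DATABASE my_shared_db FROM ROLE consumer_role;

-- Provider account: confirm the share now holds only the intended grants.
SHOW GRANTS TO SHARE my_share;
```

Re-running SHOW GRANTS after each change gives a record of the share's state that can be compared against the intended access list.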
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table. At which step is the share first able to reference the database?
A. Step 1
B. Step 2
C. Step 3
D. Step 5
💡 Hint
Check the 'Permission/State Change' column for when USAGE on database is granted to the share.
According to the variable tracker, what is the state of 'consumer_account_access' after step 4?
A. Granted imported privileges
B. Can query shared data
C. None
D. Has select on tables
💡 Hint
Look at the 'consumer_account_access' row and the column 'After Step 4' in the variable tracker.
If we revoke imported privileges from the consumer account, which step in the execution table would reflect this change?
A. Step 8
B. Step 7
C. Step 6
D. Step 5
💡 Hint
Step 8 mentions revoking or modifying access.
Concept Snapshot
Snowflake Share Security & Governance:
- Create a share to group data objects.
- Grant USAGE on database to share before adding schemas.
- Grant USAGE on schema to share.
- Grant SELECT on tables to share to expose data.
- Consumer grants imported privileges on shared DB to roles.
- Monitor usage for governance.
- Revoke or modify access to control security.
Full Transcript
This visual execution traces how Snowflake data sharing works for security and governance. First, a share is created. Then, usage permission on the database is granted to the share so it can reference objects. Next, usage on the schema and select on the tables are granted to the share. The consumer creates a database from the share and grants imported privileges to a role, allowing secure data access. Usage is monitored to enforce governance. Finally, access can be revoked or modified to maintain security. Variables track the share state and consumer access through each step. Key moments clarify why permissions must be granted in order and how monitoring supports governance. Quizzes test understanding of when permissions are granted and how access changes affect usage.