Skip to content

Snowflake role privileges

Snowflake access control works by giving roles sets of privileges on certain objects (databases, schema, tables, and so on).

For example, CREATE is a privilege that can be set on objects such as tables or schema and given to a custom or existing role. That role, when used by the Data Productivity Cloud, can then create tables. The ALL privilege gives a role every relevant available privilege on an object.

To connect your Snowflake account to the Data Productivity Cloud, the Snowflake role must have certain privileges enabled. Some examples are listed below.

Matillion recommends using a custom Snowflake role created specifically for the Data Productivity Cloud, rather than a role such as PUBLIC.

Read GRANT … TO ROLE to learn how to grant privileges to a role.

Required roles

Below is a table of role privileges required for optimal use of the Data Productivity Cloud. Omitting privileges may come at the cost of features within the Data Productivity Cloud.

Privilege Object Description
ALL Table Grants all privileges, except OWNERSHIP, on a table.
ALL External Table Grants all privileges, except OWNERSHIP, on an external table.
ALL View Grants all privileges, except OWNERSHIP, on a view.
ALL Schema Grants all privileges, except OWNERSHIP, on a schema.
ALL Stage Creation and general use of Snowflake stages.

The following sections offer some examples of how to grant these privileges.


Grant Usage on warehouse:

GRANT USAGE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;

Grant Operate on warehouse:

GRANT OPERATE ON WAREHOUSE <warehouse-name> TO ROLE <role-name>;


Grant Usage on database:

GRANT USAGE ON DATABASE <database-name> TO ROLE <role-name>;


Grant All on schema:

GRANT ALL ON SCHEMA <schema-name> TO ROLE <role-name>;


Grant delete on tables in schema:


Authentication methods

The Data Productivity Cloud currently supports the username/password authentication method for Snowflake. More authentication methods will be available in the future.

Multi-Factor Authentication connections aren't supported. We advise customers to set up a Snowflake Service Account User for use with Data Productivity Cloud projects.