[SNOW-200] Create analyst database roles

admin/future_grants/V1.3.0__data_warehouse_analyst_read.sql

@@ -0,0 +1,93 @@
+---- SYNAPSE_DATA_WAREHOUSE ----
+-- SYNAPSE
+GRANT SELECT, REFERENCES
+	ON FUTURE TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_TABLE_READ;
+GRANT SELECT, MONITOR
+	ON FUTURE DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_TABLE_READ;
+GRANT USAGE, READ
+	ON FUTURE STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_STAGE_READ;
+GRANT SELECT, REFERENCES
+	ON FUTURE VIEWS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_VIEW_READ;
+GRANT MONITOR
+	ON FUTURE TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_TASK_READ;
+
+-- SYNAPSE_RAW
+GRANT SELECT, REFERENCES
+	ON FUTURE TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_TABLE_READ;
+GRANT USAGE, READ
+	ON FUTURE STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_STAGE_READ;
+GRANT SELECT
+	ON FUTURE STREAMS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_STREAM_READ;
+GRANT MONITOR
+	ON FUTURE TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_TASK_READ;
+
+-- SCHEMACHANGE
+GRANT SELECT, REFERENCES
+	ON FUTURE TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE_TABLE_READ;
+
+---- SYNAPSE_DATA_WAREHOUSE_DEV ----
+-- SYNAPSE
+GRANT SELECT, REFERENCES
+	ON FUTURE TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_TABLE_READ;
+GRANT SELECT, MONITOR
+	ON FUTURE DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_TABLE_READ;
+GRANT USAGE, READ
+	ON FUTURE STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_STAGE_READ;
+GRANT SELECT, REFERENCES
+	ON FUTURE VIEWS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_VIEW_READ;
+GRANT MONITOR
+	ON FUTURE TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_TASK_READ;
+
+-- SYNAPSE_RAW
+GRANT SELECT, REFERENCES
+	ON FUTURE TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_TABLE_READ;
+GRANT USAGE, READ
+	ON FUTURE STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_STAGE_READ;
+GRANT SELECT
+	ON FUTURE STREAMS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_STREAM_READ;
+GRANT MONITOR
+	ON FUTURE TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_TASK_READ;
+
+-- SCHEMACHANGE
+GRANT SELECT, REFERENCES
+	ON FUTURE TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE_TABLE_READ;

admin/grants.sql

@@ -505,6 +505,128 @@ GRANT ROLE SYNAPSE_DATA_WAREHOUSE_ANALYST TO ROLE SYNAPSE_DATA_WAREHOUSE_ADMIN;
 GRANT ROLE SYNAPSE_DATA_WAREHOUSE_DEV_ADMIN TO ROLE SYSADMIN;
 GRANT ROLE SYNAPSE_DATA_WAREHOUSE_DEV_ANALYST TO ROLE SYNAPSE_DATA_WAREHOUSE_DEV_ADMIN;
 
+---- RBAC reconfiguration of data warehouse ----
+-- The following grants provide read access on most 
+-- objects presently within the data warehouse.
+
+---- SYNAPSE_DATA_WAREHOUSE ----
+-- Grant the aggregate roles usage on their respective schema
+GRANT USAGE, MONITOR
+    ON SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ANALYST;
+GRANT USAGE, MONITOR
+    ON SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ANALYST;
+GRANT USAGE, MONITOR
+    ON SCHEMA SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE_ALL_ANALYST;
+
+-- Grant object-type-specific privileges to the appropriate object-type-specific role
+-- SYNAPSE
+GRANT SELECT, REFERENCES
+	ON ALL TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_TABLE_READ;
+GRANT SELECT, MONITOR
+	ON ALL DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_TABLE_READ;
+GRANT USAGE, READ
+	ON ALL STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_STAGE_READ;
+GRANT SELECT, REFERENCES
+	ON ALL VIEWS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_VIEW_READ;
+GRANT MONITOR
+	ON ALL TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_TASK_READ;
+
+-- SYNAPSE_RAW
+GRANT SELECT, REFERENCES
+	ON ALL TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_TABLE_READ;
+GRANT USAGE, READ
+	ON ALL STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_STAGE_READ;
+GRANT SELECT
+	ON ALL STREAMS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_STREAM_READ;
+GRANT MONITOR
+	ON ALL TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_TASK_READ;
+
+-- SCHEMACHANGE
+GRANT SELECT, REFERENCES
+	ON ALL TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE_TABLE_READ;
+
+---- SYNAPSE_DATA_WAREHOUSE_DEV ----
+-- Grant the aggregate roles usage on their respective schema
+GRANT USAGE, MONITOR
+    ON SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_ALL_ANALYST;
+GRANT USAGE, MONITOR
+    ON SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ANALYST;
+GRANT USAGE, MONITOR
+    ON SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE_ALL_ANALYST;
+
+-- Grant object-type-specific privileges to the appropriate object-type-specific role
+-- SYNAPSE
+GRANT SELECT, REFERENCES
+	ON ALL TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_TABLE_READ;
+GRANT SELECT, MONITOR
+	ON ALL DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_TABLE_READ;
+GRANT USAGE, READ
+	ON ALL STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_STAGE_READ;
+GRANT SELECT, REFERENCES
+	ON ALL VIEWS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_VIEW_READ;
+GRANT MONITOR
+	ON ALL TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_TASK_READ;
+
+-- SYNAPSE_RAW
+GRANT SELECT, REFERENCES
+	ON ALL TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_TABLE_READ;
+GRANT USAGE, READ
+	ON ALL STAGES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_STAGE_READ;
+GRANT SELECT
+	ON ALL STREAMS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_STREAM_READ;
+GRANT MONITOR
+	ON ALL TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_TASK_READ;
+
+-- SCHEMACHANGE
+GRANT SELECT, REFERENCES
+	ON ALL TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE_TABLE_READ;
+
 -- Allow SECURITYADMIN to deploy schemachange for versioned admin scripts
 GRANT USAGE
     ON DATABASE METADATA

synapse_data_warehouse/database_roles/V2.33.0__database_analyst_roles.sql

@@ -0,0 +1,96 @@
+USE DATABASE {{ database_name }}; --noqa: JJ01,PRS,TMP
+
+-- Create roles which will aggregate the object-type-specific roles 
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_ALL_ANALYST;
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_RAW_ALL_ANALYST;
+CREATE OR REPLACE DATABASE ROLE SCHEMACHANGE_ALL_ANALYST;
+
+-- Grant ownership of the analyst aggregate roles to their
+-- respective admin aggregate role
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_ALL_ANALYST
+    TO ROLE SYNAPSE_ALL_ADMIN; --noqa: JJ01,PRS,TMP
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_RAW_ALL_ANALYST
+    TO ROLE SYNAPSE_RAW_ALL_ADMIN; --noqa: JJ01,PRS,TMP
+GRANT OWNERSHIP
+    ON DATABASE ROLE SCHEMACHANGE_ALL_ANALYST
+    TO ROLE SCHEMACHANGE_ALL_ADMIN; --noqa: JJ01,PRS,TMP
+
+-- Grant analyst aggregate roles to the database analyst account role
+GRANT DATABASE ROLE SYNAPSE_ALL_ANALYST
+    TO ROLE {{ database_name }}_ANALYST; --noqa: JJ01,PRS,TMP
+GRANT DATABASE ROLE SYNAPSE_RAW_ALL_ANALYST
+    TO ROLE {{ database_name }}_ANALYST; --noqa: JJ01,PRS,TMP
+GRANT DATABASE ROLE SCHEMACHANGE_ALL_ANALYST
+    TO ROLE {{ database_name }}_ANALYST; --noqa: JJ01,PRS,TMP
+
+
+-- Create object-type-specific roles, grant ownership of each to
+-- their respective admin aggregate role, and grant each to the
+-- respective analyst aggregate role
+-- SYNAPSE
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_TABLE_READ;
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_STAGE_READ;
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_VIEW_READ;
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_TASK_READ;
+
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_TABLE_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ADMIN;
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_STAGE_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ADMIN;
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_VIEW_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ADMIN;
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_TASK_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ADMIN;
+
+GRANT DATABASE ROLE SYNAPSE_TABLE_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ANALYST;
+GRANT DATABASE ROLE SYNAPSE_STAGE_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ANALYST;
+GRANT DATABASE ROLE SYNAPSE_VIEW_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ANALYST;
+GRANT DATABASE ROLE SYNAPSE_TASK_READ
+	TO DATABASE ROLE SYNAPSE_ALL_ANALYST;
+
+-- SYNAPSE_RAW
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_RAW_TABLE_READ;
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_RAW_STAGE_READ;
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_RAW_STREAM_READ;
+CREATE OR REPLACE DATABASE ROLE SYNAPSE_RAW_TASK_READ;
+
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_RAW_TABLE_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ADMIN;
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_RAW_STAGE_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ADMIN;
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_RAW_STREAM_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ADMIN;
+GRANT OWNERSHIP
+	ON DATABASE ROLE SYNAPSE_RAW_TASK_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ADMIN;
+
+GRANT DATABASE ROLE SYNAPSE_RAW_TABLE_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ANALYST;
+GRANT DATABASE ROLE SYNAPSE_RAW_STAGE_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ANALYST;
+GRANT DATABASE ROLE SYNAPSE_RAW_STREAM_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ANALYST;
+GRANT DATABASE ROLE SYNAPSE_RAW_TASK_READ
+	TO DATABASE ROLE SYNAPSE_RAW_ALL_ANALYST;
+
+-- SCHEMACHANGE
+CREATE OR REPLACE DATABASE ROLE SCHEMACHANGE_TABLE_READ;
+
+GRANT OWNERSHIP
+	ON DATABASE ROLE SCHEMACHANGE_TABLE_READ
+	TO DATABASE ROLE SCHEMACHANGE_ALL_ADMIN;
+
+GRANT DATABASE ROLE SCHEMACHANGE_TABLE_READ
+	TO DATABASE ROLE SCHEMACHANGE_ALL_ANALYST;