SOL-C01 · Question #28
You have a Snowflake database named 'SALES DB' containing schemas 'RAW' and 'TRANSFORMED'. The 'RAW' schema holds raw data ingested from various sources, and the 'TRANSFORMED' schema contains cleansed
The correct answer is C. GRANT USAGE ON DATABASE SALES DB TO ROLE DATA ANALYST; GRANT USAGE ON. Option C is correct because Snowflake requires a complete privilege chain: USAGE on the database to enter it, USAGE on the schema to navigate within it, and SELECT on the tables to read them - omitting any link in this chain breaks access entirely, and using only SELECT grants re
Question
You have a Snowflake database named 'SALES DB' containing schemas 'RAW' and 'TRANSFORMED'. The 'RAW' schema holds raw data ingested from various sources, and the 'TRANSFORMED' schema contains cleansed and transformed data ready for reporting. You need to grant the 'DATA ANALYST' role the ability to read all tables in the 'TRANSFORMED' schema but prevent them from modifying any objects. What is the MOST efficient and secure way to achieve this?
Options
- AGRANT SELECT ON ALL TABLES IN SCHEMA SALES DB.TRANSFORMED TO ROLE DATA
- BGRANT USAGE ON DATABASE SALES DB TO ROLE DATA ANALYST; GRANT SELECT ON
- CGRANT USAGE ON DATABASE SALES DB TO ROLE DATA ANALYST; GRANT USAGE ON
- DGRANT ALL PRIVILEGES ON SCHEMA SALES DB.TRANSFORMED TO ROLE DATA
- EGRANT SELECT ON SCHEMA SALES DB.TRANSFORMED TO ROLE DATA ANALYST;
How the community answered
(39 responses)- A26% (10)
- B18% (7)
- C44% (17)
- D10% (4)
- E3% (1)
Explanation
Option C is correct because Snowflake requires a complete privilege chain: USAGE on the database to enter it, USAGE on the schema to navigate within it, and SELECT on the tables to read them - omitting any link in this chain breaks access entirely, and using only SELECT grants read-only access, satisfying the security requirement.
Why the distractors fail:
- A - Grants
SELECTon tables but skipsUSAGEon both the database and schema; the role cannot even navigate to the tables. - B - Grants
USAGEon the database andSELECTon tables but omitsUSAGEon the schema, breaking the access chain at the schema level. - D -
GRANT ALL PRIVILEGESis overly permissive; it includesINSERT,UPDATE,DELETE, and other modification rights, violating the least-privilege requirement. - E -
GRANT SELECT ON SCHEMAis not valid syntax for table access in Snowflake; you cannot grantSELECTat the schema level to propagate it to tables - privileges must be granted on the objects themselves.
Memory tip: Think of Snowflake access as a nested door lock - Database → Schema → Table. You need a key (USAGE) for each door before you can read (SELECT) what's inside the last room. ALL PRIVILEGES hands over the master key, which is never the "secure" answer.
Topics
Community Discussion
No community discussion yet for this question.