SOL-C01 · Question #31
A Snowflake administrator needs to implement RBAC for accessing a highly sensitive dataset. They decide to create several custom roles: 'DATA OWNER, DATA CURATOR, 'DATA ANALYST, and DATA READER. The r
The correct answer is A. Option A. Option A correctly implements all four role requirements by granting DATA OWNER privileges WITH GRANT OPTION, which is the Snowflake mechanism that allows a role to pass privileges to other roles - without this clause, ownership semantics are incomplete. DATA CURATOR receives DML
Question
A Snowflake administrator needs to implement RBAC for accessing a highly sensitive dataset. They decide to create several custom roles: 'DATA OWNER, DATA CURATOR, 'DATA ANALYST, and DATA READER. The requirement is that 'DATA OWNER should be able to grant privileges to other roles, but the 'DATA CURATOR should only be able to modify the data but not grant any permissions. 'DATA ANALYST' should have the ability to create temporary tables to assist with analysis, and the 'DATA READER should only have SELECT privileges on the data. Which of the following SQL commands would correctly fulfill these requirements?
Exhibit
Options
- AOption A
- BOption B
- COption C
- DOption D
- EOption E
How the community answered
(22 responses)- A59% (13)
- B18% (4)
- C5% (1)
- D14% (3)
- E5% (1)
Explanation
Option A correctly implements all four role requirements by granting DATA OWNER privileges WITH GRANT OPTION, which is the Snowflake mechanism that allows a role to pass privileges to other roles - without this clause, ownership semantics are incomplete. DATA CURATOR receives DML privileges (INSERT, UPDATE, DELETE) but deliberately omits WITH GRANT OPTION, enforcing the "modify but not delegate" constraint. DATA ANALYST is granted CREATE TEMPORARY TABLE on the schema (not the broader CREATE TABLE), and DATA READER receives only SELECT - no write or DDL permissions.
The distractors typically fail in one or more of these ways: using OWNERSHIP instead of WITH GRANT OPTION for DATA OWNER (ownership transfers the role, not delegated grant ability); accidentally including WITH GRANT OPTION on DATA CURATOR (violating the no-grant requirement); granting CREATE TABLE instead of CREATE TEMPORARY TABLE to DATA ANALYST (too broad); or giving DATA READER additional privileges like INSERT or REFERENCES.
Memory tip: Think of the phrase "Own it, Curate it, Analyze it, Read it" - each verb maps to increasing restriction. Only the OWNER needs WITH GRANT OPTION; everything below that line never passes privileges downward.
Topics
Community Discussion
No community discussion yet for this question.
