SOL-C01 · Question #35
A data engineer needs to grant a business analyst role ('BI ANALYST) the ability to query data in a specific schema ('SALES DATA) within a database ('REPORTING DB'). The business analyst should also b
The correct answer is D. GRANT USAGE ON DATABASE REPORTING DB TO ROLE BI ANALYST; GRANT USAGE ON. Option D correctly follows the principle of least privilege by granting USAGE on the database and schema (which provides navigation access without modification rights), SELECT on tables in SALES_DATA (read-only query access), and CREATE TEMPORARY TABLE on the schema - covering ex
Question
A data engineer needs to grant a business analyst role ('BI ANALYST) the ability to query data in a specific schema ('SALES DATA) within a database ('REPORTING DB'). The business analyst should also be able to create temporary tables for their analysis but should not be able to modify the underlying tables. Which of the following set of commands is the MOST SECURE and LEAST PRIVILEGED way to achieve this?
Options
- AGRANT USAGE ON DATABASE REPORTING DB TO ROLE BI ANALYST; GRANT SELECT ON
- BGRANT USAGE ON DATABASE REPORTING DB TO ROLE BI ANALYST; GRANT SELECT ON
- CGRANT ALL ON DATABASE REPORTING DB TO ROLE BI ANALYST; GRANT SELECT ON ALL
- DGRANT USAGE ON DATABASE REPORTING DB TO ROLE BI ANALYST; GRANT USAGE ON
- EGRANT USAGE ON DATABASE REPORTING DB TO ROLE BI ANALYST; GRANT SELECT ON
How the community answered
(30 responses)- A10% (3)
- B7% (2)
- C3% (1)
- D57% (17)
- E23% (7)
Explanation
Option D correctly follows the principle of least privilege by granting USAGE on the database and schema (which provides navigation access without modification rights), SELECT on tables in SALES_DATA (read-only query access), and CREATE TEMPORARY TABLE on the schema - covering exactly what the analyst needs, nothing more.
Why the distractors fail:
- A & B likely omit
USAGE ON SCHEMA, which Snowflake requires as a prerequisite before any schema-level privileges take effect - without it, the role cannot even see the schema's objects. - C uses
GRANT ALL, which is the clearest violation: it hands over destructive privileges likeINSERT,UPDATE,DELETE, andDROP, directly contradicting the "should not modify underlying tables" requirement. - E likely grants
SELECTbut omitsCREATE TEMPORARY TABLE, leaving the analyst unable to build the temporary working tables the question explicitly requires.
Memory tip: Think of Snowflake privileges as a locked filing cabinet - USAGE on database is the building key, USAGE on schema is the room key, and SELECT/CREATE TEMPORARY TABLE are the specific things you're allowed to do once inside. You need all three layers or the role hits a wall, and you should never hand over the master key (ALL) when a specific key will do.
Topics
Community Discussion
No community discussion yet for this question.