nerdexam
Snowflake

SOL-C01 · Question #42

A Snowflake account has multiple custom roles, including DATA ADMIN', 'ANALYST , and 'REPORTING'. The DATA ADMIN role should be able to grant all privileges on any object in the 'SALES' database to ot

The correct answer is A. Grant the 'OWNERSHIP privilege on the ` SALES' database to the 'DATA_ADMIN' role. Then, set. Option A is correct because in Snowflake, OWNERSHIP is the only privilege that implicitly includes the ability to grant any privilege on an object to other roles - without needing to specify WITH GRANT OPTION separately. By granting OWNERSHIP of the SALES database to DATA_ADMIN,

Snowflake Account and Security

Question

A Snowflake account has multiple custom roles, including DATA ADMIN', 'ANALYST , and 'REPORTING'. The DATA ADMIN role should be able to grant all privileges on any object in the 'SALES' database to other roles. Which of the following approaches is the MOST secure and efficient way to achieve this?

Options

  • AGrant the 'OWNERSHIP privilege on the ` SALES' database to the 'DATA_ADMIN' role. Then, set
  • BGrant the 'ALL PRIVILEGES' on the 'SALES' database and all its objects to the `DATA_ADMIN'
  • CGrant USAGE on the 'SALES' database to the 'DATA ADMIN' role and manually grant all other
  • DCreate a custom role hierarchy where 'DATA_ADMIN' inherits all privileges from the
  • EGrant the OWNERSHIP privilege on the SALES database to the DATA ADMIN role. When an

How the community answered

(48 responses)
  • A
    67% (32)
  • B
    19% (9)
  • C
    4% (2)
  • D
    2% (1)
  • E
    8% (4)

Explanation

Option A is correct because in Snowflake, OWNERSHIP is the only privilege that implicitly includes the ability to grant any privilege on an object to other roles - without needing to specify WITH GRANT OPTION separately. By granting OWNERSHIP of the SALES database to DATA_ADMIN, that role becomes the authoritative grantor for all objects within it, which is both powerful and cleanly scoped.

Why the distractors fail:

  • B - ALL PRIVILEGES grants the ability to use every privilege but does not include the right to grant those privileges to other roles; you'd also need WITH GRANT OPTION on every object, making this incomplete and cumbersome.
  • C - Manually granting individual privileges is neither efficient nor scalable, and still doesn't automatically confer the ability to re-grant to others.
  • D - Role hierarchy (inheritance) controls what a role can do, not whether it can delegate those privileges; it doesn't solve the grant-forwarding requirement.
  • E - Likely describes OWNERSHIP with an added condition (e.g., a GRANT OPTION caveat or extra step) that makes it redundant or less clean than simply granting OWNERSHIP as in A.

Memory tip: Think "Own it to loan it" - in Snowflake, only the owner of an object has the built-in authority to loan out (grant) its privileges to other roles.

Topics

#Snowflake RBAC#OWNERSHIP privilege#Database privileges#Privilege delegation

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice