Skip to content
PlaidCloud

SHOW_GRANTS (Lakehouse v1)

Lists privileges explicitly granted to a user, to a role, or on a specific object.

SQL Syntax

Section titled “SQL Syntax”
SHOW_GRANTS('role', '<role_name>')
SHOW_GRANTS('user', '<user_name>')
SHOW_GRANTS('stage', '<stage_name>')
SHOW_GRANTS('udf', '<udf_name>')
SHOW_GRANTS('table', '<table_name>', '<catalog_name>', '<db_name>')
SHOW_GRANTS('database', '<db_name>', '<catalog_name>')

Configuring enable_expand_roles Setting

Section titled “Configuring enable_expand_roles Setting”

The enable_expand_roles setting controls whether the SHOW_GRANTS function expands role inheritance when displaying privileges.

  • enable_expand_roles=1 (default):

    • SHOW_GRANTS recursively expands inherited privileges, meaning that if a role has been granted another role, it will display all the inherited privileges.
    • Users will also see all privileges granted through their assigned roles.

  • enable_expand_roles=0:

    • SHOW_GRANTS only displays privileges that are directly assigned to the specified role or user.
    • However, the result will still include GRANT ROLE statements to indicate role inheritance.

For example, role a has the SELECT privilege on t1, and role b has the SELECT privilege on t2:

SELECT grants FROM show_grants('role', 'a') ORDER BY object_id;


┌──────────────────────────────────────────────────────┐
│                        grants                        │
├──────────────────────────────────────────────────────┤
GRANT SELECT ON 'default'.'default'.'t1' TO ROLE `a`
└──────────────────────────────────────────────────────┘


SELECT grants FROM show_grants('role', 'b') ORDER BY object_id;


┌──────────────────────────────────────────────────────┐
│                        grants                        │
├──────────────────────────────────────────────────────┤
GRANT SELECT ON 'default'.'default'.'t2' TO ROLE `b`
└──────────────────────────────────────────────────────┘

If you grant role b to role a and check the grants on role a again, you can see than the SELECT privilege on t2 is now included in role a:

GRANT ROLE b TO ROLE a;
SELECT grants FROM show_grants('role', 'a') ORDER BY object_id;


┌──────────────────────────────────────────────────────┐
│                        grants                        │
├──────────────────────────────────────────────────────┤
GRANT SELECT ON 'default'.'default'.'t1' TO ROLE `a`
GRANT SELECT ON 'default'.'default'.'t2' TO ROLE `a`
└──────────────────────────────────────────────────────┘

If you set enable_expand_roles to 0 and check the grants on role a again, the result will show the GRANT ROLE statement instead of listing the specific privileges inherited from role b:

SET enable_expand_roles=0;
SELECT grants FROM show_grants('role', 'a') ORDER BY object_id;


┌──────────────────────────────────────────────────────┐
│                        grants                        │
├──────────────────────────────────────────────────────┤
GRANT SELECT ON 'default'.'default'.'t1' TO ROLE `a`
GRANT ROLE b to ROLE `a`
GRANT ROLE public to ROLE `a`
└──────────────────────────────────────────────────────┘

SQL Examples

Section titled “SQL Examples”

This example illustrates how to list privileges granted to a user, a role, and on a specific object.

-- Create a new user
CREATE USER 'user1' IDENTIFIED BY 'password';


-- Create a new role
CREATE ROLE analyst;


-- Grant the analyst role to the user
GRANT ROLE analyst TO 'user1';


-- Create a stage
CREATE STAGE my_stage;


-- Grant privileges on the stage to the role
GRANT READ ON STAGE my_stage TO ROLE analyst;


-- List privileges granted to the user
SELECT * FROM SHOW_GRANTS('user', 'user1');


┌───────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ privileges │ object_name │     object_id    │ grant_to │  name  │                    grants                   │
├────────────┼─────────────┼──────────────────┼──────────┼────────┼─────────────────────────────────────────────┤
Read       │ my_stage    │             NULL │ USER     │ user1  │ GRANT Read ON STAGE my_stage TO 'user1'@'%'
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────┘


-- List privileges granted to the role
SELECT * FROM SHOW_GRANTS('role', 'analyst');


┌───────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ privileges │ object_name │     object_id    │ grant_to │   name  │                     grants                     │
├────────────┼─────────────┼──────────────────┼──────────┼─────────┼────────────────────────────────────────────────┤
Read       │ my_stage    │             NULLROLE     │ analyst │ GRANT Read ON STAGE my_stage TO ROLE `analyst`
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘


-- List privileges granted on the stage
SELECT * FROM SHOW_GRANTS('stage', 'my_stage');


┌─────────────────────────────────────────────────────────────────────────────────────┐
│ privileges │ object_name │     object_id    │ grant_to │   name  │      grants      │
├────────────┼─────────────┼──────────────────┼──────────┼─────────┼──────────────────┤
Read       │ my_stage    │             NULLROLE     │ analyst │                  │
└─────────────────────────────────────────────────────────────────────────────────────┘