-- current user (accountadmin): rsahu
use role useradmin;
create role r1;
use role useradmin;
create role r2;
use role useradmin;
grant role r1 to user rsahu;
grant role r2 to user rsahu;
use role sysadmin;
grant create database on account to role r1;
use role r1;
create database db1;
show grants on database db1; -- ownership by r1
use role r2;
drop database db1; -- success, how?
rsahu
has different roles granted to it: accountadmin, useradmin, sysadmin, securityadmin, r1 and r2
.
Using role r2
, how did the last statement succeeded even though r2
does not have any privilege on db1
?
TIA!
Secondary roles may be used. Before you switch to role r2, use the command below and try the drop.
use secondary roles none;
https://docs.snowflake.com/en/sql-reference/sql/use-secondary-roles