Understanding the exact permissions applied to any object in Snowflake begins with mastering Snowflake's SHOW GRANTS command. This utility provides a clear, human-readable list of the privileges granted to a specific role or user, making it an essential part of daily administration. Without this visibility, security teams cannot confidently audit access or troubleshoot why a particular session fails to read a table.
How the Command Works in Practice
The SHOW GRANTS command accepts a target entity, such as a user or role, and returns every permission currently assigned directly or indirectly. Each output row includes the object type, object name, and the specific privilege, allowing administrators to map complex grant chains with precision. This is distinct from simply viewing a role's definition, since it surfaces effective access that may come from nested parent roles or future grants.
Common Use Cases for Administrators
Verifying that a new analyst role can select from production tables without overprivileged access.
Auditing temporary privileges assigned during a data migration project.
Confirming that a custom integration role has the minimal rights needed for an ETL pipeline.
Documenting compliance evidence for external regulatory reviews.
Syntax and Key Parameters
The core syntax is straightforward, typically written as SHOW GRANTS TO ROLE <role_name> or SHOW GRANTS TO USER <user_name>. You can also scope the results by adding optional filters, such as a specific schema or object, which helps when you only need to review access within a particular namespace. The command respects the current session's warehouse and context, so ensure the correct role is active before executing it.
Interpreting the Result Set Correctly
Reading the result set accurately requires attention to the granted_on and privilege columns, because a privilege granted on a schema does not automatically imply access to every table inside it. Snowflake's inheritance rules mean that a role can obtain privileges on child objects, but the SHOW GRANTS output lists each level explicitly only when queried at that level. Understanding this hierarchy prevents confusion when a user appears to have access in testing but not in production.
Best Practices for Security and Maintenance
Run the command regularly as part of a scheduled access review to detect privilege creep.
Combine it with role hierarchy documentation to ensure no unintended inheritance paths exist.
Automate output capture into a secure audit store to maintain a historical record for compliance.
Use least privilege by granting at the most specific object level required for the task.
Troubleshooting Common Issues
If the results seem incomplete, check that you are executing the command with an admin-level role that can view grants across the organization. Some grants may appear missing if the target entity was recently modified, due to metadata caching, so repeating the query after a short wait often resolves the discrepancy. When nested roles are involved, remember to query grants on each parent role to build the complete picture of effective access.
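The following worked session ties together the syntax above, the scheduled-review and audit-capture practices, and the nested-role troubleshooting step. It is an added example, not code from the original page or from Snowflake's documentation; the role ANALYST_RO, the objects PROD.SALES.ORDERS and SECURITY.AUDIT.GRANT_SNAPSHOTS are constructed names, and the audit table is assumed to already exist with a column layout matching the SHOW GRANTS output plus the two leading columns.

```sql
-- Assumed (constructed) names: role ANALYST_RO, table PROD.SALES.ORDERS,
-- pre-created audit table SECURITY.AUDIT.GRANT_SNAPSHOTS. Substitute your own.

-- 1. Direct grants held by a role (the core form described above).
SHOW GRANTS TO ROLE ANALYST_RO;

-- 2. SHOW output cannot take a WHERE clause directly, so read the last
--    result back through RESULT_SCAN and keep only the rows under review.
SELECT "privilege", "granted_on", "name", "granted_by", "created_on"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_on" IN ('TABLE', 'SCHEMA')
ORDER BY "granted_on", "name";

-- 3. Reverse direction: which users and roles are allowed to assume this role.
SHOW GRANTS OF ROLE ANALYST_RO;

-- 4. Object-centric view: every grant on one production table.
SHOW GRANTS ON TABLE PROD.SALES.ORDERS;

-- 5. Effective access across nested roles. SHOW GRANTS TO ROLE lists only
--    direct grants, so walk every role granted to ANALYST_RO (transitively)
--    using the ACCOUNT_USAGE view. Note: ACCOUNT_USAGE data lags live
--    metadata by up to about two hours, so it is an audit aid, not a live check.
WITH RECURSIVE role_tree AS (
    SELECT 'ANALYST_RO' AS role_name, 0 AS depth
    UNION ALL
    SELECT g.name, t.depth + 1
    FROM snowflake.account_usage.grants_to_roles g
    JOIN role_tree t ON g.grantee_name = t.role_name
    WHERE g.granted_on = 'ROLE' AND g.privilege = 'USAGE' AND g.deleted_on IS NULL
)
SELECT t.depth, t.role_name AS via_role, g.privilege, g.granted_on, g.name
FROM role_tree t
JOIN snowflake.account_usage.grants_to_roles g ON g.grantee_name = t.role_name
WHERE g.granted_on <> 'ROLE' AND g.deleted_on IS NULL
ORDER BY t.depth, g.granted_on, g.name;

-- 6. Capture a dated snapshot into the audit store so later reviews can diff
--    against it and surface privilege creep.
SHOW GRANTS TO ROLE ANALYST_RO;
INSERT INTO SECURITY.AUDIT.GRANT_SNAPSHOTS
SELECT CURRENT_TIMESTAMP() AS captured_at, 'ANALYST_RO' AS reviewed_role, *
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));
```

Step 5 requires a role with access to the SNOWFLAKE database (for example via the imported privileges granted to ACCOUNTADMIN); if step 1 returns fewer rows than expected, that is the first thing to check, per the troubleshooting note above.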
Integrating with Broader Governance Workflows
Teams treat the SHOW GRANTS output as a reliable source of truth for access reviews, incident response, and change management processes. By scripting the command into deployment pipelines, organizations can enforce that new objects do not receive broad access by default. This discipline reduces the attack surface and aligns with frameworks like SOC 2, where strict control over data visibility is mandatory.