-
Notifications
You must be signed in to change notification settings - Fork 230
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
05d5149
commit 2c851fc
Showing
10 changed files
with
315 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 2 additions & 2 deletions
4
demo/citibike_jinja/scripts/V1.1__initial_database_objects.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| -- This script is provided as a sample setup to use database roles, warehouse, admin role, deploy role as an example. | ||
| -- YOu may choose to have your own RBAC and SCHEMACHANGE database setup depending on your organization objectives. | ||
| -- Set these to personalize your deployment | ||
| SET SERVICE_USER_PASSWORD = 'CHANGEME'; | ||
| SET ADMIN_USER = 'CHANGEME'; | ||
| SET TARGET_DB_NAME = 'SCHEMACHANGE_DEMO'; -- Name of database that will have the SCHEMACHANGE Schema for change tracking. | ||
|
|
||
| -- Dependent Variables; Change the naming pattern if you want but not necessary | ||
| SET ADMIN_ROLE = $TARGET_DB_NAME || '_ADMIN'; -- This role will own the database and schemas. | ||
| SET DEPLOY_ROLE = $TARGET_DB_NAME || '_DEPLOY'; -- This role will be granted privileges to create objects in any schema in the database | ||
| SET SERVICE_USER = $TARGET_DB_NAME || '_SVC_USER'; -- This user will be granted the Deploy role. | ||
| SET WAREHOUSE_NAME = $TARGET_DB_NAME || '_WH'; | ||
| SET AC_U = '_AC_U_' || $WAREHOUSE_NAME; | ||
| SET AC_O = '_AC_O_' || $WAREHOUSE_NAME; | ||
|
|
||
| USE ROLE USERADMIN; | ||
| -- Service user used to run SCHEMACHANGE deployments | ||
| CREATE USER IF NOT EXISTS IDENTIFIER($SERVICE_USER) WITH PASSWORD=$SERVICE_USER_PASSWORD MUST_CHANGE_PASSWORD=FALSE; | ||
| -- Role granted to a human user to manage the database permissions and database roles. | ||
| CREATE ROLE IF NOT EXISTS IDENTIFIER($ADMIN_ROLE); | ||
| CREATE ROLE IF NOT EXISTS IDENTIFIER($DEPLOY_ROLE); | ||
| CREATE ROLE IF NOT EXISTS IDENTIFIER($AC_U); | ||
| CREATE ROLE IF NOT EXISTS IDENTIFIER($AC_O); | ||
| GRANT ROLE IDENTIFIER($AC_U) TO ROLE IDENTIFIER($AC_O); | ||
|
|
||
|
|
||
| -- Role hierarchy tied to SYSADMIN; | ||
| USE ROLE SECURITYADMIN; | ||
| GRANT ROLE IDENTIFIER($DEPLOY_ROLE) TO ROLE IDENTIFIER($ADMIN_ROLE); | ||
| GRANT ROLE IDENTIFIER($ADMIN_ROLE) TO ROLE SYSADMIN; | ||
|
|
||
| GRANT ROLE IDENTIFIER($DEPLOY_ROLE) TO USER IDENTIFIER($SERVICE_USER); | ||
| GRANT ROLE IDENTIFIER($ADMIN_ROLE) TO USER IDENTIFIER($ADMIN_USER); | ||
|
|
||
| USE ROLE SYSADMIN; | ||
| CREATE DATABASE IF NOT EXISTS IDENTIFIER($TARGET_DB_NAME); | ||
|
|
||
| USE ROLE SECURITYADMIN; | ||
| GRANT OWNERSHIP ON DATABASE IDENTIFIER($TARGET_DB_NAME) TO ROLE IDENTIFIER($ADMIN_ROLE) WITH GRANT OPTION; | ||
|
|
||
| USE ROLE SYSADMIN; | ||
| CREATE WAREHOUSE IF NOT EXISTS IDENTIFIER($WAREHOUSE_NAME); | ||
| USE ROLE SECURITYADMIN; | ||
| GRANT OWNERSHIP ON WAREHOUSE IDENTIFIER($WAREHOUSE_NAME) TO ROLE IDENTIFIER($ADMIN_ROLE) WITH GRANT OPTION; | ||
| GRANT USAGE ON WAREHOUSE IDENTIFIER($WAREHOUSE_NAME) TO ROLE IDENTIFIER($AC_U); | ||
| GRANT OPERATE ON WAREHOUSE IDENTIFIER($WAREHOUSE_NAME) TO ROLE IDENTIFIER($AC_O); | ||
| GRANT ROLE IDENTIFIER($AC_U) TO ROLE IDENTIFIER($DEPLOY_ROLE); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| SET TARGET_SCHEMA_NAME = 'SCHEMACHANGE'; | ||
| SET TARGET_DB_NAME = 'SCHEMACHANGE_DEMO'; -- Name of database that will have the SCHEMACHANGE Schema for change tracking. | ||
| -- Dependent Variables; Change the naming pattern if you want but not necessary | ||
| SET ADMIN_ROLE = $TARGET_DB_NAME || '_ADMIN'; -- This role will own the database and schemas. | ||
| SET DEPLOY_ROLE = $TARGET_DB_NAME || '_DEPLOY'; -- This role will be granted privileges to create objects in any schema in the database | ||
| SET WAREHOUSE_NAME = $TARGET_DB_NAME || '_WH'; | ||
| SET SCHEMACHANGE_NAMESPACE = $TARGET_DB_NAME || '.' || $TARGET_SCHEMA_NAME; | ||
| SET SC_M = 'SC_M_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_R = 'SC_R_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_W = 'SC_W_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_C = 'SC_C_' || $TARGET_SCHEMA_NAME; | ||
|
|
||
| USE ROLE IDENTIFIER($ADMIN_ROLE); | ||
| USE DATABASE IDENTIFIER($TARGET_DB_NAME); | ||
| USE WAREHOUSE IDENTIFIER($WAREHOUSE_NAME); | ||
|
|
||
| CREATE DATABASE ROLE IF NOT EXISTS DB_M; | ||
| CREATE DATABASE ROLE IF NOT EXISTS DB_R; | ||
| CREATE DATABASE ROLE IF NOT EXISTS DB_W; | ||
| CREATE DATABASE ROLE IF NOT EXISTS DB_C; | ||
|
|
||
| GRANT DATABASE ROLE DB_C TO ROLE IDENTIFIER($DEPLOY_ROLE); | ||
|
|
||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_M); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_R); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_W); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_C); | ||
|
|
||
| GRANT DATABASE ROLE IDENTIFIER($SC_M) TO DATABASE ROLE DB_M; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_R) TO DATABASE ROLE DB_R; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_W) TO DATABASE ROLE DB_W; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_C) TO DATABASE ROLE DB_C; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_M) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_R) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_W) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| CREATE SCHEMA IF NOT EXISTS IDENTIFIER($TARGET_SCHEMA_NAME) WITH MANAGED ACCESS; | ||
| -- USE SCHEMA INFORMATION_SCHEMA; | ||
| -- DROP SCHEMA IF EXISTS PUBLIC; | ||
|
|
||
| USE SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE); | ||
| -- SCHEMA | ||
| -- SC_M | ||
| GRANT USAGE ON DATABASE IDENTIFIER($TARGET_DB_NAME) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT USAGE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT MONITOR ON DATABASE IDENTIFIER($TARGET_DB_NAME) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT MONITOR ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| -- None | ||
| -- SC_C | ||
| GRANT MODIFY, APPLYBUDGET, ADD SEARCH OPTIMIZATION ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| -- TABLES | ||
| -- SC_M | ||
| GRANT REFERENCES ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT REFERENCES ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT SELECT ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT SELECT ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| GRANT INSERT, UPDATE, DELETE, TRUNCATE, EVOLVE SCHEMA ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT INSERT, UPDATE, DELETE, TRUNCATE, EVOLVE SCHEMA ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| -- SC_C | ||
| GRANT CREATE TABLE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| SET TARGET_SCHEMA_NAME = 'CITIBIKE_DEMO'; | ||
| SET TARGET_DB_NAME = 'SCHEMACHANGE_DEMO'; -- Name of database that will have the SCHEMACHANGE Schema for change tracking. | ||
| -- Dependent Variables; Change the naming pattern if you want but not necessary | ||
| SET ADMIN_ROLE = $TARGET_DB_NAME || '_ADMIN'; -- This role will own the database and schemas. | ||
| SET DEPLOY_ROLE = $TARGET_DB_NAME || '_DEPLOY'; -- This role will be granted privileges to create objects in any schema in the database | ||
| SET WAREHOUSE_NAME = $TARGET_DB_NAME || '_WH'; | ||
| SET SCHEMACHANGE_NAMESPACE = $TARGET_DB_NAME || '.' || $TARGET_SCHEMA_NAME; | ||
| SET SC_M = 'SC_M_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_R = 'SC_R_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_W = 'SC_W_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_C = 'SC_C_' || $TARGET_SCHEMA_NAME; | ||
|
|
||
| USE ROLE IDENTIFIER($ADMIN_ROLE); | ||
| USE DATABASE IDENTIFIER($TARGET_DB_NAME); | ||
| USE WAREHOUSE IDENTIFIER($WAREHOUSE_NAME); | ||
|
|
||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_M); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_R); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_W); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_C); | ||
|
|
||
| GRANT DATABASE ROLE IDENTIFIER($SC_M) TO DATABASE ROLE DB_M; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_R) TO DATABASE ROLE DB_R; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_W) TO DATABASE ROLE DB_W; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_C) TO DATABASE ROLE DB_C; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_M) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_R) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_W) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| CREATE SCHEMA IF NOT EXISTS IDENTIFIER($TARGET_SCHEMA_NAME) WITH MANAGED ACCESS; | ||
| -- USE SCHEMA INFORMATION_SCHEMA; | ||
| -- DROP SCHEMA IF EXISTS PUBLIC; | ||
|
|
||
| USE SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE); | ||
| -- SCHEMA | ||
| -- SC_M | ||
| GRANT USAGE ON DATABASE IDENTIFIER($TARGET_DB_NAME) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT USAGE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT MONITOR ON DATABASE IDENTIFIER($TARGET_DB_NAME) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT MONITOR ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| -- None | ||
| -- SC_C | ||
| GRANT MODIFY, APPLYBUDGET, ADD SEARCH OPTIMIZATION ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| -- TABLES | ||
| -- SC_M | ||
| GRANT REFERENCES ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT REFERENCES ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT SELECT ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT SELECT ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| GRANT INSERT, UPDATE, DELETE, TRUNCATE, EVOLVE SCHEMA ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT INSERT, UPDATE, DELETE, TRUNCATE, EVOLVE SCHEMA ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| -- SC_C | ||
| GRANT CREATE TABLE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| -- STAGES | ||
| -- SC_M | ||
| GRANT USAGE ON ALL STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT USAGE ON FUTURE STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT READ ON ALL STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT READ ON FUTURE STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| GRANT READ,WRITE ON ALL STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT READ,WRITE ON FUTURE STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| -- SC_C | ||
| GRANT CREATE STAGE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
|
|
||
| -- FILE FORMATS | ||
| -- SC_M | ||
| GRANT USAGE ON ALL FILE FORMATS IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT USAGE ON FUTURE FILE FORMATS IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| -- N/A | ||
| -- SC_W | ||
| -- N/A | ||
| -- SC_C | ||
| GRANT CREATE FILE FORMAT ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| SET TARGET_SCHEMA_NAME = 'CITIBIKE_DEMO_JINJA'; | ||
| SET TARGET_DB_NAME = 'SCHEMACHANGE_DEMO'; -- Name of database that will have the SCHEMACHANGE Schema for change tracking. | ||
| -- Dependent Variables; Change the naming pattern if you want but not necessary | ||
| SET ADMIN_ROLE = $TARGET_DB_NAME || '_ADMIN'; -- This role will own the database and schemas. | ||
| SET DEPLOY_ROLE = $TARGET_DB_NAME || '_DEPLOY'; -- This role will be granted privileges to create objects in any schema in the database | ||
| SET WAREHOUSE_NAME = $TARGET_DB_NAME || '_WH'; | ||
| SET SCHEMACHANGE_NAMESPACE = $TARGET_DB_NAME || '.' || $TARGET_SCHEMA_NAME; | ||
| SET SC_M = 'SC_M_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_R = 'SC_R_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_W = 'SC_W_' || $TARGET_SCHEMA_NAME; | ||
| SET SC_C = 'SC_C_' || $TARGET_SCHEMA_NAME; | ||
|
|
||
| USE ROLE IDENTIFIER($ADMIN_ROLE); | ||
| USE DATABASE IDENTIFIER($TARGET_DB_NAME); | ||
| USE WAREHOUSE IDENTIFIER($WAREHOUSE_NAME); | ||
|
|
||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_M); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_R); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_W); | ||
| CREATE DATABASE ROLE IF NOT EXISTS IDENTIFIER($SC_C); | ||
|
|
||
| GRANT DATABASE ROLE IDENTIFIER($SC_M) TO DATABASE ROLE DB_M; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_R) TO DATABASE ROLE DB_R; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_W) TO DATABASE ROLE DB_W; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_C) TO DATABASE ROLE DB_C; | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_M) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_R) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT DATABASE ROLE IDENTIFIER($SC_W) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| CREATE SCHEMA IF NOT EXISTS IDENTIFIER($TARGET_SCHEMA_NAME) WITH MANAGED ACCESS; | ||
| -- USE SCHEMA INFORMATION_SCHEMA; | ||
| -- DROP SCHEMA IF EXISTS PUBLIC; | ||
|
|
||
| USE SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE); | ||
| -- SCHEMA | ||
| -- SC_M | ||
| GRANT USAGE ON DATABASE IDENTIFIER($TARGET_DB_NAME) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT USAGE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT MONITOR ON DATABASE IDENTIFIER($TARGET_DB_NAME) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT MONITOR ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| -- None | ||
| -- SC_C | ||
| GRANT MODIFY, APPLYBUDGET, ADD SEARCH OPTIMIZATION ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| -- TABLES | ||
| -- SC_M | ||
| GRANT REFERENCES ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT REFERENCES ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT SELECT ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT SELECT ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| GRANT INSERT, UPDATE, DELETE, TRUNCATE, EVOLVE SCHEMA ON ALL TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT INSERT, UPDATE, DELETE, TRUNCATE, EVOLVE SCHEMA ON FUTURE TABLES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| -- SC_C | ||
| GRANT CREATE TABLE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
| -- STAGES | ||
| -- SC_M | ||
| GRANT USAGE ON ALL STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT USAGE ON FUTURE STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| GRANT READ ON ALL STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| GRANT READ ON FUTURE STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_R); | ||
| -- SC_W | ||
| GRANT READ,WRITE ON ALL STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| GRANT READ,WRITE ON FUTURE STAGES IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_W); | ||
| -- SC_C | ||
| GRANT CREATE STAGE ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); | ||
|
|
||
|
|
||
| -- FILE FORMATS | ||
| -- SC_M | ||
| GRANT USAGE ON ALL FILE FORMATS IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| GRANT USAGE ON FUTURE FILE FORMATS IN SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_M); | ||
| -- SC_R | ||
| -- N/A | ||
| -- SC_W | ||
| -- N/A | ||
| -- SC_C | ||
| GRANT CREATE FILE FORMAT ON SCHEMA IDENTIFIER($SCHEMACHANGE_NAMESPACE) TO DATABASE ROLE IDENTIFIER($SC_C); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| SET TARGET_DB_NAME = 'SCHEMACHANGE_DEMO'; -- Name of database that will have the SCHEMACHANGE Schema for change tracking. | ||
|
|
||
| -- Dependent Variables; Change the naming pattern if you want but not necessary | ||
| SET ADMIN_ROLE = $TARGET_DB_NAME || '_ADMIN'; -- This role will own the database and schemas. | ||
| SET DEPLOY_ROLE = $TARGET_DB_NAME || '_DEPLOY'; -- This role will be granted privileges to create objects in any schema in the database | ||
| SET SERVICE_USER = $TARGET_DB_NAME || '_SVC_USER'; -- This user will be granted the Deploy role. | ||
| SET WAREHOUSE_NAME = $TARGET_DB_NAME || '_WH'; | ||
| SET AC_U = '_AC_U_' || $WAREHOUSE_NAME; | ||
| SET AC_O = '_AC_O_' || $WAREHOUSE_NAME; | ||
|
|
||
| USE ROLE IDENTIFIER($ADMIN_ROLE); | ||
|
|
||
| DROP DATABASE IF EXISTS IDENTIFIER($TARGET_DB_NAME); | ||
| DROP WAREHOUSE IF EXISTS IDENTIFIER($WAREHOUSE_NAME); | ||
|
|