I am trying to assign a masking policy to a tag in Snowflake, but I run into problems with the required privileges, or with missing objects, depending on which role I use.
What I do:
use database DATABASE;
use schema SCHEMA;
--CREATE TAG
create or replace tag sensitive_values;
--CREATE MASKING POLICY
create or replace masking policy values_mask as (val int) returns int ->
case
when current_role() in ('SYSADMIN') then val
else null
end;
--ASSOCIATE MASKING POLICY AND TAG
alter tag DATABASE.SCHEMA.sensitive_values set masking policy values_mask;
When I use the role SECURITYADMIN, I get the following error: SQL compilation error: Database 'DATABASE' does not exist or not authorized.
When I use the role SYSADMIN, I get the following error: SQL access control error: Insufficient privileges to operate on tag 'SENSITIVE_VALUES'
What am I missing?
Following @TomMeacham's suggestion, I created a dedicated role to manage my tags:
--CREATE ROLE
use role securityadmin;
create role tag_admin comment = 'Admin role manage tag';
GRANT USAGE ON DATABASE DATABASE_NAME TO ROLE tag_admin;
GRANT USAGE ON SCHEMA DATABASE_NAME.SCHEMA_NAME TO ROLE tag_admin;
grant create masking policy on schema DATABASE_NAME.SCHEMA_NAME to role tag_admin;
grant create tag on schema DATABASE_NAME.SCHEMA_NAME to role tag_admin;
use role accountadmin;
grant apply tag on account to role tag_admin;
grant apply masking policy on account to role tag_admin;
GRANT ROLE tag_admin TO USER USER_NAME;
--ASSIGN TAG TO MASKING POLICY
use role tag_admin;
use database DATABASE_NAME;
use schema SCHEMA_NAME;
alter tag DATABASE_NAME.SCHEMA_NAME.sensitive_values set masking policy values_mask;
Now the tag is assigned to the masking policy.
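Binding the policy to the tag is only half the job; the policy takes effect on a column once that column carries the tag, and it is worth confirming that the binding is actually active. The following verification is an added example, not part of the original post: it assumes the tag_admin role, the sensitive_values tag and the values_mask policy from above already exist, and the table salaries and the role reporting_role are constructed for the example.

```sql
-- Added example: check that the tag-based masking policy really masks a column.
-- The salaries table and the reporting_role role are constructed for this example.
use role sysadmin;
use database DATABASE_NAME;
use schema SCHEMA_NAME;
create or replace table salaries (emp_id int, salary int);
insert into salaries values (1, 90000), (2, 120000);

-- Tag the column. The policy bound to the tag applies to every tagged column
-- whose data type matches the policy signature (INT here); a tagged column of
-- another type is left unmasked, which is the failure mode to watch for.
use role tag_admin;  -- holds APPLY TAG on the account (granted above)
alter table DATABASE_NAME.SCHEMA_NAME.salaries
  modify column salary set tag sensitive_values = 'true';

-- Confirm the policy is attached to the column through the tag. A non-empty
-- policy_status explains why a tagged column is not being masked.
select policy_name, policy_kind, ref_column_name, tag_name, policy_status
from table(DATABASE_NAME.information_schema.policy_references(
  ref_entity_name   => 'DATABASE_NAME.SCHEMA_NAME.SALARIES',
  ref_entity_domain => 'TABLE'));

-- SYSADMIN is allowed by the policy and sees the real salaries ...
use role sysadmin;
select emp_id, salary from salaries;

-- ... any other role (assumed to hold SELECT on the table) sees NULL in salary.
use role reporting_role;
select emp_id, salary from salaries;
```

The second select should return NULL in the salary column while emp_id stays visible; if it returns real values, check policy_status in the policy_references output before revisiting the grants.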