Snowflake

Snowflake Secondary Roles: Privilege Evaluation and Audit Impact

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

In Snowflake's role model, every session has exactly one Primary Role and zero or more Secondary Roles. The Primary Role is the traditional role you switch to with USE ROLE; when Secondary Roles are enabled, the privileges of every other role granted to the user are also evaluated at query time. This drastically reduces the operational overhead of constantly running USE ROLE to swap roles.

Basic Syntax

-- Enable Secondary Roles in the session (use privileges from every granted role)
USE SECONDARY ROLES ALL;

-- Disable Secondary Roles (evaluate only the Primary Role)
USE SECONDARY ROLES NONE;

-- Check the current Secondary Roles setting
SELECT CURRENT_SECONDARY_ROLES();

-- Check the current Primary Role
SELECT CURRENT_ROLE();

-- Change the default for a user
ALTER USER analyst_user
  SET DEFAULT_SECONDARY_ROLES = ('ALL');

-- Revert the default to NONE
ALTER USER analyst_user
  SET DEFAULT_SECONDARY_ROLES = ();

Privilege Evaluation Logic

When Secondary Roles are enabled, Snowflake combines the role hierarchies of the Primary Role and every Secondary Role to check privileges on the objects referenced by a query. The query succeeds as long as any role hierarchy in scope has the required privilege (for example, SELECT).

Detailed Comparison of Privilege Evaluation

AspectSECONDARY ROLES = NONESECONDARY ROLES = ALL
Privileges evaluatedPrimary Role hierarchy onlyPrimary Role + every granted role's hierarchy
Return value of CURRENT_ROLE()Primary Role namePrimary Role name (unchanged)
IS_ROLE_IN_SESSION()TRUE only for the Primary Role hierarchyTRUE for every granted role's hierarchy
OWNER of newly created objectsPrimary RolePrimary Role (unchanged)
ROLE_NAME in audit logsPrimary RolePrimary Role
SECONDARY_ROLE in audit logsEmptyALL
CURRENT_ROLE() inside a Masking PolicyReturns the Primary RoleReturns the Primary Role (Secondary Roles ignored)
IS_ROLE_IN_SESSION() inside a Row Access PolicyEvaluates only the Primary Role hierarchyEvaluates every granted role's hierarchy

Real-World Scenario

Let's walk through the behavior for a user who has ANALYST_ROLE (Primary) and DATA_ENGINEER_ROLE (a Secondary Role candidate) granted.

-- Set ANALYST as the Primary Role
USE ROLE ANALYST_ROLE;

-- In this state, tables owned by DATA_ENGINEER_ROLE are not accessible
SELECT * FROM raw.events;  -- ERROR: Insufficient privileges

-- Enable Secondary Roles
USE SECONDARY ROLES ALL;

-- DATA_ENGINEER_ROLE's privileges are now also evaluated, so access succeeds
SELECT * FROM raw.events;  -- success

-- CURRENT_ROLE() still returns ANALYST_ROLE
SELECT CURRENT_ROLE();  -- 'ANALYST_ROLE'

-- IS_ROLE_IN_SESSION() can confirm both roles
SELECT IS_ROLE_IN_SESSION('DATA_ENGINEER_ROLE');  -- TRUE
SELECT IS_ROLE_IN_SESSION('ANALYST_ROLE');         -- TRUE

Audit Log Impact

When Secondary Roles are enabled, the ROLE_NAME column of SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY records the Primary Role. Whether Secondary Roles were actually used is not directly recorded in QUERY_HISTORY, so for a complete audit picture you need to join it with LOGIN_HISTORY or SESSIONS.

-- Audit Secondary Roles usage per session
SELECT
  s.session_id,
  s.user_name,
  s.login_event_id,
  q.role_name AS primary_role,
  q.query_text,
  q.start_time
FROM SNOWFLAKE.ACCOUNT_USAGE.SESSIONS s
JOIN SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY q
  ON s.session_id = q.session_id
WHERE q.start_time >= DATEADD(DAY, -7, CURRENT_TIMESTAMP())
  AND q.query_text ILIKE '%USE SECONDARY ROLES%'
ORDER BY q.start_time DESC;

Policy Design Considerations

  • Limits of CURRENT_ROLE(): If a Masking Policy or Row Access Policy uses CURRENT_ROLE() for access control, Secondary Role privileges are not considered. Replace CURRENT_ROLE() with IS_ROLE_IN_SESSION() to evaluate Secondary Roles as well.
  • Tension with least privilege: Secondary Roles ALL is convenient but carries the risk of applying privileges from unintended roles. In environments handling sensitive data, prefer IS_ROLE_IN_SESSION()-based policy design.
  • Managing DEFAULT_SECONDARY_ROLES: Must be set per user via ALTER USER, so any bulk change requires a script.

Migration Pattern: CURRENT_ROLE() to IS_ROLE_IN_SESSION()

-- Before: Masking Policy based on CURRENT_ROLE()
CREATE OR REPLACE MASKING POLICY mask_ssn AS (val STRING)
  RETURNS STRING →
  CASE
    WHEN CURRENT_ROLE() IN ('HR_ADMIN', 'COMPLIANCE')
      THEN val
    ELSE '***-**-****'
  END;

-- After: based on IS_ROLE_IN_SESSION() (Secondary Roles aware)
CREATE OR REPLACE MASKING POLICY mask_ssn AS (val STRING)
  RETURNS STRING →
  CASE
    WHEN IS_ROLE_IN_SESSION('HR_ADMIN')
      OR IS_ROLE_IN_SESSION('COMPLIANCE')
      THEN val
    ELSE '***-**-****'
  END;

Check Your Understanding

Security & Governance

問題 1

A user has ANALYST set as the Primary Role and runs USE SECONDARY ROLES ALL. The user has also been granted DATA_ENGINEER. They query a table whose Row Access Policy uses the condition CURRENT_ROLE() = 'DATA_ENGINEER'. What happens?

  1. Access succeeds with DATA_ENGINEER privileges and the Row Access Policy condition evaluates to TRUE, so all rows are visible.
  2. Access to the table succeeds using DATA_ENGINEER privileges, but CURRENT_ROLE() returns ANALYST, so the Row Access Policy condition is FALSE and rows are filtered out.
  3. Secondary Roles disable Row Access Policy evaluation, so all rows are visible.
  4. Even with Secondary Roles enabled, DATA_ENGINEER's privileges cannot be used, so the query itself errors out.

正解: B

With Secondary Roles ALL enabled, table-access privileges (such as SELECT) are evaluated against the Primary Role plus every Secondary Role, so DATA_ENGINEER's privileges let the user reach the table. However, CURRENT_ROLE() always returns the Primary Role (ANALYST), so the Row Access Policy condition CURRENT_ROLE() = 'DATA_ENGINEER' evaluates to FALSE. Using IS_ROLE_IN_SESSION('DATA_ENGINEER') instead would evaluate to TRUE.

Frequently Asked Questions

How do Row Access Policies and Masking Policies behave when Secondary Roles are enabled?

When USE SECONDARY ROLES ALL is enabled, queries evaluate privileges from the Primary Role and all granted roles. However, if a Row Access Policy or Masking Policy uses CURRENT_ROLE(), CURRENT_ROLE() still returns only the Primary Role. To evaluate Secondary Role privileges in a policy, use IS_ROLE_IN_SESSION() instead. Enabling Secondary Roles in environments whose policies rely on CURRENT_ROLE() can create unexpected data visibility, so consider migrating to IS_ROLE_IN_SESSION().

Which role owns objects created while Secondary Roles are enabled?

Object ownership (the OWNERSHIP privilege) is always granted to the Primary Role. Secondary Roles only extend the privileges evaluated at query time and have no effect on the ownership of objects created via DDL. The practice of setting the right Primary Role with USE ROLE before creating an object remains unchanged when Secondary Roles are enabled.

Is USE SECONDARY ROLES ALL session-scoped, or does it affect the whole account?

USE SECONDARY ROLES ALL is a session-scoped setting and does not affect other sessions or users. However, if the DEFAULT_SECONDARY_ROLES user parameter is set to 'ALL', Secondary Roles are automatically enabled for that user's new sessions. Set it with ALTER USER u SET DEFAULT_SECONDARY_ROLES = ('ALL'), and revert it with ALTER USER u SET DEFAULT_SECONDARY_ROLES = ().

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Snowflake

Snowflake Certifications: All 11 Exams Explained (2026)

Every SnowPro certification — Associate, Core, Specialty, Ad...

Snowflake

Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)

All 11 SnowPro exams ranked by difficulty with study-time es...

Snowflake

Snowflake Study Guide: Fastest Pass Route by Exam (2026)

How to pass SnowPro certifications efficiently — official ma...

Snowflake

SnowPro Core (COF-C03): Complete Exam Guide (2026)

Pass the SnowPro Core exam — six domains, scope, sample ques...

Snowflake

SnowPro Associate Platform (SOL-C01): Complete Guide (2026)

The entry-level SnowPro Associate exam — scope, weighting, s...

Browse all Snowflake articles (103)
© 2026 NicheeLab All rights reserved.