In Snowflake's role model, every session has exactly one Primary Role and zero or more Secondary Roles. The Primary Role is the traditional role you switch to with USE ROLE; when Secondary Roles are enabled, the privileges of every other role granted to the user are also evaluated at query time. This drastically reduces the operational overhead of constantly running USE ROLE to swap roles.
-- Enable Secondary Roles in the session (use privileges from every granted role)
USE SECONDARY ROLES ALL;
-- Disable Secondary Roles (evaluate only the Primary Role)
USE SECONDARY ROLES NONE;
-- Check the current Secondary Roles setting
SELECT CURRENT_SECONDARY_ROLES();
-- Check the current Primary Role
SELECT CURRENT_ROLE();
-- Change the default for a user
ALTER USER analyst_user
SET DEFAULT_SECONDARY_ROLES = ('ALL');
-- Revert the default to NONE
ALTER USER analyst_user
SET DEFAULT_SECONDARY_ROLES = ();When Secondary Roles are enabled, Snowflake combines the role hierarchies of the Primary Role and every Secondary Role to check privileges on the objects referenced by a query. The query succeeds as long as any role hierarchy in scope has the required privilege (for example, SELECT).
| Aspect | SECONDARY ROLES = NONE | SECONDARY ROLES = ALL |
|---|---|---|
| Privileges evaluated | Primary Role hierarchy only | Primary Role + every granted role's hierarchy |
| Return value of CURRENT_ROLE() | Primary Role name | Primary Role name (unchanged) |
| IS_ROLE_IN_SESSION() | TRUE only for the Primary Role hierarchy | TRUE for every granted role's hierarchy |
| OWNER of newly created objects | Primary Role | Primary Role (unchanged) |
| ROLE_NAME in audit logs | Primary Role | Primary Role |
| SECONDARY_ROLE in audit logs | Empty | ALL |
| CURRENT_ROLE() inside a Masking Policy | Returns the Primary Role | Returns the Primary Role (Secondary Roles ignored) |
| IS_ROLE_IN_SESSION() inside a Row Access Policy | Evaluates only the Primary Role hierarchy | Evaluates every granted role's hierarchy |
Let's walk through the behavior for a user who has ANALYST_ROLE (Primary) and DATA_ENGINEER_ROLE (a Secondary Role candidate) granted.
-- Set ANALYST as the Primary Role
USE ROLE ANALYST_ROLE;
-- In this state, tables owned by DATA_ENGINEER_ROLE are not accessible
SELECT * FROM raw.events; -- ERROR: Insufficient privileges
-- Enable Secondary Roles
USE SECONDARY ROLES ALL;
-- DATA_ENGINEER_ROLE's privileges are now also evaluated, so access succeeds
SELECT * FROM raw.events; -- success
-- CURRENT_ROLE() still returns ANALYST_ROLE
SELECT CURRENT_ROLE(); -- 'ANALYST_ROLE'
-- IS_ROLE_IN_SESSION() can confirm both roles
SELECT IS_ROLE_IN_SESSION('DATA_ENGINEER_ROLE'); -- TRUE
SELECT IS_ROLE_IN_SESSION('ANALYST_ROLE'); -- TRUEWhen Secondary Roles are enabled, the ROLE_NAME column of SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY records the Primary Role. Whether Secondary Roles were actually used is not directly recorded in QUERY_HISTORY, so for a complete audit picture you need to join it with LOGIN_HISTORY or SESSIONS.
-- Audit Secondary Roles usage per session
SELECT
s.session_id,
s.user_name,
s.login_event_id,
q.role_name AS primary_role,
q.query_text,
q.start_time
FROM SNOWFLAKE.ACCOUNT_USAGE.SESSIONS s
JOIN SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY q
ON s.session_id = q.session_id
WHERE q.start_time >= DATEADD(DAY, -7, CURRENT_TIMESTAMP())
AND q.query_text ILIKE '%USE SECONDARY ROLES%'
ORDER BY q.start_time DESC;-- Before: Masking Policy based on CURRENT_ROLE()
CREATE OR REPLACE MASKING POLICY mask_ssn AS (val STRING)
RETURNS STRING →
CASE
WHEN CURRENT_ROLE() IN ('HR_ADMIN', 'COMPLIANCE')
THEN val
ELSE '***-**-****'
END;
-- After: based on IS_ROLE_IN_SESSION() (Secondary Roles aware)
CREATE OR REPLACE MASKING POLICY mask_ssn AS (val STRING)
RETURNS STRING →
CASE
WHEN IS_ROLE_IN_SESSION('HR_ADMIN')
OR IS_ROLE_IN_SESSION('COMPLIANCE')
THEN val
ELSE '***-**-****'
END;Security & Governance
問題 1
A user has ANALYST set as the Primary Role and runs USE SECONDARY ROLES ALL. The user has also been granted DATA_ENGINEER. They query a table whose Row Access Policy uses the condition CURRENT_ROLE() = 'DATA_ENGINEER'. What happens?
正解: B
With Secondary Roles ALL enabled, table-access privileges (such as SELECT) are evaluated against the Primary Role plus every Secondary Role, so DATA_ENGINEER's privileges let the user reach the table. However, CURRENT_ROLE() always returns the Primary Role (ANALYST), so the Row Access Policy condition CURRENT_ROLE() = 'DATA_ENGINEER' evaluates to FALSE. Using IS_ROLE_IN_SESSION('DATA_ENGINEER') instead would evaluate to TRUE.
How do Row Access Policies and Masking Policies behave when Secondary Roles are enabled?
When USE SECONDARY ROLES ALL is enabled, queries evaluate privileges from the Primary Role and all granted roles. However, if a Row Access Policy or Masking Policy uses CURRENT_ROLE(), CURRENT_ROLE() still returns only the Primary Role. To evaluate Secondary Role privileges in a policy, use IS_ROLE_IN_SESSION() instead. Enabling Secondary Roles in environments whose policies rely on CURRENT_ROLE() can create unexpected data visibility, so consider migrating to IS_ROLE_IN_SESSION().
Which role owns objects created while Secondary Roles are enabled?
Object ownership (the OWNERSHIP privilege) is always granted to the Primary Role. Secondary Roles only extend the privileges evaluated at query time and have no effect on the ownership of objects created via DDL. The practice of setting the right Primary Role with USE ROLE before creating an object remains unchanged when Secondary Roles are enabled.
Is USE SECONDARY ROLES ALL session-scoped, or does it affect the whole account?
USE SECONDARY ROLES ALL is a session-scoped setting and does not affect other sessions or users. However, if the DEFAULT_SECONDARY_ROLES user parameter is set to 'ALL', Secondary Roles are automatically enabled for that user's new sessions. Set it with ALTER USER u SET DEFAULT_SECONDARY_ROLES = ('ALL'), and revert it with ALTER USER u SET DEFAULT_SECONDARY_ROLES = ().
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Snowflake Certifications: All 11 Exams Explained (2026)
Every SnowPro certification — Associate, Core, Specialty, Ad...
Snowflake Exam Difficulty Ranking: All 11 Certs Compared (2026)
All 11 SnowPro exams ranked by difficulty with study-time es...
Snowflake Study Guide: Fastest Pass Route by Exam (2026)
How to pass SnowPro certifications efficiently — official ma...
SnowPro Core (COF-C03): Complete Exam Guide (2026)
Pass the SnowPro Core exam — six domains, scope, sample ques...
SnowPro Associate Platform (SOL-C01): Complete Guide (2026)
The entry-level SnowPro Associate exam — scope, weighting, s...