Which roles can make grant decisions to objects within a managed access schema? (Choose two.)
In a managed access schema, only roles with the MANAGE GRANTS privilege can make grant decisions. Two predefined roles that inherently possess this privilege are ACCOUNTADMIN and SECURITYADMIN. Therefore, these roles can make grant decisions within a managed access schema.
Can grant object privileges in a managed access schema:
1. SECURITYADMIN or higher
2. Schema owner
3. Any role with the MANAGE GRANTS privilege
AB https://docs.snowflake.com/en/user-guide/security-access-control-configure#label-managed-access-schemas
AB - SECURITYADMIN or higher... higher is only ACCOUNTADMIN https://docs.snowflake.com/en/user-guide/security-access-control-configure#label-managed-access-schemas
A and B are correct: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege Only the SECURITYADMIN and ACCOUNTADMIN system roles have the MANAGE GRANTS privilege; however, the privilege can be granted to custom roles. https://docs.snowflake.com/en/user-guide/security-access-control-configure With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management. Since SECURITYADMIN and ACCOUNTADMIN have the MANAGE GRANTS global privilege, they can grant privileges on objects in a managed access schema.
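The behaviour described in the comments above, as an added example that is not part of the original discussion: a managed access schema where the object owner's grant is refused while the schema owner and a MANAGE GRANTS holder can grant. All database, schema, table and role names are hypothetical; the sketch assumes the custom roles already exist, are granted to the current user, and that `schema_owner_role` can create schemas in `demo_db` while `table_owner_role` has USAGE on it.

```sql
-- Hypothetical names throughout (demo_db, managed_sch, events, *_role).

-- 1. The schema owner creates the schema with managed access enabled
--    and lets another role create tables in it.
USE ROLE schema_owner_role;
CREATE SCHEMA demo_db.managed_sch WITH MANAGED ACCESS;
GRANT USAGE, CREATE TABLE ON SCHEMA demo_db.managed_sch TO ROLE table_owner_role;

-- 2. The object owner creates a table. It owns the table, but in a
--    managed access schema it cannot make grant decisions on it.
USE ROLE table_owner_role;
CREATE TABLE demo_db.managed_sch.events (id INT);
-- Expected to be rejected: object owners lose the ability to grant.
GRANT SELECT ON TABLE demo_db.managed_sch.events TO ROLE analyst_role;

-- 3. The schema owner (OWNERSHIP on the schema) can grant on the object,
--    including future grants.
USE ROLE schema_owner_role;
GRANT SELECT ON TABLE demo_db.managed_sch.events TO ROLE analyst_role;
GRANT SELECT ON FUTURE TABLES IN SCHEMA demo_db.managed_sch TO ROLE analyst_role;

-- Confirm the schema is managed: the "options" column shows MANAGED ACCESS.
SHOW SCHEMAS LIKE 'MANAGED_SCH' IN DATABASE demo_db;

-- 4. SECURITYADMIN holds the global MANAGE GRANTS privilege, so it can
--    grant on the object as well.
USE ROLE SECURITYADMIN;
GRANT INSERT ON TABLE demo_db.managed_sch.events TO ROLE analyst_role;

-- MANAGE GRANTS can also be delegated to a custom role.
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE grant_admin_role;

-- 5. Review who can make grant decisions and what was granted.
SHOW GRANTS ON ACCOUNT;                              -- look for MANAGE GRANTS rows
SHOW GRANTS ON TABLE demo_db.managed_sch.events;     -- grants made in steps 3 and 4
```

Because MANAGE GRANTS applies account-wide, the `SHOW GRANTS ON ACCOUNT` output is the place to check which custom roles hold it before relying on a managed access schema to centralize privilege management.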