A new CUSTOMER table is created by a data pipeline in a Snowflake schema where MANAGED ACCESS is enabled.
Which roles can grant access to the CUSTOMER table? (Choose three.)
In a managed access schema in Snowflake, the object owners lose the ability to make grant decisions. Only the schema owner (i.e., the role with the OWNERSHIP privilege on the schema), the SECURITYADMIN role, and any role with the MANAGE GRANTS privilege can grant access to objects in the schema. Therefore, the correct roles that can grant access to the CUSTOMER table are the role that owns the schema, the SECURITYADMIN role, and the USERADMIN role with the MANAGE GRANTS privilege.
Wrong solution, should be A-E-F: In managed access schemas (i.e. schemas created using the CREATE SCHEMA … WITH MANAGED ACCESS syntax), object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the global MANAGE GRANTS privilege can grant privileges on objects in the schema.
https://docs.snowflake.com/en/user-guide/security-access-control-configure
- SECURITYADMIN or higher
- Schema owner
- Any role with the MANAGE GRANTS privilege
Thank you! I was struggling with this solution because it doesn't match the Snowflake documentation. AEF should be correct.
https://docs.snowflake.com/en/user-guide/security-access-control-considerations#centralizing-grant-management-using-managed-access-schemas
To further lock down object security, consider using managed access schemas. In a managed access schema, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.
https://docs.snowflake.com/en/user-guide/security-access-control-considerations#using-the-accountadmin-role
The security administrator (i.e. users with the SECURITYADMIN system role) role includes the global MANAGE GRANTS privilege to grant or revoke privileges on objects in the account.
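The rule quoted from the documentation above, walked through as an added example (not part of the original question, the comments, or Snowflake's documentation). DEMO_DB, SALES and the roles SCHEMA_OWNER, PIPELINE_ROLE, ANALYST and GRANT_ADMIN are constructed names; the example assumes those roles and the database already exist and that the session user has been granted each role it switches to.

```sql
-- Constructed names throughout: DEMO_DB, SALES, SCHEMA_OWNER, PIPELINE_ROLE,
-- ANALYST, GRANT_ADMIN. Assumes the roles already have USAGE on DEMO_DB.

-- 1. Create the schema with managed access; SCHEMA_OWNER becomes the schema owner.
USE ROLE SCHEMA_OWNER;   -- assumed to hold CREATE SCHEMA on DEMO_DB
CREATE SCHEMA DEMO_DB.SALES WITH MANAGED ACCESS;
GRANT USAGE, CREATE TABLE ON SCHEMA DEMO_DB.SALES TO ROLE PIPELINE_ROLE;

-- 2. The pipeline role creates the table, so it holds OWNERSHIP on CUSTOMER.
USE ROLE PIPELINE_ROLE;
CREATE TABLE DEMO_DB.SALES.CUSTOMER (ID NUMBER, NAME STRING);

-- 3. Object owner tries to grant: this statement fails, because in a managed
--    access schema the object owner cannot make grant decisions.
GRANT SELECT ON TABLE DEMO_DB.SALES.CUSTOMER TO ROLE ANALYST;

-- 4. Schema owner (OWNERSHIP on the schema): the same grant succeeds.
USE ROLE SCHEMA_OWNER;
GRANT SELECT ON TABLE DEMO_DB.SALES.CUSTOMER TO ROLE ANALYST;

-- 5. SECURITYADMIN holds the global MANAGE GRANTS privilege: grants succeed,
--    including future grants on the schema.
USE ROLE SECURITYADMIN;
GRANT SELECT ON FUTURE TABLES IN SCHEMA DEMO_DB.SALES TO ROLE ANALYST;

-- 6. Any other role that is given MANAGE GRANTS can also grant on CUSTOMER.
USE ROLE ACCOUNTADMIN;
GRANT MANAGE GRANTS ON ACCOUNT TO ROLE GRANT_ADMIN;
USE ROLE GRANT_ADMIN;
GRANT INSERT ON TABLE DEMO_DB.SALES.CUSTOMER TO ROLE ANALYST;

-- 7. Review: the "options" column shows MANAGED ACCESS for the schema, and the
--    grants listing shows who granted each privilege on the table.
SHOW SCHEMAS LIKE 'SALES' IN DATABASE DEMO_DB;
SHOW GRANTS ON TABLE DEMO_DB.SALES.CUSTOMER;
```

When auditing a managed access schema, the roles to review are the schema owner and every role listed by `SHOW GRANTS ON ACCOUNT` as holding MANAGE GRANTS, since those are the only roles that can change access to its objects.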