What privilege should a user be granted to change permissions for new objects in a managed access schema?
What privilege should a user be granted to change permissions for new objects in a managed access schema?
Granting the OWNERSHIP privilege on the schema is the appropriate permission for a user to change permissions for new objects in a managed access schema. In managed access schemas, the schema owner, who holds the OWNERSHIP privilege on the schema, is responsible for managing all privilege decisions, including future grants on objects within the schema. This centralizes the privilege management process, ensuring that only the schema owner can make these modifications.
It should be A because as both a & c answer are correct, the 'minimum' impacting option is Ownership
Answer -- A With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.
so C is also correct?
Question itself is wrong, privileges are always granted to role, not to users. Users are always granted with roles
With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.
Confuse between A&C In managed access schemas (i.e. schemas created using the CREATE SCHEMA … WITH MANAGED ACCESS syntax), either the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the global MANAGE GRANTS privilege can grant privileges on future objects in the schema.
Yes, this question shoud to hav "(Choose two.)"
Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management. [for a managed access schema] Here we are however talking about granting permission changes privilege for NEW objects. The schema owner would automatically be granted this privilege on all object within the schema he owns. But a MANAGE GRANTS privileged role could only assign privileges using the "future" keyword
Correct
A is correct
In managed access schemas (i.e. schemas created using the CREATE SCHEMA … WITH MANAGED ACCESS syntax), object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the global MANAGE GRANTS privilege can grant privileges on objects in the schema.
A should be the answer
A correct - based on comments here
https://docs.snowflake.com/en/sql-reference/sql/create-schema CREATE SCHEMA WITH MANAGED ACCESS Specifies a managed schema. Managed access schemas centralize privilege management with the schema owner. In regular schemas, the owner of an object (i.e. the role that has the OWNERSHIP privilege on the object) can grant further privileges on their objects to other roles. In managed schemas, the schema owner manages all privilege grants, including future grants, on objects in the schema. Object owners retain the OWNERSHIP privileges on the objects; however, only the schema owner can manage privilege grants on the objects.
AC are both correct With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.
https://docs.snowflake.com/en/user-guide/security-access-control-configure
C is correct
A managed access schema is a way to centralize the management of access permissions for objects in a schema. This is done by limiting the ability to grant privileges to only the schema owner or roles with the MANAGE GRANTS privilege.
https://docs.snowflake.com/en/sql-reference/sql/grant-ownership#usage-notes A role that has the MANAGE GRANTS privilege can transfer ownership of an object to any role; in contrast, a role that does not have the MANAGE GRANTS privilege can only transfer ownership from itself to a child role within the role hierarchy. The transfer of ownership (GRANT OWNERSHIP) only affects existing objects at the time the command is issued. Any objects created after the command is issued are owned by the role in use when the object is created.
Hi I cannot find where you identified above explanation. Frankly, I never saw this idea related to future objects from the schema. I thought that owners ship of the schema will transform it in a regular schema (with DAC approach).