Grants a single privilege on a zone to a user or role.
```sql
GRANT <privilege> ON ZONE <zone> TO {USER | ROLE} <grantee>
```
## Overview

GRANT ON ZONE grants a single privilege on a zone to a user or role. Zone-level grants control visibility of and creation rights inside the zone; they do not propagate automatically to schemas or tables underneath.

## Behavior

- The privilege grant is hierarchically scoped: USAGE on a zone lets the grantee see schemas; it does not imply USAGE on those schemas. To allow schema visibility you must also grant USAGE on each relevant schema.
- The grant is idempotent. Re-granting the same (privilege, zone, grantee) tuple succeeds with no error and does not duplicate the entry.
- The Control Plane validates that the privilege is meaningful for a zone. Attempting to grant a privilege that does not apply to zones is rejected at execution time.
- When the zone is dropped, all grants on the zone are removed automatically.

## Access Control

Requires the `ManageGrants` privilege on the zone.

## Compatibility

DeltaForge extension.

| Name | Type | Description |
|---|---|---|
| privilege | | Specifies the privilege to grant. Valid privileges for a zone include `USAGE` (visibility into the zone) and `CREATE` (create schemas in the zone). |
| zone | | Specifies the zone. |
| grantee_type | | Specifies the grantee kind: `USER` or `ROLE`. |
| grantee | | Specifies the user or role name. |

```sql
-- Allow a role to see schemas in a zone
GRANT USAGE ON ZONE gold TO ROLE analyst;

-- Allow a user to create schemas in a zone
GRANT CREATE ON ZONE silver TO USER pipeline_owner;
```
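
The rules in the Behavior section (idempotent grants, privilege validation, no propagation from zone to schema, cleanup on zone drop) can be reasoned about with a small in-memory model. This is an added example, not DeltaForge code: `GrantStore`, its methods, the schema-grant representation and the `gold.sales` schema name are assumptions made for illustration.

```python
ZONE_PRIVILEGES = {"USAGE", "CREATE"}  # zone privileges the page lists as valid


class GrantStore:
    """In-memory model of the grant behavior described above (not DeltaForge code)."""

    def __init__(self):
        # Tuples in a set: re-granting the same tuple cannot duplicate an entry.
        self.grants = set()

    def grant_on_zone(self, privilege, zone, grantee_type, grantee):
        if privilege not in ZONE_PRIVILEGES:
            raise ValueError(f"{privilege} does not apply to zones")
        if grantee_type not in ("USER", "ROLE"):
            raise ValueError("grantee_type must be USER or ROLE")
        self.grants.add((privilege, "ZONE", zone, grantee_type, grantee))

    def grant_on_schema(self, privilege, zone, schema, grantee_type, grantee):
        # Assumed representation of a schema grant; the page shows no schema syntax.
        self.grants.add((privilege, "SCHEMA", f"{zone}.{schema}", grantee_type, grantee))

    def has(self, privilege, kind, name, grantee_type, grantee):
        # Exact-match lookup only: a zone grant never satisfies a schema check.
        return (privilege, kind, name, grantee_type, grantee) in self.grants

    def drop_zone(self, zone):
        # Models "all grants on the zone are removed"; schema grants are left
        # alone because the page does not say what happens to them.
        self.grants = {g for g in self.grants if (g[1], g[2]) != ("ZONE", zone)}

    def zone_usage_without_schema_usage(self, zone):
        """Audit helper: grantees with USAGE on the zone but on none of its schemas."""
        on_schema = {(g[3], g[4]) for g in self.grants
                     if g[0] == "USAGE" and g[1] == "SCHEMA" and g[2].startswith(zone + ".")}
        on_zone = {(g[3], g[4]) for g in self.grants
                   if g[0] == "USAGE" and g[1] == "ZONE" and g[2] == zone}
        return sorted(on_zone - on_schema)


def demo():
    store = GrantStore()
    store.grant_on_zone("USAGE", "gold", "ROLE", "analyst")
    store.grant_on_zone("USAGE", "gold", "ROLE", "analyst")  # idempotent re-grant
    store.grant_on_zone("CREATE", "silver", "USER", "pipeline_owner")
    return store
```

The audit helper lists grantees that hold `USAGE` on a zone but on no schema inside it, which is the state the two statements above leave `analyst` in until schema-level grants are added.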