GRANT ROLE

Grants a role to a user, group, or service principal. Idempotent: re-granting an existing assignment succeeds without error.

Category: security
Privilege: ManageRoles
DeltaForge extension

Syntax

GRANT ROLE <role_name> TO [USER | GROUP | SERVICE PRINCIPAL] <grantee>

Description

## Overview

GRANT ROLE assigns a role to a principal. The principal then gains every privilege accumulated on the role (and on any role the role inherits from).

## Behavior

- Both the role and the grantee must already exist; the Control Plane rejects grants targeting unknown principals.
- The grant is idempotent: re-granting an existing assignment succeeds with no error.
- Group grants take effect for every member of the group. Adding a user to a group via ALTER GROUP ADD USER immediately picks up the role's privileges; removing the user reverses that.
- Inheritance is honored at evaluation time. Granting role A to a principal also gives them every privilege held by every ancestor of A.

## Access Control

Requires the `ManageRoles` privilege.

## Compatibility

DeltaForge extension.

Parameters

| Name | Type | Description |
|---|---|---|
| role_name | | Specifies the role to grant. Must already exist. |
| grantee_type | | Specifies the grantee kind. Valid values: `USER`, `GROUP`, `SERVICE PRINCIPAL`. Defaults to `USER` when omitted. `SERVICE_PRINCIPAL` (with underscore) is also accepted. |
| grantee | | Specifies the principal name. Must already exist as the indicated kind. |

Examples

-- Grant to a user (USER is the default)
GRANT ROLE analyst TO bob;
-- Grant to a user explicitly
GRANT ROLE analyst TO USER bob;
-- Grant to a group
GRANT ROLE data_engineer TO GROUP platform_team;
-- Grant to a service principal
GRANT ROLE pipeline_runner TO SERVICE PRINCIPAL etl_runner;
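
For an access review, the evaluation rules in the Description (idempotent grants, group membership, inheritance) can be modelled to see what a single grant actually confers. This is an added example, not DeltaForge code; the role hierarchy, the `reader` role, the user `alice` and the `priv_*` privilege names are constructed assumptions.

```python
# Minimal model of the documented evaluation rules; not DeltaForge's implementation.
# The hierarchy, "reader", "alice" and the priv_* names are constructed for illustration.

class RoleModel:
    def __init__(self):
        self.parents = {}      # role -> roles it inherits from
        self.privileges = {}   # role -> privileges granted directly on it
        self.grants = set()    # (grantee_type, grantee, role)
        self.members = {}      # group -> set of users

    def add_role(self, role, privileges=(), inherits=()):
        self.privileges[role] = set(privileges)
        self.parents[role] = set(inherits)

    def grant_role(self, role, grantee, grantee_type="USER"):
        # Unknown roles are rejected; the grantee-existence check is omitted here.
        if role not in self.privileges:
            raise ValueError(f"unknown role: {role}")
        before = len(self.grants)
        self.grants.add((grantee_type, grantee, role))
        return len(self.grants) > before   # False on an idempotent re-grant

    def role_closure(self, role):
        # The role plus every ancestor, resolved at evaluation time.
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.parents.get(r, ()))
        return seen

    def effective_privileges(self, user):
        groups = {g for g, m in self.members.items() if user in m}
        roles = set()
        for gtype, grantee, role in self.grants:
            if (gtype == "USER" and grantee == user) or (gtype == "GROUP" and grantee in groups):
                roles |= self.role_closure(role)
        return set().union(*(self.privileges.get(r, set()) for r in roles))

def demo():
    m = RoleModel()
    m.add_role("reader", {"priv_read"})
    m.add_role("analyst", {"priv_view"}, inherits={"reader"})
    m.add_role("data_engineer", {"priv_write"}, inherits={"analyst"})
    m.members["platform_team"] = {"alice"}
    first = m.grant_role("data_engineer", "platform_team", "GROUP")
    again = m.grant_role("data_engineer", "platform_team", "GROUP")
    alice = m.effective_privileges("alice")
    m.members["platform_team"].discard("alice")   # models removal from the group
    return first, again, alice, m.effective_privileges("alice")
```

`demo()` shows one group grant of `data_engineer` giving a member the privileges of all three roles in the chain, and removal from the group taking them all away.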

Pitfalls

See Also
