
Permissions for Snowflake listings and shares (Private Preview)


This reference covers the privileges the Atlan service account needs to discover Snowflake listings and shares, what each privilege enables, and how to grant it.

For standard Snowflake connector permissions, see Set up Snowflake.

Why these are separate from standard connector permissions

Listings and shares are account-level objects. Snowflake only returns the listings and shares that the querying role is privileged to see, so the grants you use to crawl databases, schemas, and tables don't automatically expose them. A role that crawls assets correctly can still see zero listings and shares until the grants below are added. Roles with broad access (for example ACCOUNTADMIN, or a user whose secondary roles already include these privileges) may see them without any extra grants, which can mask the requirement during testing.

When these permissions apply

Atlan discovers listings and shares using the Information Schema:

  • Listings are read from INFORMATION_SCHEMA.LISTINGS.
  • Shares are read from INFORMATION_SCHEMA.SHARES.

Why the Information Schema, not Account Usage

Account Usage only shows objects your own account owns, so it misses inbound shares and can lag by up to 3 hours. The Information Schema shows both inbound and outbound shares, in real time. That's why Atlan always reads listings and shares from the Information Schema, even if your connection uses the account usage method for everything else.

This is controlled by the Enable listings and shares option on the connection, which is on by default. The grants below apply to the role configured on the Snowflake connection (referred to here as atlan_user_role).

These permissions are additive. Grant them in addition to the standard connector permissions.

Permissions for shares

A Snowflake share is either inbound (shared with your account by a provider) or outbound (a share your account creates to provide data to others). Both appear in INFORMATION_SCHEMA.SHARES, but they require different privileges.

Inbound shares

These are shares your account consumes from a provider.

| Privilege | Scope | What it enables |
| --- | --- | --- |
| IMPORT SHARE | Account | Lets the role see inbound shares in INFORMATION_SCHEMA.SHARES. Without it, inbound shares aren't returned and none are cataloged. |
| IMPORTED PRIVILEGES | Each database imported through a share | Lets Atlan crawl the database created from an inbound share and build its object-level lineage. Without it, the imported database isn't ingested into Atlan. If the imported database already appears in your catalog, this grant is likely already in place. |

USE ROLE ACCOUNTADMIN;
GRANT IMPORT SHARE ON ACCOUNT TO ROLE atlan_user_role;

For each database imported through an inbound share that you want cataloged, replace <shared-database-name> with the imported database name:

USE ROLE ACCOUNTADMIN;
GRANT IMPORTED PRIVILEGES ON DATABASE "<shared-database-name>" TO ROLE atlan_user_role;

Snowflake blocks SHOW GRANTS TO SHARE on inbound shares, so Atlan derives the objects in an inbound share from the imported database. No grant beyond IMPORTED PRIVILEGES is needed for object-level detail on inbound shares.
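
When many imported databases need the grant, the statements above can be generated from a reviewed list of names instead of being edited by hand. The following is an added example, not part of the original reference or of Atlan's tooling: the function names and sample database names are assumptions, and the control-character and 255-character checks are a conservative choice. Because the page's statement double-quotes the database name, each name must be given in the exact case Snowflake stores it in.

```python
import re

ROLE = "atlan_user_role"  # connection role name used in this reference

_UNQUOTED = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")


def quote_ident(name: str) -> str:
    """Return name as a double-quoted Snowflake identifier.

    Embedded double quotes are doubled, so a name cannot close the
    identifier early and append SQL of its own.
    """
    if not name or len(name) > 255 or any(ord(c) < 32 for c in name):
        raise ValueError(f"not a usable database name: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def inbound_share_grants(databases, role=ROLE):
    """Build the inbound-share grants for the listed imported databases."""
    if not _UNQUOTED.fullmatch(role):
        raise ValueError(f"role must be a plain unquoted identifier: {role!r}")
    stmts = [
        "USE ROLE ACCOUNTADMIN;",
        f"GRANT IMPORT SHARE ON ACCOUNT TO ROLE {role};",
    ]
    seen = set()
    for db in databases:
        ident = quote_ident(db)
        if ident in seen:  # one grant per database, even if listed twice
            continue
        seen.add(ident)
        stmts.append(
            f"GRANT IMPORTED PRIVILEGES ON DATABASE {ident} TO ROLE {role};"
        )
    return stmts


if __name__ == "__main__":
    # Constructed sample names, not taken from any real account.
    sample = ["WEATHER_DATA", 'Sales "EU"', "WEATHER_DATA"]
    print("\n".join(inbound_share_grants(sample)))
```

Review the generated statements before running them, and list only the imported databases you want cataloged.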

Outbound shares

These are shares your account creates to provide data to other accounts.

To catalog an outbound share and the objects it contains, Atlan runs SHOW GRANTS TO SHARE, which Snowflake restricts to the share owner or ACCOUNTADMIN.

  • If the connection role owns the outbound shares, or is ACCOUNTADMIN, the shares and their object-level contents are cataloged.
  • If the connection role is neither, outbound shares may still be listed, but their object-level contents aren't populated.

There is no equivalent of IMPORT SHARE that exposes another role's outbound shares. To catalog outbound shares fully, run the connector with a role that owns them, or with ACCOUNTADMIN.

Permissions for listings

Listings require a usage grant on each listing. This grant can't be applied with SQL. Running the grant usage statement fails, so you must grant it from the Snowsight UI, per listing.

For each listing you want cataloged:

  1. In Snowsight, open the listing.
  2. Open the Settings panel.
  3. Under Privileges, next to View Listing, select the edit icon.
  4. Add atlan_user_role to View Listing.

Without this grant, the listing isn't returned in INFORMATION_SCHEMA.LISTINGS and isn't cataloged.

How Atlan behaves when permissions are missing

Listings and shares are treated as additive metadata, so missing permissions never block a crawl:

  • The listings and shares preflight check is a soft check. It warns when the views aren't accessible but doesn't fail the connection test.
  • If the role can't see listings or shares, those steps are skipped with a warning and the rest of the crawl completes normally.

If listings and shares don't appear in Atlan after a crawl, confirm the grants in this reference and re-run the crawl.
