I'm trying to assign a masking policy to tag in snowflake but I'm having trouble with required privilege or object missing depending on the role I'm using.
How I proceed :
use database DATABASE;
use schema SCHEMA;
--CREATE TAG
create or replace tag sensitive_values;
--CREATE MASKING POLICY
create or replace masking policy values_mask as (val int) returns int ->
case
when current_role() in ('SYSADMIN') then val
else null
end;
--ASSOCIATE MASKING POILCY AND TAG
alter tag DATABASE.SCHEMA.sensitive_values set masking policy values_mask;
When I'm using the role SECURITYADMIN I have this error: SQL compilation error: Database 'DATABASE' does not exist or not authorized.
When I'm using the role SYSADMIN I have this error : SQL access control error: Insufficient privileges to operate on tag 'SENSITIVE_VALUES'
What am I missing ?
As suggested by @TomMeacham, I have create a specific role to manage my tag:
--CREATE ROLE
use role securityadmin;
create role tag_admin comment = "Admin role manage tag";
GRANT USAGE ON DATABASE DATABASE_NAME TO ROLE tag_admin;
GRANT USAGE ON SCHEMA DATABASE_NAME.SCHEMA_NAME TO ROLE tag_admin;
grant create masking policy on schema DATABASE_NAME.SCHEMA_NAME to role tag_admin;
grant create tag on schema DATABASE_NAME.SCHEMA_NAME to role tag_admin;
use role accountadmin;
grant apply tag on account to tag_admin;
grant apply masking policy on account to role tag_admin;
GRANT ROLE tag_admin TO USER USER_NAME;
--ASSIGN TAG TO MASKING POLICY
use role tag_admin;
use database DATABASE_NAME;
use schema SCHEMA_NAME;
alter tag DATABASE_NAME.SCHEMA_NAME.sensitive_values set masking policy values_mask;
Now the tag is assign to the masking policy.