Part of the “Mastering dbt” series. Access to the full Study Guide. Let’s connect on LinkedIn!
Notes from the Grants documentation.
Grants can be defined for models, seeds, and snapshots to manage access to the datasets at build time. For resources with this config, dbt will run any grant or revoke statements when you run it. The grants will also be included in the JSON manifest.
Grants are usually defined in YAML files as a resource config. However, in specific cases, they might need to be defined in manual statements written in hooks:
Apply grants to objects other than views and tables.
More granular access permissions (row or column level, for instance)
Apply them with advanced capabilities not offered out-of-the-box by dbt or that are adapter-specific.
Configuring grants
Like other configs, grants can be declared in dbt_project.yml, in a properties file, or in the resource itself.
The grants config also follows the config inheritance pattern of other configs: the more specific config takes precedence.
However, an exclusive feature of this config is the “add and merge” behaviour. Say you have a group of models that has a grant configuration at properties.yml level, but you need a particular model to have additional users. Here’s how you can achieve this:
Conditional grants
Like any other config, you can use Jinja for more specific configurations. In the example below, the user access depends on the environment:
Revoking grants
If you need to completely remove the access previously granted, deleting the grants configuration won’t do it. You need to give it an empty list, instead:
