# Lab 2: Identity and Access

👉 In this lesson, we'll learn how to create databases using Snowsight (Snowflake's web UI) and administer access to objects such as databases, schemas, and tables.

To begin, let's grab **context information** we will use throughout this lab. 

- Click the **Start** button to activate this notebook.

- Run the following Python cell.

#### :warning: Each time a new session is started for this notebook, you need to rerun the cell below to configure "variables" for use in later cells. :warning:

In [None]:
import streamlit as st
from snowflake.snowpark.context import get_active_session
session = get_active_session()
user = session.get_current_user().strip('"')
your_db = user + '_DB'
print('Your current CONTEXT information:')
print('---------------------------------')
print(session)
print('Your current USER is ' + user)

## Create a New Database 📓

In this lab you will use the Snowsight interface to create a new database. We have listed the steps below, but first, please read through these notes and tips.

- You will need to make sure to use the `(animal)_CREATE_DB_RL` role
    - This role has been pre-created by the Education Services team.
    - It is not a built-in system role.
    - A minimal set of privileges have been granted to it - enough for the following lab exercises.

Name the database according to the animal username you have been assigned for this class. Run the Python code block in the cell below to confirm this.
- You don't have to understand what this is doing for now. Just go ahead, run the code, and note the output.

In [None]:
print('Use this name for your new database: ' + your_db)

### Open the Database page in a new browser tab or window. 🥋

Open the Snowsight Object Browser in a new browser tab or window.

1. Hover over the **Databases** icon to the left of your Notebook.

1. Right-click on the **Databases** link that appears in the dialog that appears and select your preferred target - a new tab or a new window.

1. Taking this action means we leave this Snowflake Notebook page uninterrupted and can switch back to its instructions easily.

![Open Databases page (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_open_databases_page_1.png)

### Create the new database. 🥋

1. Ensure you are set to `(animal)_CREATE_DB_RL` in the role selector, bottom left (where **animal** is your assigned username).

1. Click the blue **+ Database** button, top right.

1. Enter the name for your database in the **Name** field in the dialog box (leave Comment empty). Use the name provided a few cells above this one.

1. Click the **Create** button.

![Create Databases path (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_create_database_dialog_1.png)

### Review the new database in the Object Browser.

1. :eyes: :point_right: Your new database should appear under the Object Browser and as a line item under the Databases listing page to the right of the middle column.

![Databases listing page (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_databases_listing_page_1.png)

### Run code to confirm the database has been created. 🥋

We can **also** run SQL commands to confirm that your database object has been created. Try out the `SHOW` command. This is useful for viewing general information about objects in your Snowflake environment.

:flashlight:  We saved the name of your database in a Python variable earlier. We can use this in cells in our notebook by referencing it inside two sets of squiggly brackets {{}}. Snowflake will replace this placeholder with the saved value before running the command in the cell. 

💡 **Hint:** Note that we use code to explicitly set our context in the following SQL cell to use the role `(animal)_CREATE_DB_RL`. Snowflake Notebooks do not automatically inherit the role from the Snowsight window in which they are running. Instead, they operate independently, each maintaining its own Snowflake session.

In [None]:
USE ROLE {{user}}_create_db_rl;
SHOW DATABASES LIKE '%{{your_db}}%';

### Switch your role to `(animal)_LEARNER_RL`. 🥋

1. Using the **Databases** page you opened in a new window or tab, locate the role selector in the bottom-left of the Snowsight interface.

1. Change the currently selected role from `(animal)_CREATE_DB_RL` to `(animal)_LEARNER_RL`.

You may need to refresh the Object Browser (circular arrow at top) or even the web browser tab to see the role change effects.

:eyes: :point_right:  Your new database should **DISAPPEAR** from view in the Object Browser and Database listing panes.

![Databases listing page 2 (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_databases_listing_page_2.png)

## Explore Your Database 🥋

### Switch your role back to `(animal)_CREATE_DB_RL`

1. Locate the role selector in the bottom-left of the Snowsight interface.

1. Change the currently selected role from `(animal)_LEARNER_RL` to `(animal)_CREATE_DB_RL`.

You may need to refresh the Object Browser (circular arrow at top) or even the web browser tab to see the role change effects.

:eyes: :point_right: Your new database should **REAPPEAR** in the Object Browser and Database listing panes.

![Databases listing page (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_databases_listing_page_1.png)


### Explore the Database You Created 🥋

1. Using the Database page shown above, click on your new database name in the middle column.

1. :eyes: :point_right: A list of schemas for your new database unfolds, and related information for both **Database Details** and **Schemas** can be accessed in the right panel.

1. Note also that when we select a database in the Object Browser, a blue `+ Schema` schema-creation button appears at the top right.

![Databases listing page 3(image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_databases_listing_page_3.png)

### Run code to display additional information about the new database created.

In addition to the `SHOW` command we tried earlier, we can run a `DESCRIBE` command against the new database to get a readout on the schemas it contains. Try this with the following:

In [None]:
-- This will provide you with a list of schemas (automatically created for you!) inside your new database.
DESCRIBE DATABASE {{your_db}};

## Databases and Schemas. 📓

Databases group datasets (tables and other objects) together. A second-level organizational grouping within a database is called a **schema**. Every time you create a database, Snowflake will **automatically** create two schemas for you.

1. The `INFORMATION_SCHEMA` schema holds a collection of views. The `INFORMATION_SCHEMA` schema cannot be deleted (dropped), renamed, or moved.

1. The `PUBLIC` schema is created empty, and you can populate it with tables, views, and other objects over time. The `PUBLIC` schema can be dropped, renamed, or moved anytime.  

## Transfer Ownership of Your Database and Schema to the Role `(animal)_LEARNER_RL`. 🥋

In this exercise, we will transfer the `PUBLIC` schema in your new database, and then the database itself, to the ownership of the role `(animal)_LEARNER_RL.` The schema is an object **contained** within a database, so this will be transferred first, then the "outer" object - the database.

Once again, we will use the Database page to complete this work.

### Transfer ownership of the `PUBLIC` schema.

1. Double-check that you have confirmed `(animal)_CREATE_DB_RL` in the role selector, bottom-left.

1. Select your new database name.

1. Then select the `PUBLIC` schema name in the Object Browser (middle column - highlighted in blue in the following image).

1. Click on the ellipsis (three dots) next to the blue **+ Create** button at the top right of the Snowsight interface.

1. A drop-down menu appears - select the **Transfer Ownership** option.

![Databases listing page 3(image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_transfer_schema_ownership_1.png)

1. Click the dropdown arrow for the **Transfer to** selectbox.

1. You can use the **Search** option to find the role from the list - choose `(animal)_LEARNER_RL`.

1. Then click the blue **Transfer** button.

:eyes: :point_right: You should see a message saying _"Ownership successfully transferred"_ for your schema.

![Transfer ownership dialog (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_transfer_dialog_1.png)

### Transfer ownership of the database. 🥋

Utilizing a similar workflow, we can also transfer ownership of the new database to the `(animal)_LEARNER_RL` role from the Database page.

1. Double-check that you have confirmed (animal)_CREATE_DB_RL in the role selector, bottom-left.

1. Select the name of your new database in the middle column of the Object Browser (highlighted in blue in the following image).

1. Click on the ellipis (three dots) next to the blue `+ Schema` top right of the Snowsight interface.

A dropdown menu appears - select the **Transfer Ownership** option.

![Transfer database ownership (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_transfer_db_ownership_1.png)

1. Click the dropdown arrow for the **Transfer to** selectbox.

1. You can use the **Search** option to find the role from the list - choose `(animal)_LEARNER_RL`.

1. Then click the blue **Transfer** button.

:eyes: :point_right: You should see a message saying _"Ownership successfully transferred"_ for your database.

### Switch Your Role Back to `(animal)_LEARNER_RL` 🥋

1. Locate the role selector in the bottom-left of the Snowsight interface.

1. Change the currently selected role from `(animal)_CREATE_DB_RL` to `(animal)_LEARNER_RL`.

You may need to refresh the browser tab to ensure the role change has taken effect. 

:eyes: :point_right: Your new database and its `PUBLIC` schema should **APPEAR** in the Object Browser and Database listing panes. It will no longer be visible to the `(animal)_CREATE_DB_RL`.

![Databases listing page 4 (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_databases_listing_page_4.png)

## How Does Changing Your Role Affect What Databases You Can See? 📓 

When you change your role...you change what you can **SEE** and **DO** with databases, schemas, tables, views, and more! This is easily observable when navigating about using the Snowsight interface.

### Try it out. 🥋

1. Select `(animal)_LEARNER_RL` using the role selector (bottom-left in Snowsight).

1. View the list of Databases.

1. Change your role to `(animal)_CREATE_DB_RL`.

1. Notice that for some roles, not all databases are visible. How many databases can this role see now?

**NOTE**: When using Snowflake, something might seem to disappear often. You may see a **" Does Not Exist error"** when you know the item has been created. In those instances, you should begin by checking your role!!

## Challenge Exercise 🎯 

This is a Challenge Exercise! Challenge Exercises differ from others because we don't give you step-by-step instructions. Instead, we give you the end goal and expect you to complete the work with the skills you learned in earlier labs. Challenge Exercises are required. 

Good Luck!

---

### Create a New Database 🎯 

Create a new database and name it **(animal)_**`UTIL_DB`. This database and the `PUBLIC` schema should be owned by `(animal)_LEARNER_RL`. Run the Python code in the cell below to confirm what you should name this new database.

**HINT**: If you set your role to `(animal)_LEARNER_RL` before you create the database, it will automatically be owned by this role. You won't have to do any transfers of ownership. 

If you forget to set your role to `(animal)_LEARNER_RL` before creating the database, you will need to transfer ownership to it. 

In [None]:
your_util_db = user + '_UTIL_DB'
print('Use this name for your new database: ' + your_util_db)

### Check your work. 🎯 

There should be three named databases (prefixed with your unique animal username) accessible from by `(animal)_LEARNER_RL`:

- (animal)**_DB**

- (animal)**RESOURCES_DB**

- (animal)**_UTIL_DB**

You can review the listings in the Databases page in Snowsight, as we have done previously, or we could run a SQL query to confirm. Try it out in the following cell:

In [None]:
USE ROLE {{user}}_learner_rl;
SHOW databases like '{{user}}%';

### Challenge exercise review.

- What databases do you see? 

- Are your two newly created databases listed?

If not, review the earlier steps in this lesson and see if you can correct the issue.

When you have confirmed your databases, the task is complete, and you can proceed.

## Challenge Exercise 🎯 

In Snowflake, roles don't need to own objects to view or interact with them. Permission to perform certain actions with objects can also be delegated to roles using the `GRANT` command. The Snowsight interface provides options to perform actions to change access to objects. 

Take a look at the following Snowsight screen. The following explanation will help you understand how to perform these steps yourself shortly.

- Selecting a schema in the Object Browser reveals the Schema details panel to the right.

- Note the `+ Privilege` button - click this to launch the **Grant new privileges on** dialog.

- The **Role** dropdown is the name of the role you would like to give (grant) permissions on the schema to. When you click into this, a **Search roles** option appears - use this to locate your role.

- The **Privileges** dropdown contains a list of Snowflake permissions across a wide range of objects.

- **USAGE** provides basic access to view and interact with a schema.

![Grant privileges (image)](https://edu-cdev-images.s3.us-west-2.amazonaws.com/ob/ob_grant_privileges_1.png)

Use Your knowledge to perform the following actions:

### Grant `USAGE` on a schema to a role.

- Work as the `(animal)_LEARNER_RL`.
- Use Snowsight to grant `USAGE` on the schema **(animal)_DB.PUBLIC**.
- Grant this to the role `(animal)_CREATE_DB_RL`.

### Grant `USAGE` on a database to a role.

- Work as the `(animal)_LEARNER_RL`. 
- Use Snowsight to grant `USAGE` on the database **(animal)_DB**. 
- Grant this to the role `(animal)_CREATE_DB_RL`.

### Challenge exercise review.

- When working as the role `(animal)_CREATE_DB_RL`, can you see both the **(animal)_DB** database and its **PUBLIC** schema in the Snowsight Object Browser?

If not, then review the earlier steps in this lesson and see if you can correct the issue.

When you have confirmed, the task is complete, and you can proceed.

## Test Your Knowledge. 🔎

Run the following Python cell to present a Streamlit-driven widget and answer the questions about Snowflake features and functionality. You don't have to understand what this is doing for now. Just go ahead and run the code.

You need to answer these questions correctly to proceed to the next section.

In [None]:
question = "Based on your work in this lab which of the following statements seem true about database ownership?"
options = ["Pick selection below...",
           "A) SYSADMIN owns most of the databases", 
           "B) SECURITYADMIN owns most of the databases", 
           "C) Ownership of a database initially resides with the role that creates it", 
           "D) We cannot transfer ownership of a database to a different role after it has been created"]

st.divider()
user_answer = st.radio(question, options, index=0)
if user_answer:
    if user_answer == "Pick selection below...":
        ''
    else:
        answer = '8f8f9ab7ecc9134b245a2368e80d08d3'
        response = session.sql(f"call common_db.resources.quiz_temp('{answer}', '{user_answer}', 'False')").collect()
        if response:
            value = response[0]['QUIZ_TEMP']
        st.write(value)

In [None]:
question = "If you know a database exists but suddenly cannot see it, or you get an error message that says it doesn't exist, what should you check first?"
options = ["Pick selection below...",
           "A) Your current USER name", 
           "B) Your default ROLE", 
           "C) Your current ACCOUNT", 
           "D) Your current ROLE"]

st.divider()
user_answer = st.radio(question, options, index=0)
if user_answer:
    if user_answer == "Pick selection below...":
        ''
    else:
        answer = '14d34f7989d4ba5d82a939acf9ad62d0'
        response = session.sql(f"call common_db.resources.quiz_temp('{answer}', '{user_answer}', 'False')").collect()
        if response:
            value = response[0]['QUIZ_TEMP']
        st.write(value)

## Next Steps

If you have completed the lab steps and answered the **Knowledge Test** questions correctly, please proceed to the next Notebook when advised by your Snowflake instructor.