Add grant_schema_procedure_usage macros for managing procedure usage privileges

Author: jonhopper-dataengineers

CHANGELOG.md

@@ -1,6 +1,10 @@
 # Data Engineers Snowflake DataOps Utils Project Changelog
 This file contains the changelog for the Data Engineers Snowflake DataOps Utils project, detailing updates, fixes, and enhancements made to the project over time.
 
+## v0.3.9 2024-06-10 - Grant Object For Procedures
+
+* added macro `grant_procedure_usage` to enable the ability to grant usage of a stored procedure to a role
+
 ## v0.3.8.5 2025-08-25 - Grant Usage to Application
 
 * added grant usage to application for `sp_sync_` in the `grant_privileges` macro

README.md

@@ -61,6 +61,8 @@ Below is a catalogue of publicly supported macros grouped by domain. Internal he
 - `grant_schema_operate`
 - `grant_schema_operate_specific`
 - `grant_schema_ownership`
+- `grant_schema_procedure_usage`
+- `grant_schema_procedure_usage_specific`
 - `grant_schema_read`
 - `grant_schema_read_specific`
 - `grant_share_read`
@@ -160,6 +162,7 @@ High-level macro intent summary:
 - `grant_schema_read*`: Ensures read usage, SELECT/REFERENCE privileges, optional future grants.
 - `grant_schema_monitor*`: Grants MONITOR on tasks/pipes + schema usage.
 - `grant_schema_operate*`: Grants OPERATE on tasks/pipes + schema usage.
+- `grant_schema_procedure_usage*`: Grants USAGE on all procedures + schema usage, with future grants.
 - `grant_share_read*`: Manages secure view exposure to outbound shares (revokes unmanaged, grants managed).
 - `grant_object`: Reconciles privilege sets on specific objects (TABLE/VIEW/PROCEDURE/FUNCTION/etc).
 - `grant_privileges`: Environment-aware bundle orchestrator.

macros/grants/grant_procedure_usage.sql

@@ -0,0 +1,128 @@
+{% macro grant_schema_procedure_usage(exclude_schemas, grant_roles) %}
+    {% if flags.WHICH not in ['run','run-operation'] %}{% do log('grant_schema_procedure_usage: skip (context)', info=True) %}{% do return(none) %}{% endif %}
+    {% set dry_run = var('grants_dry_run', false) %}
+    {% if 'INFORMATION_SCHEMA' not in exclude_schemas %}{% do exclude_schemas.append('INFORMATION_SCHEMA') %}{% endif %}
+    {% set include_schemas = dbt_dataengineers_utils._grants_collect_schemas(exclude_schemas) %}
+    {% if include_schemas | length == 0 %}{% do log('grant_schema_procedure_usage: no schemas to process', info=True) %}{% do return(none) %}{% endif %}
+    {% do log('grant_schema_procedure_usage: processing ' ~ (include_schemas | length) ~ ' schemas for roles: ' ~ (grant_roles | join(', ')), info=True) %}
+    {% do dbt_dataengineers_utils.grant_schema_procedure_usage_specific(include_schemas, grant_roles, true, dry_run) %}
+{% endmacro %}
+
+{% macro grant_schema_procedure_usage_specific(schemas, grant_roles, revoke_current_grants, dry_run) %}
+    {% if flags.WHICH not in ['run','run-operation'] %}{% do return(none) %}{% endif %}
+    {% if schemas | length == 0 or grant_roles | length == 0 %}{% do log('grant_schema_procedure_usage_specific: nothing to do', info=True) %}{% do return(none) %}{% endif %}
+    {% set total_revokes = 0 %}
+    {% set total_grants = 0 %}
+    {% for schema in schemas %}
+        {% set existing_roles = [] %}
+
+        {# Get list of procedures in the schema using the pattern provided #}
+        {% set proc_query %}
+            show procedures in schema {{ target.database }}.{{ schema }}
+            ->>
+            select
+                "name" as object_name,
+                "schema_name" as routine_schema,
+                SUBSTR(
+                    "arguments",
+                    POSITION('(' IN "arguments") + 1,
+                    POSITION(')' IN "arguments") - POSITION('(' IN "arguments") - 1
+                ) AS arguments,
+                concat("name", '(',
+                    SUBSTR(
+                        "arguments",
+                        POSITION('(' IN "arguments") + 1,
+                        POSITION(')' IN "arguments") - POSITION('(' IN "arguments") - 1
+                    ),
+                ')') as routine_name
+            from $1
+            where "is_builtin" = 'N'
+        {% endset %}
+
+        {# First run show procedures to populate result_scan #}
+        {% set show_proc_stmt = 'show procedures in schema ' ~ target.database ~ '.' ~ schema %}
+        {% set _ = run_query(show_proc_stmt) %}
+
+        {# Now get the formatted procedure list #}
+        {% set proc_results = run_query(proc_query) %}
+        {% set procedures = [] %}
+
+        {% if execute and proc_results %}
+            {% for row in proc_results %}
+                {% set full_proc_name = row.routine_name %}
+                {% do procedures.append(full_proc_name) %}
+            {% endfor %}
+        {% endif %}
+
+        {% if procedures | length == 0 %}
+            {% do log('grant_schema_procedure_usage_specific: no procedures found in schema ' ~ schema, info=True) %}
+        {% else %}
+            {% do log('grant_schema_procedure_usage_specific: found ' ~ (procedures | length) ~ ' procedures in schema ' ~ schema, info=True) %}
+
+            {# Check existing grants for each procedure #}
+            {% for procedure in procedures %}
+                {% set grant_query %}
+                    show grants on procedure {{ target.database }}.{{ schema }}.{{ procedure }}
+                {% endset %}
+                {% set grant_results = run_query(grant_query) %}
+
+                {% if execute and grant_results %}
+                    {% for row in grant_results %}
+                        {% set priv = row.privilege %}{% set grantee = row.grantee_name %}
+                        {% if priv == 'USAGE' %}
+                            {% if grantee not in grant_roles %}
+                                {% if revoke_current_grants %}
+                                    {% set stmt = 'revoke usage on procedure ' ~ target.database ~ '.' ~ schema ~ '.' ~ procedure ~ ' from role ' ~ grantee ~ ';' %}
+                                    {% do log(stmt, info=True) %}
+                                    {% if not dry_run %}{% set _ = run_query(stmt) %}{% endif %}
+                                    {% set total_revokes = total_revokes + 1 %}
+                                {% endif %}
+                            {% else %}
+                                {% if grantee not in existing_roles %}
+                                    {% do existing_roles.append(grantee) %}
+                                {% endif %}
+                            {% endif %}
+                        {% endif %}
+                    {% endfor %}
+                {% endif %}
+            {% endfor %}
+
+            {# Grant schema usage first #}
+            {% for role in grant_roles %}
+                {% set schema_stmt = 'grant usage on schema ' ~ target.database ~ '.' ~ schema ~ ' to role ' ~ role ~ ';' %}
+                {% do log(schema_stmt, info=True) %}
+                {% if not dry_run %}{% set _ = run_query(schema_stmt) %}{% endif %}
+                {% set total_grants = total_grants + 1 %}
+            {% endfor %}
+
+            {# Grant procedure usage #}
+            {% for role in grant_roles %}
+                {% set needs_grant = true %}
+                {# Check if role already has USAGE on any procedure in this schema #}
+                {% for procedure in procedures %}
+                    {% set grant_query %}
+                        show grants on procedure {{ target.database }}.{{ schema }}.{{ procedure }}
+                    {% endset %}
+                    {% set grant_results = run_query(grant_query) %}
+                    {% if execute and grant_results %}
+                        {% for row in grant_results %}
+                            {% if row.privilege == 'USAGE' and row.grantee_name == role %}
+                                {% set needs_grant = false %}
+                                {% break %}
+                            {% endif %}
+                        {% endfor %}
+                    {% endif %}
+                    {% if not needs_grant %}{% break %}{% endif %}
+                {% endfor %}
+
+                {% if needs_grant %}
+                    {% set stmt = 'grant usage on all procedures in schema ' ~ target.database ~ '.' ~ schema ~ ' to role ' ~ role ~ ';' %}
+                    {% do log(stmt, info=True) %}
+                    {% if not dry_run %}{% set _ = run_query(stmt) %}{% endif %}
+                    {% set total_grants = total_grants + 1 %}
+                {% endif %}
+            {% endfor %}
+        {% endif %}
+    {% endfor %}
+    {% do log('grant_schema_procedure_usage_specific summary: ' ~ total_revokes ~ ' revokes, ' ~ total_grants ~ ' grants (dry_run=' ~ dry_run ~ ')', info=True) %}
+{% endmacro %}

macros/grants/grants.yml

@@ -269,3 +269,33 @@ macros:
       - name: sample_schema
         type: string
         description: Schema to scope sample grant operations to
+
+  - name: grant_schema_procedure_usage
+    description: Grant USAGE privilege on all procedures in all schemas to specified roles.
+    docs:
+      show: true
+    arguments:
+      - name: exclude_schemas
+        type: List[string]
+        description: List of schemas to exclude from procedure grants
+      - name: grant_roles
+        type: List[string]
+        description: List of roles to grant procedure usage to
+
+  - name: grant_schema_procedure_usage_specific
+    description: Grant USAGE privilege on all procedures in specific schemas to specified roles.
+    docs:
+      show: true
+    arguments:
+      - name: schemas
+        type: List[string]
+        description: List of schemas to include for procedure grants
+      - name: grant_roles
+        type: List[string]
+        description: List of roles to grant procedure usage to
+      - name: revoke_current_grants
+        type: boolean
+        description: Whether to revoke existing grants from roles not in grant_roles
+      - name: dry_run
+        type: boolean
+        description: Whether to run in dry-run mode (log statements without executing)

packages.yml

@@ -1,3 +1,3 @@
 packages:
   - package: dbt-labs/dbt_utils
-    version: "1.3.0"
+    version: "1.3.1"