* added macro grant_internal_share_read to apply select permissions on all tables and views

* added macro `create_internal_share` which will create a share which allows unsecured objects and grant reference usages on downstream databases
* updated macro `has_matching_nodes` to cater for line breaks in the arguments being passed in
* updated version of `dbt_utils` to 1.3.3

Author: jonhopper-dataengineers

CHANGELOG.md

@@ -1,7 +1,18 @@
 # Data Engineers Snowflake DataOps Utils Project Changelog
 This file contains the changelog for the Data Engineers Snowflake DataOps Utils project, detailing updates, fixes, and enhancements made to the project over time.
 
-## v0.3.9 2024-06-10 - Grant Object For Procedures
+## v0.3.10 - 2026-02-10 - Grant Shares
+
+* added macro `grant_internal_share_read` to apply `select` permissions on all tables and views
+* added macro `create_internal_share` which will create a share which allows unsecured objects and grant reference usages on downstream databases
+* updated macro `has_matching_nodes` to cater for line breaks in the arguments being passed in
+* updated version of `dbt_utils` to 1.3.3
+
+## v0.3.9.1 2025-07-10 - Tag Doc Fix
+
+* fixed issue hwhen
+
+## v0.3.9 2025-06-10 - Grant Object For Procedures
 
 * added macro `grant_procedure_usage` to enable the ability to grant usage of a stored procedure to a role
 

README.md

@@ -54,6 +54,7 @@ Below is a catalogue of publicly supported macros grouped by domain. Internal he
 - `grant_integration_ownership`
 - `grant_database_usage`
 - `grant_integration_usage`
+- `grant_internal_share_read`
 - `grant_object`
 - `grant_privileges`
 - `grant_schema_monitor`
@@ -111,6 +112,11 @@ Below is a catalogue of publicly supported macros grouped by domain. Internal he
 - `ref` (enhanced include_database)
 - `source` (enhanced include_database)
 
+**shares**
+
+- `create_internal_share`
+- `create_share`
+
 **tags**
 
 - `apply_meta_as_tags`

macros/dynamic_tables/dynamic_tables.yml

@@ -2,20 +2,26 @@ version: 2
 
 macros:
   - name: target_lag_environment
-    description: Set the dynamic table target lag duration based on the active target (prod/test/other) to tune freshness vs cost.
+    description: |
+      Returns the lag duration for a dynamic table based on the current target environment.
+      Accepts durations for prod, test, and other environments, and returns the appropriate value.
     docs:
       show: true
     arguments:
       - name: duration_prod
-        type: number
-        description: specifies the lag duration for the production environment
+        type: any
+        description: Lag duration for the production environment
       - name: duration_test
-        type: number
-        description: specifies the lag duration for the test environment
+        type: any
+        description: Lag duration for the test environment
       - name: duration_other
-        type: number
-        description: specifies the lag duration for other environments
+        type: any
+        description: Lag duration for other environments
+
   - name: target_warehouse_environment
-    description: Select the warehouse to be used for dynamic tables based on target environment (e.g. smaller warehouse for dev/test).
+    description: |
+      Returns the warehouse name to be used for dynamic tables based on the current target environment.
+      Uses DEV_WH for local-dev, otherwise DATAOPS_WH.
     docs:
-      show: true
+      show: true
+    arguments: []

macros/grants/grant_internal_share_read.sql

@@ -0,0 +1,33 @@
+{% macro grant_internal_share_read(share_name, exclude_schemas=[]) %}
+  {% set database = target.database %}
+  {% set schemas = dbt_dataengineers_utils._grants_collect_schemas(exclude_schemas) %}
+  {% do log("Granting SELECT on all tables and views in all schemas for share: " ~ share_name, info=True) %}
+  {% for schema in schemas %}
+    {# Get all tables in the schema #}
+    {% set tables_query %}
+      show tables in schema {{ database }}.{{ schema }};
+    {% endset %}
+    {% set tables_result = run_query(tables_query) %}
+    {% if execute and tables_result is not none %}
+      {% for row in tables_result %}
+        {% set grant_table_sql %}
+          grant select on table {{ database }}.{{ schema }}.{{ row.name }} to share {{ share_name }};
+        {% endset %}
+        {% do run_query(grant_table_sql) %}
+      {% endfor %}
+    {% endif %}
+    {# Get all views in the schema #}
+    {% set views_query %}
+      show views in schema {{ database }}.{{ schema }};
+    {% endset %}
+    {% set views_result = run_query(views_query) %}
+    {% if execute and views_result is not none %}
+      {% for row in views_result %}
+        {% set grant_view_sql %}
+          grant select on view {{ database }}.{{ schema }}.{{ row.name }} to share {{ share_name }};
+        {% endset %}
+        {% do run_query(grant_view_sql) %}
+      {% endfor %}
+    {% endif %}
+  {% endfor %}
+{% endmacro %}

macros/grants/grants.yml

@@ -9,6 +9,18 @@ version: 2
 # - Set var('grants_dry_run', true) in a dbt invocation to log all statements without executing them for newly refactored macros
 
 macros:
+  - name: grant_internal_share_read
+    description: Grants SELECT on all tables and views in all schemas of the target database to the specified share. Executes grant statements for each table and view found.
+    docs:
+      show: true
+    arguments:
+      - name: share_name
+        type: string
+        description: Name of the share to grant SELECT privileges to
+      - name: exclude_schemas
+        type: List[string]
+        description: List of schemas to exclude from granting
+
   - name: grant_database_ownership
     description: This macro grants ownership privileges to the specified rolename on the database.
     docs:
@@ -61,16 +73,24 @@ macros:
 
 
   - name: grant_object
-    description: This macro grants specific object permissions to specific roles.
+    description: |
+      Grants specified privileges on objects (TABLE, VIEW, SCHEMA, etc.) to the provided roles.
+      Handles both granting and revoking privileges based on current state, logging a summary of actions taken.
     docs:
       show: true
     arguments:
       - name: object_type
         type: string
-        description: Type of the object eg- TABLE, VIEW, SCHEMA
+        description: Type of the object (e.g., TABLE, VIEW, SCHEMA)
       - name: objects
         type: List[string]
         description: List of objects to apply the permission to (format = schema.object)
+      - name: grant_types
+        type: List[string]
+        description: List of privilege types to grant (e.g., SELECT, REFERENCES)
+      - name: grant_roles
+        type: List[string]
+        description: List of roles to grant privileges to
 
   - name: grant_usage_to_application
     description: This macro grants usage privileges on specific objects to a specific application role.
@@ -115,7 +135,9 @@ macros:
         description: List of schemas to grant usage privileges on
 
   - name: grant_privileges
-    description: This macro is an example of how to grant privileges across environments based on targets
+    description: |
+      Grants a bundle of privileges across environments based on target context.
+      Calls multiple grant macros for database, schema, and role management, orchestrating environment-specific grants.
     docs:
       show: true
     arguments:
@@ -124,16 +146,18 @@ macros:
         description: List of schemas which are domain specific that should be exposed
 
   - name: grant_schema_monitor
-    description: This macro grants monitor privilege inside all schemas to the specified rolename.
+    description: |
+      Grants MONITOR privilege on all objects in all schemas to the specified roles, excluding any schemas listed.
+      Uses grant_schema_monitor_specific for per-schema operations and supports dry-run mode.
     docs:
       show: true
     arguments:
       - name: exclude_schemas
         type: List[string]
         description: List of schemas to exclude
       - name: grant_roles
-        type: "List[string]"
-        description: Name of the roles to apply eg- ['READERS_PROD', 'ANALYST', 'OPS_SUPPORT']
+        type: List[string]
+        description: List of roles to apply (e.g., ['READERS_PROD', 'ANALYST', 'OPS_SUPPORT'])
 
   - name: grant_schema_monitor_specific
     description: This macro grants monitor privilege inside specific schemas to the specified rolename.
@@ -226,7 +250,10 @@ macros:
         description: Specifies if to revoke current grants or not
 
   - name: grant_share_read
-    description: This macro grants monitor privilege inside specific schemas to the specified rolename.
+    description: |
+      Grants SELECT on specified views to the provided shares, and optionally revokes unmanaged grants.
+      Handles both granting and revoking privileges for views in schemas, based on the view_names and grant_shares arguments.
+      Uses grant_share_read_specific_schema for per-schema operations.
     docs:
       show: true
     arguments:
@@ -237,8 +264,8 @@ macros:
         type: List[string]
         description: List of shares to apply
       - name: revoke_current_grants
-        type: "boolean"
-        description: Revoke current grants on the schemas
+        type: boolean
+        description: Whether to revoke unmanaged grants before applying new ones
 
   - name: grant_share_read_specific_schema
     description: This macro grants select permissions to the specified view for the shares provided.

macros/shares/create_internal_share.sql

@@ -0,0 +1,17 @@
+{% macro create_internal_share(share_name, reference_databases, environments) %}
+    {% if flags.WHICH in ['run', 'run-operation'] %}
+        {% if execute %}
+            {% if target.name in environments %}
+                {% do log("Creating or Updating Share" ~ share_name, info=True) %}
+                {% set sql %}
+                    create share if not exists {{ share_name }} secure_objects_only=false;
+                    grant usage on database {{ target.database }} to share {{ share_name }};
+                    {% for reference_database in reference_databases %}
+                        grant reference_usage on database {{ reference_database }} to share {{ share_name }};
+                    {% endfor %}
+                {% endset %}
+                {% set results = run_query(sql) %}
+            {% endif %}
+        {% endif %}
+    {% endif %}
+{% endmacro %}

macros/shares/shares.yml

@@ -2,16 +2,35 @@ version: 2
 
 macros:
   - name: create_share
-    description: This macro grants creates a share and grants usage on the associated accounts
+    description: |
+      Creates or updates a Snowflake share and grants usage to specified accounts.
+      This macro is used to provision secure data sharing between Snowflake accounts.
+      It creates the share if it does not exist, and grants usage privileges to the target database and reference usage to additional databases for the listed accounts.
+      Only runs in specified environments.
     docs:
       show: true
     arguments:
       - name: share_name
         type: string
-        description: Name of the share to be created or updated
+        description: The name of the share to be created or updated.
       - name: accounts
-        description: List of accounts to grant usage on the share
         type: List[string]
+        description: List of Snowflake accounts to grant usage on the share.
       - name: environments
+        type: List[string]
+        description: List of environments in which the macro should run.
+
+  - name: create_internal_share
+    description: Creates or updates a Snowflake share, grants usage on the target database, and reference usage on additional databases. Only runs in specified environments.
+    docs:
+      show: true
+    arguments:
+      - name: share_name
         type: string
-        description: The environments to include the share
+        description: Name of the share to be created or updated
+      - name: reference_databases
+        type: List[string]
+        description: List of databases to grant reference usage to the share
+      - name: environments
+        type: List[string]
+        description: List of environments in which the macro should run

macros/tags/tags.yml

@@ -2,14 +2,55 @@ version: 2
 
 macros:
   - name: apply_meta_as_tags
-    description: Post-hook macro to apply selected model/column meta entries as Snowflake tags.
+    description: |
+      Post-hook macro to apply selected model/column meta entries as Snowflake tags.
+      Iterates over columns in a model and applies tags based on provided tag_names, using set_column_tag_value for each match.
     docs:
       show: true
+    arguments:
+      - name: tag_names
+        type: List[string]
+        description: List of tag names to apply to columns if present in meta
+
   - name: model_contains_tag_meta
-    description: check if the model contains a compatible meta entry for a tag.
+    description: |
+      Checks if the model contains any compatible meta entry for the provided tag names.
+      Returns True if any column meta matches a tag name, otherwise False.
     docs:
       show: false
+    arguments:
+      - name: tag_names
+        type: List[string]
+        description: List of tag names to check for in column meta
+      - name: model_node
+        type: object
+        description: The model node to inspect for meta tags
+
   - name: set_column_tag_value
-    description: apply a tag to a column if a matching meta key exists.
+    description: |
+      Applies or unsets a tag on a column if a matching meta key exists and the value is not public/none.
+      Handles tag name mapping and executes the appropriate ALTER statement for the column.
     docs:
-      show: false
+      show: false
+    arguments:
+      - name: materlization
+        type: string
+        description: The materialization type (table, view, etc.)
+      - name: model_schema
+        type: string
+        description: The schema of the model
+      - name: model_name
+        type: string
+        description: The name of the model
+      - name: column_name
+        type: string
+        description: The column to apply the tag to
+      - name: tag_name
+        type: string
+        description: The tag name to apply
+      - name: desired_tag_value
+        type: string
+        description: The value to set for the tag
+      - name: existing_tags_for_table
+        type: object
+        description: Existing tags for the table, used to check current tag state

packages.yml

@@ -1,3 +1,3 @@
 packages:
   - package: dbt-labs/dbt_utils
-    version: "1.3.1"
+    version: "1.3.3"