Application roles created in the setup script are automatically granted to the role that owns the application instance. When the application is installed, the role used to install it becomes the owner of that application. The application owner can, however, grant privileges to other account roles in the consumer account.
Application roles are the mechanism for granting privileges on objects within the application, which is how those privileges reach the consumer.
For example:
-- Application roles; admin inherits everything granted to user.
CREATE APPLICATION ROLE admin;
CREATE APPLICATION ROLE user;
GRANT APPLICATION ROLE user TO APPLICATION ROLE admin;

-- Schema that holds the application code, usable by both roles.
CREATE OR ALTER VERSIONED SCHEMA app_code;
GRANT USAGE ON SCHEMA app_code TO APPLICATION ROLE admin;
GRANT USAGE ON SCHEMA app_code TO APPLICATION ROLE user;

-- Configuration procedure: admin only (signature and body elided).
CREATE OR REPLACE PROCEDURE app_code.config_app(...)
GRANT USAGE ON PROCEDURE app_code.config_app(...)
  TO APPLICATION ROLE admin;

-- add function: both roles (body elided).
CREATE OR REPLACE FUNCTION app_code.add(x INT, y INT)
GRANT USAGE ON FUNCTION app_code.add(INT, INT)
  TO APPLICATION ROLE admin;
GRANT USAGE ON FUNCTION app_code.add(INT, INT)
  TO APPLICATION ROLE user;
In this example, the setup script creates two application roles, 'admin' and 'user'. Both application roles are granted access to the schema that contains the application code, and both are granted access to the 'add' function within that schema. Access to the 'config_app' procedure is granted only to the 'admin' role.
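The consumer side of the same setup, as an added example that is not part of the original page: the application owner maps the two application roles to account roles and then audits the result. The names my_app, analyst_role and app_admin_role are hypothetical, and the session is assumed to have a current warehouse.

```sql
-- Consumer account, run as the role that owns the application.
-- my_app, analyst_role and app_admin_role are hypothetical names.

-- 1. List the application roles the setup script created.
SHOW APPLICATION ROLES IN APPLICATION my_app;

-- 2. Map application roles to account roles, least privilege first:
--    day-to-day users get 'user', only app administrators get 'admin'.
GRANT APPLICATION ROLE my_app.user  TO ROLE analyst_role;
GRANT APPLICATION ROLE my_app.admin TO ROLE app_admin_role;

-- 3. Audit what each application role can reach.
--    Check that config_app does not appear in the grants to 'user'.
SHOW GRANTS TO APPLICATION ROLE my_app.user;
--    Check that 'admin' holds config_app and also the 'user' role,
--    because the setup script granted user to admin.
SHOW GRANTS TO APPLICATION ROLE my_app.admin;

-- 4. Audit which account roles hold the privileged application role.
SHOW GRANTS OF APPLICATION ROLE my_app.admin;

-- 5. Confirm the mapping from the consumer's point of view:
--    analyst_role can call the function exposed to 'user'.
USE ROLE analyst_role;
SELECT my_app.app_code.add(2, 3);

-- 6. Remove administrative access when it is no longer needed
--    (run again as the application owner).
REVOKE APPLICATION ROLE my_app.admin FROM ROLE app_admin_role;
```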