Study SnowPro COF-C02 Roles and Grants: key concepts, common traps, and exam decision cues.

This lesson is where COF-C02 stops asking whether someone can sign in and starts asking whether the active role, grant path, or ownership model actually permits the action.

| If the scenario is asking… | Strongest first object |
|---|---|
| what permission set is active | role |
| what privilege has been assigned | grant |
| who controls the object | ownership |
| how sensitive data should be governed | governance capability |

| Ask this first | Why it matters |
|---|---|
| did the user connect successfully already? | if yes, the problem moved past authentication |
| which active role is in play right now? | Snowflake access often fails here first |
| is the issue ordinary usage, or who controls the object? | ownership is not the same as read or write access |

Governance features answer questions like:

That is different from simply handing a broader role to every user. If the scenario is about sensitive-data control, a raw warehouse or performance answer is almost always off-lane.

| Trap | Better rule |
|---|---|
| “The user exists, so access should work.” | the active role and grants still decide access |
| treating ownership like a minor privilege | ownership changes the control model materially |
| answering governance questions with only warehouse settings | governance is not compute management |

| Scenario clue | Stronger answer shape |
|---|---|
| “user can log in but object access fails” | role and grant path |
| “question asks who really controls an object” | ownership |
| “question asks for least-privilege design” | narrower grants and cleaner role model |
| “question is about sensitive-data controls or policy features” | governance lane |
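
The "user can log in but object access fails" triage from the tables above, written out as Snowflake SQL. This is an added example, not part of the original lesson; the user `JSMITH`, the roles `ANALYST` and `DATA_ADMIN`, and the table `SALES_DB.PUBLIC.ORDERS` are hypothetical names.

```sql
-- Hypothetical names throughout: JSMITH, ANALYST, DATA_ADMIN, SALES_DB.PUBLIC.ORDERS.

-- 1. Authentication already succeeded, so start with the active role.
SELECT CURRENT_USER(), CURRENT_ROLE();

-- 2. Which roles has the user been granted (and can therefore activate)?
SHOW GRANTS TO USER JSMITH;

-- 3. What privileges does the role in play actually carry?
SHOW GRANTS TO ROLE ANALYST;

-- 4. What has been granted on the object itself? The row with privilege
--    OWNERSHIP shows which role controls the object, which is a separate
--    question from who may read or write it.
SHOW GRANTS ON TABLE SALES_DB.PUBLIC.ORDERS;

-- 5. Least-privilege fix: complete the grant path for the narrow role
--    instead of handing the user a broader one. Reading a table requires
--    USAGE on its database and schema plus SELECT on the table.
GRANT USAGE  ON DATABASE SALES_DB               TO ROLE ANALYST;
GRANT USAGE  ON SCHEMA   SALES_DB.PUBLIC        TO ROLE ANALYST;
GRANT SELECT ON TABLE    SALES_DB.PUBLIC.ORDERS TO ROLE ANALYST;

-- 6. Make sure the user holds the role, then activate it in the session.
GRANT ROLE ANALYST TO USER JSMITH;
USE ROLE ANALYST;

-- 7. Changing who controls the object is an ownership transfer, not a
--    read/write grant. COPY CURRENT GRANTS keeps the existing grants
--    on the table in place after the transfer.
GRANT OWNERSHIP ON TABLE SALES_DB.PUBLIC.ORDERS
  TO ROLE DATA_ADMIN COPY CURRENT GRANTS;
```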