Exam SnowPro Core topic 1 question 329 discussion

It should be A because as both a & c answer are correct, the 'minimum' impacting option is Ownership

A managed access schema is a way to centralize the management of access permissions for objects in a schema. This is done by limiting the ability to grant privileges to only the schema owner or roles with the MANAGE GRANTS privilege.

C is correct

https://docs.snowflake.com/en/user-guide/security-access-control-configure

A is correct

AC are both correct With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.

https://docs.snowflake.com/en/sql-reference/sql/create-schema CREATE SCHEMA WITH MANAGED ACCESS Specifies a managed schema. Managed access schemas centralize privilege management with the schema owner. In regular schemas, the owner of an object (i.e. the role that has the OWNERSHIP privilege on the object) can grant further privileges on their objects to other roles. In managed schemas, the schema owner manages all privilege grants, including future grants, on objects in the schema. Object owners retain the OWNERSHIP privileges on the objects; however, only the schema owner can manage privilege grants on the objects.

A correct - based on comments here

A should be the answer

Correct

With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.

Question itself is wrong, privileges are always granted to role, not to users. Users are always granted with roles

In managed access schemas (i.e. schemas created using the CREATE SCHEMA … WITH MANAGED ACCESS syntax), object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the global MANAGE GRANTS privilege can grant privileges on objects in the schema.

Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management. [for a managed access schema] Here we are however talking about granting permission changes privilege for NEW objects. The schema owner would automatically be granted this privilege on all object within the schema he owns. But a MANAGE GRANTS privileged role could only assign privileges using the "future" keyword

Answer -- A With managed access schemas, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.

Confuse between A&C In managed access schemas (i.e. schemas created using the CREATE SCHEMA … WITH MANAGED ACCESS syntax), either the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the global MANAGE GRANTS privilege can grant privileges on future objects in the schema.