The correct answer is B. Database .
A database role is designed to manage access to objects within a database. Database roles are useful for grouping privileges on objects that belong to the same logical database-level domain, such as related schemas, tables, and views.
Why B is correct:
Database roles are created inside a database and can be granted privileges on objects in that database. They help organize access control for database-specific objects.
Example concept:
CREATE DATABASE ROLE sales_db.sales_reader;
GRANT USAGE ON SCHEMA sales_db.reporting TO DATABASE ROLE sales_db.sales_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA sales_db.reporting TO DATABASE ROLE sales_db.sales_reader;
The database role can then be granted to an account role.
Why the other options are incorrect:
A. Account roles are account-level roles and can hold privileges across many databases and account objects. They are broader than the logical grouping described in the question.
C. Service roles are associated with service-related access, not general database object access control.
D. Application roles are used by Snowflake Native Apps to manage access inside an application, not to generally control access to a logical group of database objects.
Official Snowflake documentation reference:
Snowflake documentation describes database roles as roles scoped to a database and used to manage privileges on database objects.
[Reference: Snowflake Documentation — Database roles; Snowflake Documentation — Access control overview; SnowPro Core Study Guide — Security and Access Control., , , ]