SNOWFLAKE: Can't assign MASKING POLICY to TAG

Question

I'm trying to assign a masking policy to tag in snowflake but I'm having trouble with required privilege or object missing depending on the role I'm using.

How I proceed :

use database DATABASE;
use schema SCHEMA;

--CREATE TAG
create or replace tag sensitive_values; 

--CREATE MASKING POLICY 
create or replace masking policy values_mask as (val int) returns int ->
 case
   when current_role() in ('SYSADMIN') then val
   else null 
 end;

--ASSOCIATE MASKING POILCY AND TAG 
alter tag DATABASE.SCHEMA.sensitive_values set masking policy values_mask;

When I'm using the role SECURITYADMIN I have this error: SQL compilation error: Database 'DATABASE' does not exist or not authorized.

When I'm using the role SYSADMIN I have this error : SQL access control error: Insufficient privileges to operate on tag 'SENSITIVE_VALUES'

What am I missing ?

Answer 1

As suggested by @TomMeacham, I have create a specific role to manage my tag:

--CREATE ROLE
use role securityadmin;

create role tag_admin comment = "Admin role manage tag";


GRANT USAGE ON DATABASE DATABASE_NAME TO ROLE tag_admin;
GRANT USAGE ON SCHEMA DATABASE_NAME.SCHEMA_NAME TO ROLE tag_admin;

grant create masking policy on schema DATABASE_NAME.SCHEMA_NAME to role tag_admin;
grant create tag on schema DATABASE_NAME.SCHEMA_NAME to role tag_admin;

use role accountadmin;
grant apply tag on account to tag_admin;
grant apply masking policy on account to role tag_admin;

GRANT ROLE tag_admin TO USER USER_NAME; 

--ASSIGN TAG TO MASKING POLICY 
use role tag_admin;

use database DATABASE_NAME;
use schema SCHEMA_NAME;

alter tag DATABASE_NAME.SCHEMA_NAME.sensitive_values set masking policy values_mask;

Now the tag is assign to the masking policy.