User Access#

Access to the RelationalAI (RAI) Native App is managed through Snowflake’s role-based access control system. The app provides a set of application roles that can be granted to users for access to the application and its resources.

Application roles can be managed using SQL and Python.

IMPORTANT

RAI Native App ownership privileges are required to grant and revoke application roles. However, access control can be delegated to non-owners through stored procedures.


Application Roles#

Service Roles#

Service roles provide access to the RAI Native App itself, its logs, and its billing data. At a minimum, any user who needs to use the RAI Native App must hold a Snowflake role that has been granted the app_user application role. Every other application role includes app_user, so a user who holds any of them already has it.

| Application Role | Description |
| --- | --- |
| `all_admin` | Includes all application roles. Recommended for users who need full permissions to administer the application. |
| `app_admin` | Enables management of the app and the RAI SPCS service. Includes the `app_user` role. |
| `app_user` | Enables usage of the RAI Native App. |
| `billing_admin` | Enables access to billing and consumption data tracked by the app. Includes the `app_user` role. |
| `sensitive_logs` | Enables access to sensitive logs. Includes the `app_user` role. |

Resource Roles#

Resource roles provide access to the resources the RAI Native App manages: RAI engines, and the CDC Service with its data streams.

| Application Role | Description |
| --- | --- |
| `all_resource_admin` | Enables management of all app resources. Includes the `cdc_admin` and `eng_admin` roles. Recommended for users who need full permissions for application resources. |
| `cdc_admin` | Enables management of the CDC Service and creating/deleting data streams. Includes the `app_user` role. |
| `eng_admin` | Enables creating/deleting engines. Includes the `app_user` and `eng_user` roles. |
| `eng_user` | Enables viewing and using RAI engines. Includes the `app_user` role. |

Grant Application Roles#

Requires RAI Native App ownership privileges.

Use the GRANT APPLICATION ROLE command to grant an application role to a Snowflake role:

```sql
-- Grant the `all_admin` role to the ACCOUNTADMIN role
GRANT APPLICATION ROLE relationalai.all_admin TO ROLE ACCOUNTADMIN;
```

Note that application roles are not granted directly to users. Instead, application roles are granted to Snowflake roles (ACCOUNTADMIN above is an account role), and users receive them through the roles they hold. Granting `all_admin` to ACCOUNTADMIN is the broadest possible choice; for day-to-day use, prefer a dedicated role that carries only the application role its members need.
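The least-privilege version of the grant above, as an added example that is not part of the RelationalAI docs: a dedicated Snowflake role receives only `eng_user`, a user is attached to that role, and two SHOW GRANTS checks confirm the chain. The role name RAI_ENGINE_USERS and the user name analyst1 are assumptions; the statements must be run as the RAI Native App owner.

```sql
-- Added example (not from the RelationalAI docs). RAI_ENGINE_USERS and analyst1 are assumed names.
-- Run as the RAI Native App owner, which is required for GRANT APPLICATION ROLE.

-- A dedicated account role for people who only need to use existing engines,
-- instead of handing all_admin to ACCOUNTADMIN.
CREATE ROLE IF NOT EXISTS RAI_ENGINE_USERS;

-- eng_user already includes app_user, so a single grant is enough.
GRANT APPLICATION ROLE relationalai.eng_user TO ROLE RAI_ENGINE_USERS;

-- Users get the application role indirectly, through the Snowflake role.
GRANT ROLE RAI_ENGINE_USERS TO USER analyst1;

-- Check 1: the application role shows up among the grants to the Snowflake role.
SHOW GRANTS TO ROLE RAI_ENGINE_USERS;

-- Check 2: the Snowflake role shows up among the grantees of the application role.
-- Review this list periodically; it is the authoritative record of who can reach RAI engines.
SHOW GRANTS OF APPLICATION ROLE relationalai.eng_user;
```

The second check is the one to run when auditing access: it lists every Snowflake role that holds the application role, regardless of which role performed the grant.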

Revoke Application Roles#

Requires RAI Native App ownership privileges.

To revoke an application role from a Snowflake role, use the REVOKE APPLICATION ROLE command:

```sql
REVOKE APPLICATION ROLE relationalai.<app_role_name> FROM ROLE <database_role_name>;
```

Delegate Access Control#

Requires RAI Native App ownership privileges.

App owners may delegate user access management to other users by granting them access to stored procedures that grant and revoke application roles. Because such a procedure runs with the owner's rights (EXECUTE AS OWNER), anyone allowed to call it can grant whatever the procedure permits, so keep the set of callers small and consider limiting the application roles the procedure will grant.

For example, the following creates a stored procedure that grants a RAI application role to a Snowflake role and grants the right to call the procedure to the ACCOUNTADMIN role:

```sql
-- Create a stored procedure for granting RAI application roles.
CREATE PROCEDURE GRANT_RAI_APP_ROLE(app_role STRING, target_role STRING)
RETURNS TABLE()
LANGUAGE SQL
EXECUTE AS OWNER
AS
BEGIN
    -- Qualify the role with the application name so only RAI application roles can be named.
    LET qualified_app_role STRING := 'relationalai.' || :app_role;
    -- Bind both identifiers instead of concatenating caller input into the statement text.
    LET query STRING := 'GRANT APPLICATION ROLE IDENTIFIER(?) TO ROLE IDENTIFIER(?)';
    LET rs RESULTSET := (EXECUTE IMMEDIATE :query USING (qualified_app_role, target_role));
    RETURN TABLE(rs);
END;

-- Allow the ACCOUNTADMIN role to call GRANT_RAI_APP_ROLE. Snowflake grants USAGE on
-- procedures and identifies the procedure by its argument signature; the caller also
-- needs USAGE on the database and schema that contain the procedure.
GRANT USAGE ON PROCEDURE GRANT_RAI_APP_ROLE(STRING, STRING) TO ROLE ACCOUNTADMIN;
```

Use a similar delegation pattern for revoking access to application roles.
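The grant and revoke sides of the delegation pattern in one procedure, as an added example that is not part of the RelationalAI docs. It differs from the procedure above in one security-relevant way: it only accepts an allowlisted subset of application roles, so a delegate cannot use the owner-rights procedure to make their own role an app admin. The procedure name MANAGE_RAI_APP_ROLE, the delegate role RAI_ACCESS_MANAGER, the target role RAI_ENGINE_USERS and the allowlist itself are assumptions; adjust the list to your own policy.

```sql
-- Added example (not from the RelationalAI docs). Procedure and role names are assumed.
-- Run as the RAI Native App owner.
CREATE OR REPLACE PROCEDURE MANAGE_RAI_APP_ROLE(action STRING, app_role STRING, target_role STRING)
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER
AS
DECLARE
    qualified_app_role STRING;
    query STRING;
BEGIN
    -- Allowlist of roles a delegate may grant or revoke. The admin roles
    -- (all_admin, app_admin, all_resource_admin) and sensitive_logs are left out
    -- on purpose: an owner-rights procedure that could hand them out is an
    -- escalation path for every caller. Extend the list to match your policy.
    IF (LOWER(app_role) NOT IN ('app_user', 'eng_user', 'eng_admin', 'cdc_admin', 'billing_admin')) THEN
        RETURN 'refused: ' || app_role || ' is not a delegatable application role';
    END IF;

    -- Always qualify with the application name, so only RAI roles can be named.
    qualified_app_role := 'relationalai.' || LOWER(app_role);

    -- Pick the statement. Identifiers are bound, never concatenated into the SQL text.
    IF (UPPER(action) = 'GRANT') THEN
        query := 'GRANT APPLICATION ROLE IDENTIFIER(?) TO ROLE IDENTIFIER(?)';
    ELSEIF (UPPER(action) = 'REVOKE') THEN
        query := 'REVOKE APPLICATION ROLE IDENTIFIER(?) FROM ROLE IDENTIFIER(?)';
    ELSE
        RETURN 'refused: action must be GRANT or REVOKE';
    END IF;

    EXECUTE IMMEDIATE :query USING (qualified_app_role, target_role);
    RETURN UPPER(action) || ' ' || qualified_app_role || ' on ' || target_role || ': ok';
END;

-- Only the delegate role may call the procedure. Snowflake grants USAGE on procedures,
-- identified by argument signature; the delegate also needs USAGE on the database and
-- schema that hold the procedure.
GRANT USAGE ON PROCEDURE MANAGE_RAI_APP_ROLE(STRING, STRING, STRING) TO ROLE RAI_ACCESS_MANAGER;

-- As the delegate (RAI_ACCESS_MANAGER):
CALL MANAGE_RAI_APP_ROLE('GRANT', 'eng_user', 'RAI_ENGINE_USERS');   -- granted
CALL MANAGE_RAI_APP_ROLE('GRANT', 'all_admin', 'RAI_ENGINE_USERS');  -- refused by the allowlist
CALL MANAGE_RAI_APP_ROLE('REVOKE', 'eng_user', 'RAI_ENGINE_USERS');  -- revoked
```

Keeping grant and revoke in one procedure means a single allowlist governs both directions, and a single USAGE grant is all that has to be reviewed when auditing who can change RAI access. The refusals are returned as strings rather than raised as errors so the delegate sees why the call did nothing; raise an exception instead if you want the refusal to surface in query history as a failure.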