User Access#

Access to the RelationalAI (RAI) Native App is managed through Snowflake’s role-based access control system. The app provides a set of application roles that can be granted to users for access to the application’s resources.

NOTE

Ownership privileges on the RAI Native App are required to grant and revoke application roles.

Grant Application Roles#

Application roles are not granted directly to users. Instead, application roles are granted to database roles, and users are granted those database roles.

There are three types of application roles:

Use the GRANT APPLICATION ROLE command to grant an application role to a database role:

-- Example: User with full admin access to the entire app.
GRANT APPLICATION ROLE relationalai.all_admin TO ROLE <db_role>;

-- Example: User with limited service and resource access,
-- but full access to the RAI schema named <schema>.
GRANT APPLICATION ROLE relationalai.app_user TO ROLE <db_role>;
GRANT APPLICATION ROLE relationalai.eng_user TO ROLE <db_role>;
GRANT APPLICATION ROLE relationalai.<schema>_all TO ROLE <db_role>;

Refer to the List of Application Roles for the full list of available roles.

Revoke Application Roles#

Use REVOKE APPLICATION ROLE to revoke an application role from a database role:

REVOKE APPLICATION ROLE relationalai.<role_name> FROM ROLE <database_role_name>;

Delegate User Access Management#

App owners may delegate user access management to other users by granting them access to stored procedures that grant and revoke application roles.

For example, to create a stored procedure that grants the all_admin application role to a user:

CREATE PROCEDURE <snowflake_db_name>.GRANT_APP_ADMIN(target_role STRING)
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER
AS
BEGIN
    LET q STRING := 'GRANT APPLICATION ROLE relationalai.app_admin TO ROLE ' || :TARGET_ROLE;
    EXECUTE IMMEDIATE :q;
    RETURN 'ok';
END;

Use a similar delegation pattern to revoke access to application roles.

List of Application Roles#

Service Application Roles#

Service roles provide access to the RAI Native App itself, billing information, and logs.

Application RoleDescription
all_adminIncludes all application roles. Recommended for users who need full permissions to administer the application.
app_adminEnables management of the app and its underlying service. Allows assignment of warehouse, compute pool, and privileges to the app.
app_userGrants universal privileges necessary for any app user. Allows observation of the app’s state and usage of the RAI service.
billing_adminProvides access to billing information and consumption data tracked by the app.
sensitive_logsPermits viewing of logs that span multiple engines and RAI schemas.

Resource Application Roles#

Resource roles provide access to all of the RAI Native App’s resources.

Application RoleDescription
all_resource_adminIncludes cdc_admin, eng_admin, schema_admin, and all_schema_all roles. Recommended for users who need full permissions for application resources.
schema_adminCreates, clones, and deletes schemas. Includes all permissions of schema_viewer.
schema_viewerLists and retrieves details for all schemas.
all_schema_roGrants read-only usage on all RAI schemas. Includes all permissions of eng_user, schema_viewer, app_user, and <schema>_ro.
all_schema_rwAllows read/write queries on all RAI schemas. Includes all permissions of all_schema_ro and <schema>_rw.
all_schema_cdcManages data streams on all RAI schemas. Includes all permissions of <schema>_cdc.
all_schema_allCombines all permissions of all_schema_rw and all_schema_cdc.
eng_adminCreates and deletes engines. Includes all permissions of eng_user.
eng_userAllows engine use and viewing engine details.
cdc_adminManages Change Data Capture (CDC) processes. Assigns engines as CDC ingest engines.

RAI Schema-Specific Application Roles#

Schema-specific roles provide access to specific RAI schemas and their resources and are prefixed with the schema name.

Application RoleDescription
<schema>_allCombines all permissions of <schema>_rw and <schema>_cdc. Recommended for users who need full permissions for a specific RAI Schema.
<schema>_roGrants read-only usage to the specified schema. Includes all permissions of eng_user, schema_viewer, and app_user.
<schema>_rwAllows read/write access to the specified schema. Includes all permissions of <schema>_ro.
<schema>_viewerLists and retrieves details for the specified schema.
<schema>_cdcManages data streams for the specified schema.