User Access

Access to the RelationalAI (RAI) Native App is managed through Snowflake’s role-based access control system. The app provides a set of application roles that can be granted to users for access to the application’s resources.

NOTE

Ownership privileges on the RAI Native App are required to grant and revoke application roles.

Grant Application Roles

Application roles are not granted directly to users. Instead, an application role is granted to a database role, and users are granted that database role; a user's effective permissions on the app are the union of the application roles reachable through the roles they hold.

There are three types of application roles: service roles, resource roles, and RAI schema-specific roles. Each type is listed below.

Use the GRANT APPLICATION ROLE command to grant an application role to a database role:

-- Example: User with full admin access to the entire app.
GRANT APPLICATION ROLE relationalai.all_admin TO ROLE <db_role>;

-- Example: User with limited service and resource access,
-- but full access to the RAI schema named <schema>.
-- (<schema>_all already includes app_user and eng_user through
-- <schema>_rw and <schema>_ro; the explicit grants below are harmless
-- but not required.)
GRANT APPLICATION ROLE relationalai.app_user TO ROLE <db_role>;
GRANT APPLICATION ROLE relationalai.eng_user TO ROLE <db_role>;
GRANT APPLICATION ROLE relationalai.<schema>_all TO ROLE <db_role>;

Refer to the List of Application Roles for the full list of available roles.
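The following is an added, end-to-end example of mapping application roles onto account roles with least privilege; it is not taken from the RelationalAI documentation. It assumes the app owner role is RAI_APP_OWNER, that a RAI schema named SALES exists (so its schema-specific roles are sales_ro, sales_rw and so on, following the <schema>_* pattern from the tables below), and uses the invented role and user names SALES_RAI_READER, SALES_RAI_ENGINEER, JDOE and ASMITH. All statements are standard Snowflake SQL.

```sql
-- Added example (assumed names): least-privilege mapping of RelationalAI
-- application roles to account roles. Run as the role that owns the app.
USE ROLE RAI_APP_OWNER;

-- 1. A dedicated role for analysts who only need to read the SALES RAI schema.
CREATE ROLE IF NOT EXISTS SALES_RAI_READER;

-- 2. Grant the narrowest application role that covers the job. sales_ro
--    already carries app_user, eng_user and schema_viewer, so neither
--    all_schema_ro nor all_admin is needed for a reader.
GRANT APPLICATION ROLE relationalai.sales_ro TO ROLE SALES_RAI_READER;

-- 3. Engineers who load and query SALES get read/write on that schema plus
--    the ability to create and delete engines, and nothing on other schemas.
CREATE ROLE IF NOT EXISTS SALES_RAI_ENGINEER;
GRANT APPLICATION ROLE relationalai.sales_rw  TO ROLE SALES_RAI_ENGINEER;
GRANT APPLICATION ROLE relationalai.eng_admin TO ROLE SALES_RAI_ENGINEER;

-- 4. Users are placed into account roles; application roles are never
--    granted to users directly.
GRANT ROLE SALES_RAI_READER   TO USER JDOE;
GRANT ROLE SALES_RAI_ENGINEER TO USER ASMITH;

-- 5. Periodic review: which account roles hold each application role, and
--    what each account role can do.
SHOW GRANTS OF APPLICATION ROLE relationalai.sales_ro;
SHOW GRANTS OF APPLICATION ROLE relationalai.eng_admin;
SHOW GRANTS TO ROLE SALES_RAI_ENGINEER;
```

Keep all_admin and all_resource_admin for the small set of people who administer the app itself; everyday access should go through schema-specific roles, which scope a compromise of one user or role to a single RAI schema.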

Revoke Application Roles

Use REVOKE APPLICATION ROLE to revoke an application role from a database role:

REVOKE APPLICATION ROLE relationalai.<role_name> FROM ROLE <database_role_name>;

Delegate User Access Management

App owners may delegate user access management to other users by granting them USAGE on stored procedures that grant and revoke application roles. Because such a procedure is defined with EXECUTE AS OWNER, it runs with the app owner's privileges no matter who calls it: anyone who can call it can grant the application role to whatever role name they pass in, including PUBLIC. Restrict who may call the procedure, and validate the target role rather than concatenating it straight into dynamic SQL.

For example, a minimal stored procedure that grants the app_admin application role to a given role (it performs no validation of target_role; see the caveat above):

CREATE PROCEDURE <snowflake_db_name>.GRANT_APP_ADMIN(target_role STRING)
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER   -- runs with the app owner's privileges for every caller
AS
BEGIN
    -- The caller-supplied role name is interpolated into the GRANT unchecked.
    LET q STRING := 'GRANT APPLICATION ROLE relationalai.app_admin TO ROLE ' || :target_role;
    EXECUTE IMMEDIATE :q;
    RETURN 'ok';
END;

Use a similar delegation pattern to revoke access to application roles.
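The block below is an added example, not code from the RelationalAI docs, showing one way to harden the delegation pattern for both grant and revoke: the procedure accepts only a plain unquoted identifier, checks it against an allow-list table that only the app owner can edit, and builds the dynamic statement from validated parts. The database and schema RAI_ADMIN.ACCESS, the table DELEGATABLE_ROLES, the procedure SET_APP_USER, the delegate role RAI_ACCESS_DELEGATE and the role names in the allow-list are all assumptions for illustration; the Snowflake Scripting constructs (DECLARE ... EXCEPTION, RAISE, SELECT ... INTO, EXECUTE IMMEDIATE) are standard.

```sql
-- Added example (assumed names): delegated grant/revoke of an application
-- role with input validation. Run as the role that owns the RAI Native App,
-- so the procedure (EXECUTE AS OWNER) carries ownership privileges on the app.
CREATE DATABASE IF NOT EXISTS RAI_ADMIN;
CREATE SCHEMA IF NOT EXISTS RAI_ADMIN.ACCESS;

-- Allow-list of account roles a delegate may add to, or remove from, app_user.
-- Only the app owner writes to this table, so a delegate cannot widen scope.
CREATE TABLE IF NOT EXISTS RAI_ADMIN.ACCESS.DELEGATABLE_ROLES (role_name STRING);
INSERT INTO RAI_ADMIN.ACCESS.DELEGATABLE_ROLES
    VALUES ('SALES_RAI_READER'), ('SALES_RAI_ENGINEER');   -- assumed role names

CREATE OR REPLACE PROCEDURE RAI_ADMIN.ACCESS.SET_APP_USER(target_role STRING, action STRING)
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER
AS
$$
DECLARE
    bad_role   EXCEPTION (-20001, 'target_role is not an allow-listed plain identifier');
    bad_action EXCEPTION (-20002, 'action must be GRANT or REVOKE');
    allowed    INTEGER;
    q          STRING;
BEGIN
    -- 1. Accept only an unquoted Snowflake identifier (letter or underscore,
    --    then letters, digits, underscore or $), so the value cannot carry
    --    extra tokens into the dynamic statement.
    IF (NOT REGEXP_LIKE(:target_role, '^[A-Za-z_][A-Za-z0-9_$]{0,254}$')) THEN
        RAISE bad_role;
    END IF;

    -- 2. Accept only roles the app owner has explicitly allow-listed. PUBLIC
    --    and the built-in admin roles are never in the list, so they are
    --    rejected here even though they pass the identifier check.
    SELECT COUNT(*) INTO :allowed
      FROM RAI_ADMIN.ACCESS.DELEGATABLE_ROLES
     WHERE role_name = UPPER(:target_role);
    IF (:allowed = 0) THEN
        RAISE bad_role;
    END IF;

    -- 3. Build the statement from validated parts only.
    IF (UPPER(:action) = 'GRANT') THEN
        q := 'GRANT APPLICATION ROLE relationalai.app_user TO ROLE ' || UPPER(:target_role);
    ELSEIF (UPPER(:action) = 'REVOKE') THEN
        q := 'REVOKE APPLICATION ROLE relationalai.app_user FROM ROLE ' || UPPER(:target_role);
    ELSE
        RAISE bad_action;
    END IF;
    EXECUTE IMMEDIATE :q;
    RETURN UPPER(:action) || ' app_user ' || UPPER(:target_role);
END;
$$;

-- The delegate may call the procedure but gets no access to the allow-list.
CREATE ROLE IF NOT EXISTS RAI_ACCESS_DELEGATE;
GRANT USAGE ON DATABASE RAI_ADMIN TO ROLE RAI_ACCESS_DELEGATE;
GRANT USAGE ON SCHEMA RAI_ADMIN.ACCESS TO ROLE RAI_ACCESS_DELEGATE;
GRANT USAGE ON PROCEDURE RAI_ADMIN.ACCESS.SET_APP_USER(STRING, STRING)
    TO ROLE RAI_ACCESS_DELEGATE;

-- As the delegate:
-- CALL RAI_ADMIN.ACCESS.SET_APP_USER('SALES_RAI_READER', 'GRANT');
-- CALL RAI_ADMIN.ACCESS.SET_APP_USER('SALES_RAI_READER', 'REVOKE');
-- CALL RAI_ADMIN.ACCESS.SET_APP_USER('PUBLIC', 'GRANT');   -- rejected: not allow-listed
```

Keep the delegated procedure scoped to the least powerful application role that the delegate's task requires (app_user or a <schema>_* role); delegating all_admin or app_admin through a procedure hands the callers the ability to administer the app itself.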

List of Application Roles

Service Application Roles

Service roles provide access to the RAI Native App itself, billing information, and logs.

Application Role | Description
all_admin | Includes all application roles. Recommended for users who need full permissions to administer the application.
app_admin | Enables management of the app and its underlying service. Allows assignment of warehouse, compute pool, and privileges to the app.
app_user | Grants universal privileges necessary for any app user. Allows observation of the app's state and usage of the RAI service.
billing_admin | Provides access to billing information and consumption data tracked by the app.
sensitive_logs | Permits viewing of logs that span multiple engines and RAI schemas.

Resource Application Roles

Resource roles provide access to all of the RAI Native App’s resources.

Application Role | Description
all_resource_admin | Includes cdc_admin, eng_admin, schema_admin, and all_schema_all roles. Recommended for users who need full permissions for application resources.
schema_admin | Creates, clones, and deletes schemas. Includes all permissions of schema_viewer.
schema_viewer | Lists and retrieves details for all schemas.
all_schema_ro | Grants read-only usage on all RAI schemas. Includes all permissions of eng_user, schema_viewer, app_user, and <schema>_ro.
all_schema_rw | Allows read/write queries on all RAI schemas. Includes all permissions of all_schema_ro and <schema>_rw.
all_schema_cdc | Manages data streams on all RAI schemas. Includes all permissions of <schema>_cdc.
all_schema_all | Combines all permissions of all_schema_rw and all_schema_cdc.
eng_admin | Creates and deletes engines. Includes all permissions of eng_user.
eng_user | Allows engine use and viewing engine details.
cdc_admin | Manages Change Data Capture (CDC) processes. Assigns engines as CDC ingest engines.

RAI Schema-Specific Application Roles

Schema-specific roles provide access to specific RAI schemas and their resources and are prefixed with the schema name.

Application Role | Description
<schema>_all | Combines all permissions of <schema>_rw and <schema>_cdc. Recommended for users who need full permissions for a specific RAI schema.
<schema>_ro | Grants read-only usage to the specified schema. Includes all permissions of eng_user, schema_viewer, and app_user.
<schema>_rw | Allows read/write access to the specified schema. Includes all permissions of <schema>_ro.
<schema>_viewer | Lists and retrieves details for the specified schema.
<schema>_cdc | Manages data streams for the specified schema.