Granting Privileges Required by an Application¶
This topic describes how a consumer can grant privileges requested by an application that allow the application to perform tasks and access objects outside of the application.
About the Privileges and References Requested by an Application¶
In a simple application, all of the objects required by the application are created inside the application when the setup script runs when an application is installed. Given that all of the objects required by the application are created in and accessed within the installed application, you do not need to grant any privileges to the application.
Some applications created using the Native Apps Framework might need to create objects or access existing objects in your account outside the context of the installed application.
Those applications request access to create or access objects outside the application context, and if you want to allow the application to do so, you can approve the application’s request.
There are two types of access that an application can request:
Privileges that allow the application to perform some task. An application can request the following global privileges:
EXECUTE TASK
EXECUTE MANAGED TASK
CREATE WAREHOUSE
MANAGE WAREHOUSES
CREATE DATABASE
Some applications may also request the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database. Refer to Granting the IMPORTED PRIVILEGES Privilege on the SNOWFLAKE Database for details.
References that allow the application to access objects that already exist in the consumer account and are outside the application. The provider defines the references required by the application. After installing the application, you associate an object and grant the corresponding privileges to the application.
An application can request access to the following types of objects and their corresponding privileges:
Object Type        Privileges Allowed
TABLE              SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES
VIEW               SELECT, REFERENCES
EXTERNAL TABLE     SELECT, REFERENCES
FUNCTION           USAGE
PROCEDURE          USAGE
WAREHOUSE          MODIFY, MONITOR, USAGE, OPERATE
API INTEGRATION    USAGE
You can approve these requests using Snowsight or by running SQL commands as described in the following sections.
Note
If you do not grant the requested privileges or associate references to the application, the application may not work.
Managing Access Requests using Snowsight¶
For some applications, you can view and grant account-level privileges and manage access to specific application objects using Snowsight.
Granting Global Privileges¶
To grant privileges or create references after installing an application, do the following:
Sign in to Snowsight.
In the left navigation bar, select Apps.
Select the application.
Select the Security icon in the toolbar.
The account-level privileges requested by the application appear under Account-level privileges.
In the Account-level privileges section, select Review, and then toggle the slider for each privilege that you want to grant.
Select Save.
Manage Access to Specific Objects¶
If your application provider has implemented a user interface, you can use Snowsight to associate specific objects in your account and their required privileges to the application.
To grant privileges to specific objects:
Sign in to Snowsight.
In the left navigation bar, select Apps.
Select the application.
Select the Security icon in the toolbar.
In the Privileges to objects section, select Add next to the object you want to approve.
Select Select Data and choose the data product to which you want to provide access.
Select Done.
Revoking Privileges and Access to Objects¶
To revoke privileges or remove access to objects for the application, do the following:
Sign in to Snowsight.
In the left navigation bar, select Apps.
Select the application.
Select the Security icon in the toolbar.
To revoke an account-level privilege, select the Edit button, then toggle the slider for the privilege you want to revoke.
To revoke access to a specific object, select the Delete button, then select Revoke Privilege.
Note
Revoking privileges or removing access to objects can cause the application to become unstable or stop working.
Managing Access Requests using SQL Commands¶
If your application provider does not implement an interface for granting privileges, you must manage access requests for the application using SQL commands.
Viewing the Privileges Requested by an Application¶
When a provider specifies the privileges required by the application, the privilege request is included as part of the installed application. You can view these privileges after installing the application.
To view the privileges required by an application, run the SHOW PRIVILEGES command as shown in the following example:
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;
Granting Privileges on an Application¶
After you determine the privileges required by an application, you must grant those privileges for the application to work.
For example, to grant the EXECUTE TASK privilege to an example application, run the GRANT PRIVILEGE command as shown in the following example:
GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;
Granting the MANAGE WAREHOUSES Privilege to an Application¶
The MANAGE WAREHOUSES privilege allows an application to create, modify, and use warehouses within a consumer account. To grant the MANAGE WAREHOUSES privilege to an application, use the GRANT command as shown in the following example:
GRANT MANAGE WAREHOUSES ON ACCOUNT TO APPLICATION hello_snowflake_app;
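The following script is an added example, not part of the original page, that walks through the SQL workflow described above for account-level privileges: list what the application requests, grant only those privileges, and remove a privilege that is no longer needed. The application name hello_snowflake_app is taken from the page's examples; the REVOKE ... FROM APPLICATION form is not shown on the page and is assumed here as the counterpart of the GRANT statements.

```sql
-- Added example (not from the page): grant an installed application only the
-- account-level privileges it actually requests, then revoke one later.
-- Assumed application name: hello_snowflake_app (from the page's examples).

-- 1. List the privileges the application asks for before granting anything.
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;

-- 2. Grant the requested privileges one at a time. These are account-level
--    privileges, so the form is GRANT <privilege> ON ACCOUNT TO APPLICATION.
GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;
GRANT CREATE WAREHOUSE ON ACCOUNT TO APPLICATION hello_snowflake_app;

-- 3. IMPORTED PRIVILEGES on the SNOWFLAKE database is a database-level grant
--    that exposes usage and cost data for the account; grant it only when the
--    application's readme states that it is required (left commented out here).
-- GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;

-- 4. Withdraw a privilege the application no longer needs (assumed REVOKE form,
--    mirroring the GRANT syntax above). The application may stop working if it
--    still depends on the privilege, so re-check SHOW PRIVILEGES first.
REVOKE CREATE WAREHOUSE ON ACCOUNT FROM APPLICATION hello_snowflake_app;
```

Run the statements as a role that holds the privileges being granted; keeping the SHOW PRIVILEGES output next to the GRANT statements makes it easy to confirm that nothing beyond the application's stated request was granted.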
Granting the IMPORTED PRIVILEGES Privilege on the SNOWFLAKE Database¶
Some applications may request that you grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database in your account. This privilege can only be granted using SQL commands. It cannot be granted using Snowsight. If an application requires this privilege, the provider should communicate this in the readme file of the application.
To grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database, run the following command:
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;
Note
Granting IMPORTED PRIVILEGES allows the application to access information about usage and costs associated with your account. You should ensure that you want to share this information with the application before granting this privilege.
Viewing the References Defined in an Application¶
When a provider defines the references to objects required by the application, the references are included as part of the installed application. You can view the references after installing the application.
To view the references defined for an application, run the SHOW REFERENCES command as shown in the following example:
SHOW REFERENCES IN APPLICATION hello_snowflake_app;
Getting the Reference Identifier¶
After reviewing the references requested by the application, you obtain the identifier of a reference by running the SYSTEM$REFERENCE system function, and then pass the returned value to a stored procedure that the provider includes in the application to handle references.
To get the reference identifier, run the SYSTEM$REFERENCE system function as shown in the following example:
SELECT SYSTEM$REFERENCE('table', 'db1.schema1.tab1', 'persistent', 'select', 'insert');
This command returns an identifier for the reference that you must use to associate the reference to the application.
Associating the Reference to the Application¶
To associate a reference to an application, you must pass the identifier returned by calling the SYSTEM$REFERENCE system function to a callback stored procedure. A callback procedure is a stored procedure that handles associating an object in your account, specified by the identifier, to the application.
The application must include a callback stored procedure for each reference requested.
Note
A provider may include different functions or stored procedures to handle associating the references required by an application. These should be specified in the readme file of the application.
To use a callback procedure run the following command:
CALL app.config.register_callback('enrichment_table',
  SYSTEM$REFERENCE('table', 'db1.schema1.tab1', 'persistent', 'select', 'insert'),
  'SET', null);
In this example, the SYSTEM$REFERENCE system function returns the identifier of the reference, and that value is passed to the register_callback procedure.
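The following script is an added example, not part of the original page, that carries the reference workflow above through end to end: review the references the application defines, build the identifier with only the privileges the reference requires, bind it through the provider's callback, and re-check the result. The names hello_snowflake_app, enrichment_table, app.config.register_callback and db1.schema1.tab1 are taken from the page's examples; the page does not state which privileges enrichment_table requires, so granting only SELECT is an assumption made for illustration.

```sql
-- Added example (not from the page): associate a consumer table with an
-- application through a reference, granting only the privileges the reference
-- actually requests. Assumed names (all from the page's examples):
--   application          hello_snowflake_app
--   reference            enrichment_table
--   callback procedure   app.config.register_callback
--   consumer table       db1.schema1.tab1

-- 1. Review the references the application defines and the privileges each
--    one requests, so the grant below matches the request and nothing more.
SHOW REFERENCES IN APPLICATION hello_snowflake_app;

-- 2. Build the reference identifier and inspect it before handing it over.
--    'persistent' keeps the reference after the session ends. Only SELECT is
--    listed here (assumed to be what enrichment_table requires); omit INSERT
--    unless the reference asks for it.
SELECT SYSTEM$REFERENCE('table', 'db1.schema1.tab1', 'persistent', 'select');

-- 3. Pass the identifier to the provider's callback procedure, which binds the
--    object to the reference named in the first argument. 'SET' is the
--    operation shown on the page.
CALL app.config.register_callback(
  'enrichment_table',
  SYSTEM$REFERENCE('table', 'db1.schema1.tab1', 'persistent', 'select'),
  'SET',
  null);

-- 4. Confirm that the reference is now associated with the table.
SHOW REFERENCES IN APPLICATION hello_snowflake_app;
```

The SELECT in step 2 is only for inspection; the value that actually reaches the application is the SYSTEM$REFERENCE call embedded in the CALL statement, so the two calls must list the same object and privileges. Comparing the SHOW REFERENCES output before and after the CALL is the quickest way to verify what the application can now reach in your account.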