Grant access to a Snowflake Native App¶
This topic describes how a consumer can allow a Snowflake Native App to create and access objects in their account. This includes granting the privileges requested by an app or enabling access to existing objects by using references.
About the privileges and references requested by an application¶
In a simple Snowflake Native App, all of the objects required by the app are created inside the APPLICATION object when the setup script runs during installation, and the app creates and accesses those objects only within the installed application. The consumer does not need to perform any actions in their account.
However, some apps might ask the consumer to perform the following types of actions in their account:
Create a database or warehouse.
Execute tasks.
Access existing objects, for example a table.
There are two types of access that a Snowflake Native App can request:
Privileges that allow the app to perform some account-level operations. An app can request the following global privileges:
EXECUTE TASK
EXECUTE MANAGED TASK
CREATE WAREHOUSE
MANAGE WAREHOUSES
CREATE DATABASE
Some apps might also request the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database. Refer to Grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database for details.
References that allow the app to access objects that already exist in the consumer account and are outside the APPLICATION object. A provider defines the references required by the app in the manifest.yml file. After installing the app, the consumer can authorize access to an object by creating a reference that associates the object with the app.
An app can request access to the following types of objects and their corresponding privileges:
Object Type        Privileges Allowed
TABLE              SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES
VIEW               SELECT, REFERENCES
EXTERNAL TABLE     SELECT, REFERENCES
FUNCTION           USAGE
PROCEDURE          USAGE
WAREHOUSE          MODIFY, MONITOR, USAGE, OPERATE
API INTEGRATION    USAGE
A consumer can approve these requests using Snowsight or by running SQL commands as described in the following sections.
Note
If you do not grant the requested privileges or associate references on the requested object to the app, parts of the app may not function correctly.
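The following is an added worked example, not code from the Snowflake documentation or from any particular app, showing both sides of the reference mechanism described above: the callback procedure a provider ships in the app's setup script, and the SQL a consumer runs to bind one existing table to the app with only the SELECT privilege. It assumes the app name hello_snowflake_app (used elsewhere on this page), a reference named consumer_orders declared in manifest.yml with object_type TABLE and privileges SELECT, a provider-chosen callback procedure config.register_reference, an application role app_public, and a constructed consumer table consumer_db.sales.orders; all of these names are assumptions.

```sql
-- ===== Provider side (part of the app's setup script; assumed names) =====
-- The callback the consumer invokes to add/remove a reference. It wraps the
-- Snowflake SYSTEM$SET_REFERENCE / SYSTEM$REMOVE_REFERENCE /
-- SYSTEM$REMOVE_ALL_REFERENCES functions.
CREATE OR REPLACE PROCEDURE config.register_reference(
    ref_name STRING, operation STRING, ref_or_alias STRING)
  RETURNS STRING
  LANGUAGE SQL
  AS $$
    BEGIN
      CASE (operation)
        WHEN 'ADD' THEN
          SELECT SYSTEM$SET_REFERENCE(:ref_name, :ref_or_alias);
        WHEN 'REMOVE' THEN
          SELECT SYSTEM$REMOVE_REFERENCE(:ref_name, :ref_or_alias);
        WHEN 'CLEAR' THEN
          SELECT SYSTEM$REMOVE_ALL_REFERENCES(:ref_name);
        ELSE
          RETURN 'unknown operation: ' || operation;
      END CASE;
      RETURN NULL;
    END;
  $$;

-- Expose the callback to the consumer through an application role (assumed name).
GRANT USAGE ON PROCEDURE config.register_reference(STRING, STRING, STRING)
  TO APPLICATION ROLE app_public;

-- ===== Consumer side (run in the consumer account after installation) =====
-- 1. Review what the app declares it needs before authorizing anything.
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;
SHOW REFERENCES IN APPLICATION hello_snowflake_app;

-- 2. Create a persistent reference to the existing table, scoped to exactly
--    the privilege the app declared (SELECT; no INSERT/UPDATE/DELETE), and
--    pass it to the app's callback so the app can bind it.
CALL hello_snowflake_app.config.register_reference(
  'consumer_orders',
  'ADD',
  SYSTEM$REFERENCE('TABLE', 'consumer_db.sales.orders', 'PERSISTENT', 'SELECT')
);

-- 3. Confirm the binding; the output lists the reference and its alias.
SHOW REFERENCES IN APPLICATION hello_snowflake_app;

-- 4. Withdraw access later by clearing every binding of that reference.
CALL hello_snowflake_app.config.register_reference('consumer_orders', 'CLEAR', NULL);
```

Because the privilege list is fixed at the time SYSTEM$REFERENCE is called, the app cannot later widen its own access to the table; the consumer decides the scope, and SHOW REFERENCES is the place to audit what is currently bound.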
Manage access requests using Snowsight¶
If a provider implements a user interface in a Snowflake Native App, a consumer may perform the following using Snowsight.
View and grant global privileges.
Authorize access to existing objects in the consumer account.
Grant global privileges¶
To grant privileges or create references after installing an application, do the following:
Sign in to Snowsight.
In the navigation menu, select Data Products » Apps.
Select the application.
Select the Security icon in the toolbar.
Select the Privileges tab.
The account-level privileges requested by the application appear under Account-level privileges.
In the Account-level privileges section, select Review, and then toggle the slider for each privilege that you want to grant.
Select Save.
Revoke privileges and access to objects¶
To revoke privileges or remove access to objects, do the following:
Sign in to Snowsight.
In the navigation menu, select Data Products » Apps.
Select the application.
Select the Security icon in the toolbar.
Select the Privileges tab.
To revoke a global privilege, select the Edit button, then toggle the slider for the privilege you want to revoke.
To revoke access from a specific object, select the Delete button, then select Revoke Privilege.
Note
Revoking privileges or removing access from objects can cause the application to become unstable or stop working.
Manage privileges for an app by using SQL commands¶
If the application's provider does not implement an interface for granting privileges, you must manage access requests for the application by using SQL commands.
View the privileges requested by an application¶
When a provider specifies the privileges required by the application, the privilege request is included as part of the installed application. You can view these privileges after installing the application.
To view the privileges required by an application, run the SHOW PRIVILEGES command as shown in the following example:
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;
Grant privileges to a Snowflake Native App¶
After a consumer determines the privileges requested by an app, they can grant those privileges to the app.
For example, to grant the EXECUTE TASK privilege to an app, run the GRANT PRIVILEGE command as shown in the following example:
GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;
Grant the MANAGE WAREHOUSES privilege to a Snowflake Native App¶
The MANAGE WAREHOUSES privilege allows an application to create, modify, and use warehouses within the consumer account. To grant the MANAGE WAREHOUSES privilege to an app, run the GRANT command as shown in the following example:
GRANT MANAGE WAREHOUSES ON ACCOUNT TO APPLICATION hello_snowflake_app;
Grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database¶
Some applications might request that a consumer grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database in their account. This privilege can only be granted using SQL commands; it cannot be granted using Snowsight. If an application requires this privilege, the provider should communicate this requirement to the consumer, for example, in the README file of the application.
To grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database, run the following command:
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;
Note
The IMPORTED PRIVILEGES privilege allows the app to access information about usage and costs associated with the consumer account. A consumer should ensure that they want to share this information with the app before granting this privilege.
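The following is an added example, not from the Snowflake documentation, that strings the SQL commands from the sections above into the full consumer-side lifecycle for global privileges: inspect the request, grant only what was requested, audit what the app actually holds, and revoke it again. It uses the app name hello_snowflake_app from this page and assumes, for illustration, that the app requested EXECUTE TASK, CREATE WAREHOUSE and IMPORTED PRIVILEGES on the SNOWFLAKE database.

```sql
-- 1. List the privileges the app declared it needs. Grant nothing that does
--    not appear here; the list is the provider's request, not an entitlement.
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;

-- 2. Grant the requested account-level privileges individually, so each one
--    is a deliberate decision rather than a blanket approval.
GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;
GRANT CREATE WAREHOUSE ON ACCOUNT TO APPLICATION hello_snowflake_app;

-- 3. IMPORTED PRIVILEGES on SNOWFLAKE exposes account usage and cost data to
--    the app and can only be granted with SQL, not through Snowsight.
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;

-- 4. Audit what the application object now holds; compare it against step 1.
SHOW GRANTS TO APPLICATION hello_snowflake_app;

-- 5. Revoke a privilege when it is no longer needed. Revocation may cause
--    parts of the app to stop working, as noted above.
REVOKE EXECUTE TASK ON ACCOUNT FROM APPLICATION hello_snowflake_app;
REVOKE IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE FROM APPLICATION hello_snowflake_app;

-- 6. Confirm the revocation took effect.
SHOW GRANTS TO APPLICATION hello_snowflake_app;
```

Running steps 1 and 4 together gives a simple check that the app holds no more than it asked for, which is the condition a consumer wants to hold over the life of the installation, not only at install time.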