Granting Privileges Required by an Application

This topic describes how a consumer can grant privileges requested by an application that allow the application to perform tasks and access objects outside of the application.

About the Privileges and References Requested by an Application

In a simple application, all of the objects required by the application are created inside the application by the setup script that runs when the application is installed. Because every object the application needs is created in and accessed within the installed application, you do not need to grant any privileges to the application.

Some applications created using the Native Apps Framework might need to create objects or access existing objects in your account outside the context of the installed application.

Those applications request access to create or access objects outside the application context; if you want to allow the application to do so, you approve the application's request.

There are two types of access that an application can request:

  • Privileges that allow the application to perform some task. An application can request the following global privileges:

    • EXECUTE TASK

    • EXECUTE MANAGED TASK

    • CREATE WAREHOUSE

    • MANAGE WAREHOUSES

    • CREATE DATABASE

    Some applications may also request the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database. Refer to Granting the IMPORTED PRIVILEGES Privilege on the SNOWFLAKE Database for details.

  • References that allow the application to access objects that already exist in the consumer account and are outside the application. The provider defines the references required by the application. After installing the application, you associate an object and grant the corresponding privileges to the application.

    An application can request access to the following types of objects and their corresponding privileges:

    Object Type        Privileges Allowed

    TABLE              SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES
    VIEW               SELECT, REFERENCES
    EXTERNAL TABLE     SELECT, REFERENCES
    FUNCTION           USAGE
    PROCEDURE          USAGE
    WAREHOUSE          MODIFY, MONITOR, USAGE, OPERATE
    API INTEGRATION    USAGE

You can approve these requests using Snowsight or by running SQL commands as described in the following sections.

Note

If you do not grant the requested privileges or associate references to the application, the application may not work.

Managing Access Requests using Snowsight

For some applications, you can view and grant account-level privileges and manage access to specific application objects using Snowsight.

Granting Global Privileges

To grant privileges or create references after installing an application, do the following:

  1. Sign in to Snowsight.

  2. In the left navigation bar, select Apps.

  3. Select the application.

  4. Select the Security icon in the toolbar.

    The account-level privileges requested by the application appear under Account-level privileges.

  5. In the Account-level privileges section, select Review, and then toggle the slider for each privilege that you want to grant.

  6. Select Save.

Manage Access to Specific Objects

If your application provider has implemented a user interface, you can use Snowsight to associate specific objects in your account and their required privileges to the application.

To grant privileges to specific objects:

  1. Sign in to Snowsight.

  2. In the left navigation bar, select Apps.

  3. Select the application.

  4. Select the Security icon in the toolbar.

  5. In the Privileges to objects section, select Add next to the object you want to approve.

  6. Select Select Data and choose the data product to which you want to provide access.

  7. Select Done.

Revoking Privileges and Access to Objects

To revoke privileges or remove access to objects for the application, do the following:

  1. Sign in to Snowsight.

  2. In the left navigation bar, select Apps.

  3. Select the application.

  4. Select the Security icon in the toolbar.

    • To revoke an account-level privilege, select the Edit button, then toggle the slider for the privilege you want to revoke.

    • To revoke access to a specific object, select the Delete button, then select Revoke Privilege.

Note

Revoking privileges or removing access to objects can cause the application to become unstable or stop working.

Managing Access Requests using SQL Commands

If your application provider does not implement an interface for granting privileges, you must manage access requests for the application using SQL commands.

Viewing the Privileges Requested by an Application

When a provider specifies the privileges required by the application, the privilege request is included as part of the installed application. You can view these privileges after installing the application.

To view the privileges required by an application, run the SHOW PRIVILEGES command as shown in the following example:

SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;

Granting Privileges on an Application

After you determine the privileges required by an application, you must grant those privileges for the application to work.

For example, to grant the EXECUTE TASK privilege to an application, run a GRANT command as shown in the following example:

GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;

Granting the MANAGE WAREHOUSES Privilege to an Application

The MANAGE WAREHOUSES privilege allows an application to create, modify, and use warehouses within a consumer account. To grant the MANAGE WAREHOUSES privilege to an application, use the GRANT command as shown in the following example:

GRANT MANAGE WAREHOUSES ON ACCOUNT TO APPLICATION hello_snowflake_app;

Granting the IMPORTED PRIVILEGES Privilege on the SNOWFLAKE Database

Some applications may request that you grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database in your account. This privilege can only be granted using SQL commands. It cannot be granted using Snowsight. If an application requires this privilege, the provider should communicate this in the readme file of the application.

To grant the IMPORTED PRIVILEGES privilege on the SNOWFLAKE database, run the following command:

GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO APPLICATION hello_snowflake_app;

Note

Granting IMPORTED PRIVILEGES allows the application to access information about usage and costs associated with your account. You should ensure that you want to share this information with the application before granting this privilege.

Viewing the References Defined in an Application

When a provider defines the references to objects required by the application, the references are included as part of the installed application. You can view the references after installing the application.

To view the references defined for an application, run the SHOW REFERENCES command as shown in the following example:

SHOW REFERENCES IN APPLICATION hello_snowflake_app;

Getting the Reference Identifier

After reviewing the references requested by the application, obtain the identifier of a reference by running the SYSTEM$REFERENCE system function. You then pass the returned value to the callback stored procedure that the provider includes in the application to handle that reference.

To get the reference identifier, run the SYSTEM$REFERENCE system function as shown in the following example:

SELECT SYSTEM$REFERENCE('table', 'db1.schema1.tab1', 'persistent', 'select', 'insert');

This command returns an identifier for the reference that you must use to associate the reference to the application.

Associating the Reference to the Application

To associate a reference to an application, you must pass the identifier returned by SYSTEM$REFERENCE to a callback stored procedure. A callback procedure is a stored procedure that handles associating an object in your account, specified by the identifier, to the application. The application must include a callback stored procedure for each reference requested.

Note

A provider may include different functions or stored procedures to handle associating the references required by an application. These should be specified in the readme file of the application.

To use a callback procedure, run the following command:

CALL app.config.register_callback('enrichment_table',
  SYSTEM$REFERENCE('table', 'db1.schema1.tab1', 'persistent', 'select', 'insert'),
  'SET', null);

In this example, the SYSTEM$REFERENCE system function returns the identifier of the reference, and that value is passed to the register_callback stored procedure, which binds the table to the enrichment_table reference.
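The SQL workflow of this section carried through end to end, as an added example that is not part of the original page. It reuses the page's sample names (hello_snowflake_app, app.config.register_callback, enrichment_table, db1.schema1.tab1) and adds SHOW GRANTS TO APPLICATION and REVOKE ... FROM APPLICATION, standard Snowflake commands that the page does not show.

```sql
-- Added example (not from the original page): consumer-side review-then-grant
-- sequence for an installed Native App. Object and callback names are the page's
-- sample names; which privileges the app really needs is assumed for illustration.

-- 1. Review what the application asks for before granting anything. Compare the
--    output with the application's readme; an unexplained request for a broad
--    privilege such as CREATE DATABASE is a reason to ask the provider first.
SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;
SHOW REFERENCES IN APPLICATION hello_snowflake_app;

-- 2. Grant only the account-level privilege the application actually needs
--    (here EXECUTE TASK). Each privilege is granted ON ACCOUNT TO APPLICATION.
GRANT EXECUTE TASK ON ACCOUNT TO APPLICATION hello_snowflake_app;

-- 3. Bind the requested table reference. Pass exactly the privileges the
--    reference declares in the SHOW REFERENCES output (select and insert here);
--    do not add privileges the reference does not ask for.
CALL app.config.register_callback('enrichment_table',
  SYSTEM$REFERENCE('table', 'db1.schema1.tab1', 'persistent', 'select', 'insert'),
  'SET', null);

-- 4. Verify: the reference should now show as bound, and the grants listed for
--    the application should contain only what you intended to give it.
SHOW REFERENCES IN APPLICATION hello_snowflake_app;
SHOW GRANTS TO APPLICATION hello_snowflake_app;

-- 5. SQL counterpart of the Snowsight revoke action, for when the privilege is
--    no longer needed (expect the application to stop working if it relied on it).
REVOKE EXECUTE TASK ON ACCOUNT FROM APPLICATION hello_snowflake_app;
```

Run the script with a role that owns the target table and holds the account-level privilege being granted; the callback name and argument order come from the provider's readme and may differ between applications.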