Grant restricted caller’s rights to an executable in an app

This topic describes how to grant restricted caller’s rights to an executable in an app.

About owner’s rights and restricted caller’s rights in an app

Within a Snowflake Native App, executables run with either owner’s rights or restricted caller’s rights. In the context of the Snowflake Native App Framework, the following types of executables are supported:

  • Stored procedures owned by the app

  • Services available in apps with containers

Owner’s rights:

Executables that use owner’s rights run with the privileges granted to the owner of the executable. By default, executables within an app use owner’s rights. In an app, the owner of the executable is the app itself.

Restricted caller’s rights:

Restricted caller’s rights allow an executable to run with caller’s rights, but restricts which of the caller’s privileges the executable runs with. With restricted caller’s rights, an executable owned by an app cannot run with a specific privilege unless an administrator in the consumer account explicitly allows it by using the GRANT CALLER command.

Privileges required to grant restricted caller’s rights to an app

To grant caller grants to an app as a consumer, you must use the ACCOUNTADMIN role or use a role that has the MANAGE CALLER GRANTS privilege. For more information, see GRANT CALLER.

Grant caller grants to an executable in an app using Snowsight

Using Snowsight, you can grant caller grants to an app on objects in the consumer account.

Note

To perform other tasks, including revoking caller grants from an app or granting caller’s right to a specific table, you must use the appropriate SQL commands.

  1. Sign in to Snowsight.

  2. In the navigation menu, select Data Products » Apps.

  3. Select an app.

  4. Click the Settings icon in the toolbar, then select the Privileges tab.

  5. If the app supports restricted caller’s rights, the Restricted caller’s rights section is displayed in the Privileges tab.

    Note

    You can only grant caller grants from Snowsight if the provider has configured the app to display the restricted caller’s rights UI.

  6. Click Add grants.

  7. Select an Access scope.

    This determines whether the caller’s rights apply to a schema, a database, or at the account level. You should select the option with the least amount of scope possible to avoid granting unnecessary rights to the app.

    Caution

    Use caution when selecting account level scope, which can grant caller’s rights to the app on all supported object types.

  8. If you selected schema or database scope, select the schema or database as required.

Note

You can select multiple schemas or databases. You can also select schemas in different databases.

  1. Click Next.

  2. Select the type of objects to which caller’s rights will be granted.

    Use search to find an object type. The list of object types depends on the scope you chose above.

    When you select an object type, the object’s entry in the list expands to available privileges for each object type.

  3. Select the privileges you want to grant.

    You can select multiple privileges for each object type. You can also select privileges for other object types.

    Note

    Snowflake automatically grants the USAGE privilege on any objects you select.

  4. Click Next.

  5. Select Grant summary to verify the scope, object types, and privileges that you select.

    Note

    Any objects of the selected type that are created in the future will be created with the same privileges using the scope and object types selected.

  6. Select SQL to view the GRANT CALLER commands the Snowsight will run.

    Note

    If required, you can copy these commands and run them manually in a worksheet.

  7. Click Save

The scope, objects, and privileges you selected are displayed in the Restricted caller’s rights section.

To modify the privileges you selected, click Edit and select or deselect privileges as required.

Grant caller grants to an executable in an app using SQL

When configuring an app that requests restricted caller’s rights, perform the following tasks to grant caller grants to the app:

  1. Check the listing of the app to verify if the provider has communicated that the app has RCR executables.

  2. Grant the caller grants as mentioned in the listing. The following example shows how to use the GRANT CALLER command to grant the SELECT privilege on all tables in a specific database and schema:

    GRANT CALLER USAGE ON DATABASE db1
  TO APPLICATION hello_snowflake_app;
GRANT CALLER USAGE ON SCHEMA db1.sch1
  TO APPLICATION hello_snowflake_app;
GRANT INHERITED CALLER SELECT ON ALL TABLES IN SCHEMA db.sch1
  TO APPLICATION hello_snowflake_app;
    Copy

    This command allows an executable with restricted caller’s rights to access run queries on all tables with the db.sch1 database and schema. In addition to granting the SELECT privilege on all tables, you must also grant USAGE on the database and schema.

Language: English