Requesting Privileges in a Consumer Account

This topic provides general information about how providers can request privileges after a consumer installs a Snowflake Native App.

About Privileges and References in a Snowflake Native App

In a simple Snowflake Native App, all of the required objects are created inside the APPLICATION object when the setup script runs during installation. In this context, all of the objects required by a Snowflake Native App are created and accessible within the installed app. The consumer is not required to grant any privileges to the Snowflake Native App. All of the necessary privileges are managed using application roles.

However, a more complex Snowflake Native App might need to create new objects or access existing objects in the consumer account that are outside the APPLICATION object that is created in the consumer account. In these contexts, the consumer must grant the privileges required to create or access these objects.

The Snowflake Native App Framework allows providers to do the following:

  • Check for account-level privileges in the consumer account.

  • Request account-level privileges to perform tasks, for example creating a database.

  • Request object-level privileges using references.

Providers can design a Snowflake Native App to request access to a consumer account by requesting the following:

Global privileges

Include privileges that allow the Snowflake Native App to perform tasks in the consumer account. Refer to Privileges the Provider Can Request from the Consumer for details.

References

Allow the Snowflake Native App to access objects that already exist in the consumer account but are not within the APPLICATION object. A provider defines the references required by the Snowflake Native App. After the app is installed, the consumer associates an object in their account with the app by providing the name and schema of the required object.

References allow the provider to write code using a logical name for an object, which makes it easier to write code without keeping track of the name of the object and its parent schema or database.

How a Consumer Grants Access to a Snowflake Native App

For each check or request that a Snowflake Native App performs, a consumer must grant the required privileges to allow the app to perform these actions. There are two ways a consumer can grant these privileges to a Snowflake Native App:

  • The provider uses an SDK provided by the Snowflake Native App Framework to create a user interface as a Streamlit app. The Streamlit app allows the consumer to grant the required privileges in Snowsight. This approach requires the provider to perform additional work to implement the interface but it streamlines the consumer experience.

  • The provider asks the consumer to manually run the SQL commands to grant the required privileges after installing the Snowflake Native App. This approach requires the provider to notify the consumer what GRANT <privileges> statements they must run.

    The Snowflake Native App might not work until the consumer runs the SQL commands. This approach requires additional communication between the provider and consumer.
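The manual path described above could look like the following from the consumer side. This is an added example, not taken from the original page: the app name `my_native_app`, the table `sales_db.public.orders`, the reference name `consumer_table`, and the callback procedure `config.register_reference` are assumptions that stand in for whatever the provider documents.

```sql
-- Constructed example. Run in the consumer account with a role that holds
-- the privileges being granted.

-- 1. Grant only the account-level privilege the provider asked for.
GRANT CREATE DATABASE ON ACCOUNT TO APPLICATION my_native_app;

-- 2. Bind a reference so the app can read one existing table.
--    SYSTEM$REFERENCE scopes access to the named object and privilege;
--    the callback procedure name and signature are defined by the provider
--    (hypothetical here).
CALL my_native_app.config.register_reference(
  'consumer_table',   -- logical reference name used in the provider's code
  'ADD',
  SYSTEM$REFERENCE('TABLE', 'sales_db.public.orders', 'PERSISTENT', 'SELECT')
);

-- 3. Audit what the app now holds, and compare it with what was requested.
SHOW GRANTS TO APPLICATION my_native_app;
SHOW REFERENCES IN APPLICATION my_native_app;

-- 4. Withdraw an account-level privilege that is no longer needed.
REVOKE CREATE DATABASE ON ACCOUNT FROM APPLICATION my_native_app;
```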