Setting up Document AI

This topic describes setting up Document AI, including granting the necessary roles and privileges.

To work with Document AI:

Document AI access control

To provide a user full access to Document AI, you must do all of the following:

  • Grant the SNOWFLAKE.DOCUMENT_INTELLIGENCE_CREATOR database role to an account role, and then grant the account role to users.

  • Grant the privileges to prepare a Document AI model build.

  • Grant the privileges to create processing pipelines and extract information using Document AI.

To learn more about the Snowflake privilege model, see Overview of Access Control and Access control privileges.

The SNOWFLAKE.DOCUMENT_INTELLIGENCE_CREATOR database role enables creating Document AI model builds, working on Document AI models, and using SQL to extract information and work on document processing pipelines.

Note

Using the ACCOUNTADMIN role is not enough to have access to Document AI. You must grant the SNOWFLAKE.DOCUMENT_INTELLIGENCE_CREATOR database role and the required privileges to your account role.

For example, you can create doc_ai_role account role and grant the SNOWFLAKE.DOCUMENT_INTELLIGENCE_CREATOR database role to the doc_ai_role role, or you can use an existing account role.

Privileges to prepare a Document AI model build

To create a Document AI build, upload the documents, and test and evaluate the model, you must use a role that has the following privileges:

Privilege

Object

USAGE

Database that you plan to use with Document AI

USAGE

Warehouse that you plan to use with Document AI

OPERATE

Warehouse that you plan to use with Document AI

GRANT CREATE SNOWFLAKE.ML.DOCUMENT_INTELLIGENCE

Schema that you plan to use with Document AI

USAGE

Schema that you plan to use with Document AI

Privileges to create processing pipelines and extract information using Document AI

To create processing pipelines and extract information using Document AI, you must use a role that has all the privileges required to prepare a Document AI build, listed above, and also the following privileges:

Privilege

Object

CREATE STAGE

Schema that you plan to use with Document AI

CREATE STREAM

Schema that you plan to use with Document AI

CREATE TABLE

Schema that you plan to use with Document AI

CREATE TASK

Schema that you plan to use with Document AI

CREATE VIEW

Schema that you plan to use with Document AI

EXECUTE TASK

Account that you plan to use to create processing pipelines using tasks

Grant the required roles and privileges to Document AI users

The following example describes granting all the roles and privileges required to work with Document AI.

Note

Before you grant the required roles and privileges, confirm that a warehouse, database, and schema for Document AI are prepared.

To create the doc_ai_role role and grant the SNOWFLAKE.DOCUMENT_INTELLIGENCE_CREATOR database role to this role, run the following commands:

USE ROLE ACCOUNTADMIN;

CREATE ROLE doc_ai_role;
GRANT DATABASE ROLE SNOWFLAKE.DOCUMENT_INTELLIGENCE_CREATOR TO ROLE doc_ai_role;
Copy

To create a database, a schema, and an X-Small warehouse to use with Document AI, run the following commands:

CREATE DATABASE doc_ai_db;
CREATE SCHEMA doc_ai_db.doc_ai_schema;
CREATE WAREHOUSE doc_ai_wh;
Copy

To grant warehouse usage and operating privileges to the doc_ai_role role, run the following commands:

GRANT USAGE, OPERATE ON WAREHOUSE doc_ai_wh TO ROLE doc_ai_role;
Copy

To ensure that the doc_ai_role role can use the database and the schema, run the following commands:

GRANT USAGE ON DATABASE doc_ai_db TO ROLE doc_ai_role;
GRANT USAGE ON SCHEMA doc_ai_db.doc_ai_schema TO ROLE doc_ai_role;
Copy

To ensure that the doc_ai_role role can create a stage to store the documents for extraction, run the following commands:

GRANT CREATE STAGE ON SCHEMA doc_ai_db.doc_ai_schema TO ROLE doc_ai_role;
Copy

To ensure that the doc_ai_role role can create model builds (instances of the DOCUMENT_INTELLIGENCE class), run the following command:

GRANT CREATE SNOWFLAKE.ML.DOCUMENT_INTELLIGENCE ON SCHEMA doc_ai_db.doc_ai_schema TO ROLE doc_ai_role;
Copy

To ensure that the doc_ai_role role can create processing pipelines, run the following commands:

GRANT CREATE STREAM, CREATE TABLE, CREATE TASK, CREATE VIEW ON SCHEMA doc_ai_db.doc_ai_schema TO ROLE doc_ai_role;
GRANT EXECUTE TASK ON ACCOUNT TO ROLE doc_ai_role;
Copy

To grant the doc_ai_role role to the doc_ai_user user, run the following command:

GRANT ROLE doc_ai_role TO USER doc_ai_user;
Copy