User Access
Access to the RelationalAI (RAI) Native App is managed through Snowflake’s role-based access control system. Two database roles that encompass the most common access patterns are created when you install the RAI Native App: one for administrators and one for developers. The app also provides a set of application roles that can be used to create custom database roles for more granular access control.
The rai_admin Database Role
When you install the RAI Native App using the installation notebook, a rai_admin database role is created with full admin access to the app.
This role can be granted to any user who needs to manage the app and its resources:
SQL:
-- Grant the rai_admin role to a user.
GRANT ROLE rai_admin TO USER <user_name>;
Python:
import relationalai as rai
# Get a Provider instance.
app = rai.Provider()
# Grant the rai_admin role to a user.
app.sql("GRANT ROLE rai_admin TO USER <user_name>")
If the rai_admin role is missing or needs to be recreated, you can run the following SQL or Python to create it:
SQL:
-- Create the rai_admin role.
CREATE ROLE rai_admin;
-- Grant the `all_admin` application role to the rai_admin role.
GRANT APPLICATION ROLE relationalai.all_admin TO ROLE rai_admin;
Python:
import relationalai as rai
# Get a Provider instance.
app = rai.Provider()
# Create the rai_admin role and grant it the `all_admin` application role.
app.sql("""
BEGIN
-- Create the rai_admin role.
CREATE ROLE rai_admin;
-- Grant the `all_admin` application role to the rai_admin role.
GRANT APPLICATION ROLE relationalai.all_admin TO ROLE rai_admin;
END;
""")
Only the RAI Native App owner can directly grant application roles to database roles. However, access control can be delegated to non-owners through stored procedures. See Delegate Access Control for more information.
The rai_developer Database Role
The rai_developer database role is created when you install the RAI Native App using the installation notebook.
This role is intended for users who need to develop and test RAI models and applications using the RAI Python API.
A user with this role can:
- Use the RAI Native App.
- Create, use, and delete RAI engines.
- Create, manage, and delete data streams.
- Enable and disable the CDC Service.
To grant the rai_developer role to a user, use the following SQL or Python:
SQL:
-- Grant the rai_developer role to a user.
GRANT ROLE rai_developer TO USER <user_name>;
Python:
import relationalai as rai
# Get a Provider instance.
app = rai.Provider()
# Grant the rai_developer role to a user.
app.sql("GRANT ROLE rai_developer TO USER <user_name>")
If the rai_developer role is missing or needs to be recreated, you can run the following SQL or Python to create it:
SQL:
-- Create the rai_developer role.
CREATE ROLE rai_developer;
-- Grant the `rai_user` application role to the rai_developer role.
GRANT APPLICATION ROLE relationalai.rai_user TO ROLE rai_developer;
Python:
import relationalai as rai
# Get a Provider instance.
app = rai.Provider()
# Create the rai_developer role and grant it the `rai_user` application role.
app.sql("""
BEGIN
-- Create the rai_developer role.
CREATE ROLE rai_developer;
-- Grant the `rai_user` application role to the rai_developer role.
GRANT APPLICATION ROLE relationalai.rai_user TO ROLE rai_developer;
END;
""")
Only the RAI Native App owner can directly grant application roles to database roles. However, access control can be delegated to non-owners through stored procedures. See Delegate Access Control for more information.
Application Roles
Application roles can be used to create custom database roles for granular access control to the RAI Native App.
List of Application Roles
The following application roles are available in the RAI Native App.
Service Roles
Service roles provide access to the RAI Native App, its logs, and billing information.
Application Role | Description |
---|---|
app_user | Enables usage of the RAI Native App. |
app_admin | Enables management of the app and the RAI SPCS service. Includes the app_user role. |
billing_admin | Enables access to billing and consumption data tracked by the app. Includes the app_user role. |
sensitive_logs | Enables access to sensitive logs. Includes the app_user role. |
Resource Roles
Resource roles provide access to all of the RAI Native App’s resources.
Application Role | Description |
---|---|
all_resource_admin | Enables management of all app resources. Includes the cdc_admin and eng_admin roles. Recommended for users who need full permissions for application resources. |
cdc_admin | Enables management of the CDC Service and creating/deleting data streams. Includes the app_user role. |
eng_admin | Enables creating and deleting engines. Includes the app_user and eng_user roles. |
eng_user | Enables viewing and using RAI engines. Includes the app_user role. |
Integrated Roles
These roles combine multiple service and resource roles into roles for common access patterns.
Application Role | Description |
---|---|
rai_user | The minimum set of service and resource roles required to run RAI models using the RAI Python API. Includes the |
all_admin | Enables management of all app resources and the RAI SPCS service. Includes all application roles. Recommended for users who need full permissions for the RAI Native App. |
Grant Application Roles
Requires RAI Native App ownership privileges.
Application roles may be granted by the RAI Native App owner to Snowflake database roles using the GRANT APPLICATION ROLE SQL command.
These database roles can then be assigned to users in order to grant them access to the RAI Native App:
SQL:
-- Grant a RAI application role to a Snowflake database role.
GRANT APPLICATION ROLE relationalai.<app_role_name> TO ROLE <database_role_name>;
-- Grant the database role to a user.
GRANT ROLE <database_role_name> TO USER <user_name>;
Python:
import relationalai as rai
# Get a Provider instance.
app = rai.Provider()
# Grant a RAI application role to a Snowflake database role,
# then grant that database role to a user.
app.sql("""
BEGIN
GRANT APPLICATION ROLE relationalai.<app_role_name> TO ROLE <database_role_name>;
GRANT ROLE <database_role_name> TO USER <user_name>;
END;
""")
Only the RAI Native App owner can directly grant application roles to database roles. However, access control can be delegated to non-owners through stored procedures. See Delegate Access Control for more information.
Revoke Application Roles
Requires RAI Native App ownership privileges.
Application roles may be revoked from Snowflake database roles by the RAI Native App owner using the REVOKE APPLICATION ROLE SQL command.
Only the RAI Native App owner can directly revoke application roles from database roles. However, access control can be delegated to non-owners through stored procedures. See Delegate Access Control for more information.
SQL:
-- Revoke a RAI application role from a Snowflake database role.
REVOKE APPLICATION ROLE relationalai.<app_role_name> FROM ROLE <database_role_name>;
Python:
import relationalai as rai
# Get a Provider instance.
app = rai.Provider()
# Revoke the `all_admin` role from the ACCOUNTADMIN database role.
app.sql("REVOKE APPLICATION ROLE relationalai.all_admin FROM ROLE ACCOUNTADMIN")
Delegate Access Control
Requires RAI Native App ownership privileges.
App owners may delegate user access management to other users by granting them access to stored procedures that grant and revoke application roles.
For example, the following creates a stored procedure that grants a RAI application role to a Snowflake database role and grants access to the procedure to the ACCOUNTADMIN database role:
-- Create a stored procedure for granting RAI application roles.
CREATE PROCEDURE GRANT_RAI_APP_ROLE(app_role STRING, target_role STRING)
RETURNS TABLE(STRING)
LANGUAGE SQL
EXECUTE AS OWNER
AS
BEGIN
LET qualified_app_role STRING := 'relationalai.' || :app_role;
LET query STRING := 'GRANT APPLICATION ROLE IDENTIFIER(?) TO ROLE IDENTIFIER(?)';
LET rs RESULTSET := (EXECUTE IMMEDIATE :query USING (qualified_app_role, target_role));
RETURN TABLE(rs);
END;
-- Grant access to the GRANT_RAI_APP_ROLE procedure to the ACCOUNTADMIN database role.
GRANT EXECUTE ON PROCEDURE GRANT_RAI_APP_ROLE TO ROLE ACCOUNTADMIN;
Use a similar delegation pattern for revoking access to application roles.
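The application-role tables above define roles by inclusion, and the delegation procedure takes role names as strings. The following Python is added here and is not part of the RelationalAI docs or client library: it models that inclusion graph to compute the effective roles behind a grant, picks the least-privilege role for a required set, and builds an allowlisted CALL to the GRANT_RAI_APP_ROLE procedure from the example above. The identifier check, the handling of `rai_user` (whose inclusion list is truncated on this page) and the `CALL` wrapper are assumptions; the resulting statement would be run through `Provider.sql()` as elsewhere on this page.

```python
import re
from typing import Dict, FrozenSet, Set

# "Includes" relationships as listed in the application-role tables on this page.
# rai_user is not in the graph (its inclusion list is truncated on the page).
INCLUDES: Dict[str, Set[str]] = {
    "app_user": set(),
    "app_admin": {"app_user"},
    "billing_admin": {"app_user"},
    "sensitive_logs": {"app_user"},
    "cdc_admin": {"app_user"},
    "eng_user": {"app_user"},
    "eng_admin": {"app_user", "eng_user"},
    "all_resource_admin": {"cdc_admin", "eng_admin"},
}
INCLUDES["all_admin"] = set(INCLUDES)  # all_admin includes every other role
APP_ROLES = set(INCLUDES) | {"rai_user"}  # roles a delegate may hand out
# Conservative shape check for an unquoted Snowflake identifier (assumption).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def effective_roles(app_role: str) -> FrozenSet[str]:
    """Transitive closure of 'Includes' starting at app_role."""
    seen: Set[str] = set()
    stack = [app_role]
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INCLUDES[role])  # KeyError for roles not in the graph
    return frozenset(seen)


def excess_roles(granted: str, needed: Set[str]) -> FrozenSet[str]:
    """Application roles a grant confers beyond what the user actually needs."""
    return effective_roles(granted) - needed


def least_privilege_role(needed: Set[str]) -> str:
    """Single application role that covers `needed` with the fewest extras."""
    candidates = [r for r in INCLUDES if needed <= effective_roles(r)]
    return min(candidates, key=lambda r: (len(effective_roles(r)), r))


def delegated_grant_call(app_role: str, target_role: str) -> str:
    """CALL for the page's GRANT_RAI_APP_ROLE procedure: app role allowlisted,
    target database role restricted to a plain identifier."""
    if app_role not in APP_ROLES:
        raise ValueError(f"unknown RAI application role: {app_role}")
    if not IDENT_RE.match(target_role):
        raise ValueError(f"target role must be a plain identifier: {target_role}")
    return f"CALL GRANT_RAI_APP_ROLE('{app_role}', '{target_role}')"
```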