Configure user access

Use this guide to control who can use the RAI Native App. It covers standard Snowflake role grants, custom least-privilege role bundles, and delegated grant workflows.

Before you start, make sure that:

• The RAI Native App is installed in your Snowflake account.
• You can run SQL or Python in Snowflake.

How users access the RAI Native App

The RAI Native App uses Snowflake role-based access control (RBAC). The app exposes application roles that the Native App owner can grant to Snowflake database roles. Users then get access when an admin grants them one of those database roles.

Caution

Only users with OWNERSHIP privileges on the RAI Native App can grant app roles to Snowflake database roles. If you want other admins to manage app access without giving them ownership privileges, use the delegated access control workflow described in Delegate Access Control.

Grant access

Use the table below to choose the right level of access for your use case, then follow the steps to grant it in Snowflake SQL.

What to grant	When to grant it
Admin role	When someone needs broad administration of the native app and its managed resources.
Developer role	When someone needs standard developer workflows such as PyRel, reasoners, and data streams.
Custom role	When you need narrower access control than the standard admin or developer roles provide.

Grant admin access

1. Create the RAI_ADMIN database role if needed

   The RAI_ADMIN database role is typically created during app installation. Run this only when the role is missing.

   CREATE ROLE RAI_ADMIN;
   GRANT APPLICATION ROLE RELATIONALAI.ALL_ADMIN TO ROLE RAI_ADMIN;

   Note

   Creating the RAI_ADMIN role requires OWNERSHIP privileges on the RAI Native App because you must grant an application role from the native app. See the Delegate Access Control section for how to set up a delegated workflow that does not require app ownership.

2. Grant the database role to a user

   Once the role exists, grant it to the user:

   GRANT ROLE RAI_ADMIN TO USER <user_name>;

3. Verify the role assignment

   Confirm that the database role still includes the expected application role and that the user has the database role:

   SHOW GRANTS TO ROLE RAI_ADMIN;
   SHOW GRANTS TO USER <user_name>;

Grant developer access

1. Create the RAI_DEVELOPER database role if needed

   The RAI_DEVELOPER database role is typically created during app installation. Run this only when the role is missing.

   CREATE ROLE RAI_DEVELOPER;
   GRANT APPLICATION ROLE RELATIONALAI.RAI_USER TO ROLE RAI_DEVELOPER;

   Note

   Creating the RAI_DEVELOPER role requires OWNERSHIP privileges on the RAI Native App because you must grant an application role from the native app. See the Delegate Access Control section for how to set up a delegated workflow that does not require app ownership.

2. Grant the database role to a user

   Once the role exists, grant it to the user:

   GRANT ROLE RAI_DEVELOPER TO USER <user_name>;

3. Verify the role assignment

   Confirm that the database role still includes the expected application role and that the user has the database role:

   SHOW GRANTS TO ROLE RAI_DEVELOPER;
   SHOW GRANTS TO USER <user_name>;

Build a custom user role

Use this workflow when RAI_ADMIN is too broad and RAI_DEVELOPER does not match the workflow. This lets you create a database role that bundles only the application roles the user needs.

1. Create a new database role

   Create the Snowflake database role that you want users to receive:

   CREATE ROLE MY_CUSTOM_ROLE;

2. Grant application roles to the database role

   Choose the application roles that match the user’s workflow from the reference in All available application roles, then grant them to the new database role:

   GRANT APPLICATION ROLE RELATIONALAI.<application_role_name> TO ROLE MY_CUSTOM_ROLE;

3. Grant the database role to a user

   Once the custom role contains the right application roles, grant it to the target user:

   GRANT ROLE MY_CUSTOM_ROLE TO USER <user_name>;

4. Verify the role assignment

   Inspect the role grants to confirm that the custom role includes the expected application roles and that the user now has the database role:

   SHOW GRANTS TO ROLE MY_CUSTOM_ROLE;
   SHOW GRANTS TO USER <user_name>;

Revoke access

Use the table below to choose the workflow you need for revoking access, then follow the steps to revoke it in Snowflake SQL.

What to use	When to use it
Revoke access for a user	Use this when a specific user should no longer receive access through a Snowflake database role such as RAI_ADMIN, RAI_DEVELOPER, or a custom role.
Revoke access for a database role	Use this when a database role should no longer include one or more RAI application roles.

Revoke access for a user

Use this workflow when a user should no longer receive access through a specific Snowflake database role. This follows standard Snowflake role management and removes the user’s access path through that role.

1. Choose the database role to remove

   Identify the Snowflake database role that currently gives the user access, such as RAI_ADMIN, RAI_DEVELOPER, or a custom role.

2. Revoke the database role from the user

   Remove the Snowflake database role from the user:

   REVOKE ROLE <role_name> FROM USER <user_name>;

3. Verify the role assignment was removed

   Inspect the user’s grants in Snowflake to confirm that the database role is no longer present:

   SHOW GRANTS TO USER <user_name>;

Revoke access for a database role

Requires RAI Native App ownership privileges.

Use this workflow when a custom Snowflake database role should no longer include one of its RAI application roles. This changes what that database role can do in the native app without deleting the Snowflake role itself.

1. Choose the application role to remove

   Inspect the database role’s current grants so you can see which RAI application roles it already includes:

   SHOW GRANTS TO ROLE <role_name>;

   Use that output together with the reference in All available application roles to decide which application role to remove.

2. Revoke the application role from the database role

   Remove the application role from the Snowflake database role:

   REVOKE APPLICATION ROLE relationalai.<app_role_name> FROM ROLE <role_name>;

3. Verify the role assignment was removed

   Inspect the database role’s grants in Snowflake to confirm that the application role is no longer present:

   SHOW GRANTS TO ROLE <role_name>;

Delegate Access Control

Requires OWNERSHIP privileges on the RAI Native App.

If you are an owner of the RAI Native App but want to delegate some access control tasks to another admin, you can create stored procedures that run with EXECUTE AS OWNER privileges to manage application role grants. Then, you can grant that admin permission to execute those procedures without giving them broader ownership privileges on the native app.

Create a procedure for granting application roles

1. Create the grant procedure

   Create a stored procedure that grants an RAI application role to a Snowflake database role:

   CREATE PROCEDURE GRANT_RAI_APP_ROLE(app_role STRING, target_role STRING)
   RETURNS TABLE(STRING)
   LANGUAGE SQL
   EXECUTE AS OWNER
   AS
   BEGIN
       LET qualified_app_role STRING := 'relationalai.' || :app_role;
       LET query STRING := 'GRANT APPLICATION ROLE IDENTIFIER(?) TO ROLE IDENTIFIER(?)';
       LET rs RESULTSET := (EXECUTE IMMEDIATE :query USING (qualified_app_role, target_role));
       RETURN TABLE(rs);
   END;

2. Grant execute access to the delegated admin role

   Grant the delegated Snowflake database role permission to run the procedure:

   GRANT EXECUTE ON PROCEDURE GRANT_RAI_APP_ROLE(STRING, STRING) TO ROLE ACCOUNTADMIN;

3. Verify the delegation

   Inspect the procedure grants to confirm that the delegated role can execute it:

   SHOW GRANTS ON PROCEDURE GRANT_RAI_APP_ROLE(STRING, STRING);

Create a procedure for revoking application roles

1. Create the revoke procedure

   Create a stored procedure that revokes an RAI application role from a Snowflake database role:

   CREATE PROCEDURE REVOKE_RAI_APP_ROLE(app_role STRING, target_role STRING)
   RETURNS TABLE(STRING)
   LANGUAGE SQL
   EXECUTE AS OWNER
   AS
   BEGIN
       LET qualified_app_role STRING := 'relationalai.' || :app_role;
       LET query STRING := 'REVOKE APPLICATION ROLE IDENTIFIER(?) FROM ROLE IDENTIFIER(?)';
       LET rs RESULTSET := (EXECUTE IMMEDIATE :query USING (qualified_app_role, target_role));
       RETURN TABLE(rs);
   END;

2. Grant execute access to the delegated admin role

   Grant the delegated Snowflake database role permission to run the procedure:

   GRANT EXECUTE ON PROCEDURE REVOKE_RAI_APP_ROLE(STRING, STRING) TO ROLE ACCOUNTADMIN;

3. Verify the delegation

   Inspect the procedure grants to confirm that the delegated role can execute it:

   SHOW GRANTS ON PROCEDURE REVOKE_RAI_APP_ROLE(STRING, STRING);

All available application roles

The following application roles are available in the RAI Native App.

Integrated roles

These roles combine multiple service and resource roles into roles for common access patterns.

Application Role	Description
rai_user	The minimum set of service and resource roles required to run PyRel semantic models using the RAI Python API. Includes the app_user: Can use the RAI Native App. eng_user: Can use RAI reasoners. eng_admin: Can create and delete RAI reasoners. cdc_admin: Can create, delete, and manage data streams.
all_admin	Enables management of all app resources and the RAI SPCS service. Includes all application roles. Recommended for users who need full permissions for the RAI Native App.

Service roles

Service roles provide access to the RAI Native App, its logs, and billing information.

Application Role	Description
app_user	Enables usage of the RAI Native App.
app_admin	Enables management of the app and the RAI SPCS service. Includes the app_user role.
billing_admin	Enables access to billing and consumption data tracked by the app. Includes the app_user role.
sensitive_logs	Enables access to sensitive logs. Includes the app_user role.

Resource roles

Resource roles provide access to all of the RAI Native App’s resources.

Application Role	Description
all_resource_admin	Enables management of all app resources. Includes the cdc_admin and eng_admin roles. Recommended for users who need full permissions for application resources.
cdc_admin	Enables management of the CDC Service and creating/deleting data streams. Includes the app_user role.
eng_admin	Enables creating and deleting reasoners. Includes the app_user and eng_user roles.
eng_user	Enables viewing and using RAI reasoners. Includes the app_user role.

Observability roles

These roles provide access to the RAI Native App’s observability features.

Application Role	Description
observability_viewer	Enables read-only access to the app’s observability views for monitoring reasoner usage. Includes the app_user role.
observability_admin	Enables observability setup and management, such as registering or unregistering the events view. Includes the observability_viewer role.