Privileges for Snowflake Data

This document explains how to create a Snowflake role for connecting Waii to your database. If you are using secure data sharing or pushing metadata to Waii via API, this guide does not apply to your setup.

Minimum-Privilege Role

At a minimum, Waii needs access to the database metadata for query generation. This includes:

  • Privileges to run queries against the information schema
  • Monitoring and usage privileges for your database and schema to access metadata and detect changes
  • Reference privileges to analyze the definitions of tables and views

These permissions do not grant access to the actual data. They allow Waii to perform basic schema and table selection as well as query generation. For most cases, we recommend additional privileges to improve query accuracy and enable more functionality.

For simplicity, the sample code below assumes you want to use all tables, views, and schemas in a specific database for query generation. You can always restrict this to a subset of tables if preferred.

To set up minimum privileges for connecting Waii to your Snowflake database, follow these steps:

  1. Create a Role and User:

    -- Dedicated role and user for the Waii connection; replace the placeholder password.
    CREATE ROLE waii_role;
    CREATE USER waii_user PASSWORD='your_password';
    GRANT ROLE waii_role TO USER waii_user;

  2. Grant Minimum Privileges:

    -- Warehouse to run the metadata queries on.
    GRANT USAGE ON WAREHOUSE your_warehouse TO ROLE waii_role;
    -- Monitoring and usage privileges to access metadata and detect changes.
    GRANT MONITOR ON ALL SCHEMAS IN DATABASE your_database TO ROLE waii_role;
    GRANT MONITOR ON DATABASE your_database TO ROLE waii_role;
    GRANT USAGE ON DATABASE your_database TO ROLE waii_role;
    -- REFERENCES exposes table and view definitions, not the data.
    GRANT REFERENCES ON ALL VIEWS IN DATABASE your_database TO ROLE waii_role;
    GRANT REFERENCES ON ALL TABLES IN DATABASE your_database TO ROLE waii_role;

To use Waii's Analyst Co-pilot application or APIs, or to allow users to execute queries in the query builder, Waii needs permission to run queries against the data. In these cases you need to add the following privileges as well.

Allowing read access to the data also enables Waii to analyze data for the following benefits:

  • Analyze categorical data to produce better search and filter conditions (e.g., where status = 'closed' or status = 'invalid')
  • Analyze variants and string fields with additional structure (e.g., identifying field names in a JSON field or recognizing the format of date strings)
  • Support detection of constraints, such as primary and foreign keys
  • Generate statistics for optimized queries

Note: The example below assumes you want to give Waii access to all columns. You can restrict this to a subset or use column masking to avoid direct access to sensitive data. Furthermore, you can give query access but stop Waii from collecting data from sensitive columns in the knowledge graph and from using these columns in LLM calls.

  1. Grant Recommended Privileges:

    GRANT SELECT ON ALL TABLES IN DATABASE your_database TO ROLE waii_role;
    GRANT SELECT ON ALL VIEWS IN DATABASE your_database TO ROLE waii_role;

Additional Privileges

Waii can analyze query history to extract information that enhances query generation accuracy. This includes identifying common join graphs, common expressions, frequently used tables, and other patterns, which inform and improve query generation.

In Snowflake, users always have access to their own query history, but giving Waii access to more of the history can be very beneficial.

  1. Grant Additional Privileges:

    GRANT MONITOR ON WAREHOUSE your_warehouse TO ROLE waii_role;
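To confirm that the role holds only the privileges described on this page, the following audit can be run in a Snowflake worksheet. It is an added example, not part of Waii's documentation; the tier labels are this example's own, and it assumes the role and user names (waii_role, waii_user) from the steps above.

```sql
-- Added example: audit the grants actually held by waii_role.
-- Run both statements back to back in one session so that
-- LAST_QUERY_ID() refers to the SHOW GRANTS statement.
SHOW GRANTS TO ROLE waii_role;

SELECT
    "privilege",
    "granted_on",
    "name",
    "grant_option",
    CASE
        -- Metadata-only privileges (Minimum-Privilege Role section).
        WHEN "granted_on" = 'WAREHOUSE' AND "privilege" = 'USAGE'
            THEN '1 minimum'
        WHEN "granted_on" IN ('DATABASE', 'SCHEMA')
             AND "privilege" IN ('USAGE', 'MONITOR')
            THEN '1 minimum'
        WHEN "granted_on" IN ('TABLE', 'VIEW') AND "privilege" = 'REFERENCES'
            THEN '1 minimum'
        -- Read access to the data itself (recommended privileges).
        WHEN "granted_on" IN ('TABLE', 'VIEW') AND "privilege" = 'SELECT'
            THEN '2 recommended (reads data)'
        -- Broader query-history visibility (additional privileges).
        WHEN "granted_on" = 'WAREHOUSE' AND "privilege" = 'MONITOR'
            THEN '3 additional (query history)'
        -- Anything else, including write privileges, OWNERSHIP, account-level
        -- grants, or another role granted to waii_role, needs a manual look.
        ELSE '9 UNEXPECTED - review'
    END AS tier
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
ORDER BY tier DESC, "granted_on", "name";

-- List every user or role that waii_role has been granted to.
-- Per the steps above, only waii_user should appear.
SHOW GRANTS OF ROLE waii_role;
```

Rows in the unexpected tier sort first. A row with "grant_option" set to true also deserves attention in any tier, since it lets the role pass that privilege on to other roles.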

Pushing Additional Information Via API

Some of this information (curated query history, schema of variants, categorical data) can also be pushed to Waii via API without needing to grant these additional privileges. Please contact the Waii team for details.