Grant Snowflake permissions (Private Preview)
Once you've enabled Context Engineering Studio, you need to grant the Atlan service account the Snowflake permissions required to connect, deploy semantic views, and execute queries on your behalf. You only need to complete this step once per Snowflake account. Subsequent context repositories on the same account don't require additional grants.
Prerequisites
Before you begin, make sure:
- You have ACCOUNTADMIN access in Snowflake. Most grants on this page require it.
- You have the Atlan service role name. Contact your Atlan representative if you are unsure; applying grants to the wrong role is the most common setup mistake.
- You have identified the target database and schema where semantic views are deployed, and the source schemas where your data tables live. These are often different.
- Permissions may already be applied. Run SHOW GRANTS TO ROLE <atlan_role>; in Snowflake. If CREATE SEMANTIC VIEW, CORTEX_USER, USAGE ON WAREHOUSE, and REFERENCES on semantic views are listed, skip this guide and go to Build.
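The SHOW GRANTS check from the last prerequisite can be run as a query over its own output, which also shows whether the role holds more than this guide grants. This is an added example, not part of Atlan's documentation; the output column aliases are hypothetical names chosen here, and the way database roles appear in the "name" column is an assumption noted in the code.

```sql
-- Added example, not Atlan's own script. <atlan_role> is the page's placeholder.
-- Run both statements back to back in one session so LAST_QUERY_ID()
-- refers to the SHOW GRANTS statement.
SHOW GRANTS TO ROLE <atlan_role>;

-- SHOW output columns are lowercase, so they must be double-quoted.
WITH g AS (
    SELECT "privilege"   AS privilege,
           "granted_on"  AS granted_on,
           UPPER("name") AS name
    FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
)
SELECT
    -- The four items the prerequisite says to look for.
    COUNT_IF(privilege = 'CREATE SEMANTIC VIEW') > 0 AS has_create_semantic_view,
    COUNT_IF(privilege = 'USAGE' AND granted_on = 'WAREHOUSE') > 0 AS has_warehouse_usage,
    COUNT_IF(privilege = 'REFERENCES') > 0 AS has_references,
    -- Assumption: database roles are listed under their qualified name.
    COUNT_IF(privilege = 'USAGE'
             AND name IN ('SNOWFLAKE.CORTEX_USER',
                          'SNOWFLAKE.CORTEX_ANALYST_USER')) > 0 AS has_cortex_role,
    -- True when the broader role is granted; CES only requires Cortex Analyst.
    COUNT_IF(privilege = 'USAGE'
             AND name = 'SNOWFLAKE.CORTEX_USER') > 0 AS cortex_broader_than_required,
    -- Any privilege type this guide never grants, listed for review.
    ARRAY_AGG(DISTINCT IFF(
        privilege NOT IN ('USAGE', 'CREATE SEMANTIC VIEW', 'REFERENCES',
                          'SELECT', 'IMPORTED PRIVILEGES'),
        privilege || ' ON ' || granted_on || ' ' || name,
        NULL)) AS privileges_outside_this_guide
FROM g;
```

Future grants are not included in this output; list them separately with SHOW FUTURE GRANTS TO ROLE <atlan_role>;.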
Apply grants
- Step by step
- All grants at once
Step by step: run these as a user with ACCOUNTADMIN access in Snowflake.
- Grant Create semantic views to let CES deploy your context repository as a Snowflake Semantic View.
GRANT USAGE ON DATABASE <target_database> TO ROLE <atlan_role>;
GRANT USAGE ON SCHEMA <target_database>.<target_schema> TO ROLE <atlan_role>;
GRANT CREATE SEMANTIC VIEW ON SCHEMA <target_database>.<target_schema> TO ROLE <atlan_role>;
- Grant Cortex Analyst access to let CES invoke Cortex Analyst for natural language to SQL during Chat & build and simulations.
  - All Cortex features: grants access to all Cortex features including Cortex Analyst, Cortex Search, and others.
USE ROLE ACCOUNTADMIN;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE <atlan_role>;
  - Cortex Analyst only: grants access to Cortex Analyst only. Use this option if you prefer least-privilege access; CES only requires Cortex Analyst.
USE ROLE ACCOUNTADMIN;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_ANALYST_USER TO ROLE <atlan_role>;
- Grant warehouse access to let CES execute SQL for Chat & build, simulations, and evaluations.
GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE <atlan_role>;
Tip: Chat & build and Simulate run complex, multi-step SQL queries. For best results, use a Large or larger warehouse. If the warehouse is too small, queries may time out during simulation. Warehouse selection is set at the connector level; you can't change it per session in CES.
- Grant Read access to semantic view metadata to let CES crawl and index deployed semantic views into the Atlan catalog.
  - INFORMATION_SCHEMA (recommended): captures semantic view DDL, which is required for full catalog visibility in Atlan.
GRANT USAGE ON ALL SCHEMAS IN DATABASE <target_database> TO ROLE <atlan_role>;
GRANT REFERENCES ON ALL SEMANTIC VIEWS IN DATABASE <target_database> TO ROLE <atlan_role>;
-- Future grants
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <target_database> TO ROLE <atlan_role>;
GRANT REFERENCES ON FUTURE SEMANTIC VIEWS IN DATABASE <target_database> TO ROLE <atlan_role>;
  - ACCOUNT_USAGE:
USE ROLE ACCOUNTADMIN;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE <atlan_role>;
Warning: This option alone is not sufficient to capture semantic view DDL. Use INFORMATION_SCHEMA if you need DDL visibility in the Atlan catalog.
- Grant SELECT on source tables and views (optional). This lets CES pull sample values and run simulations on live data. Without this, CES can build and score semantic models but can't validate results on live data.
Apply these grants on the schemas where your source data tables live, not the deployment schema from step 1, which typically contains no data tables.
-- Existing objects
GRANT SELECT ON ALL TABLES IN SCHEMA <source_database>.<source_schema> TO ROLE <atlan_role>;
GRANT SELECT ON ALL VIEWS IN SCHEMA <source_database>.<source_schema> TO ROLE <atlan_role>;
-- Future objects
GRANT SELECT ON FUTURE TABLES IN SCHEMA <source_database>.<source_schema> TO ROLE <atlan_role>;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA <source_database>.<source_schema> TO ROLE <atlan_role>;
Repeat for each source schema you want CES to query. If your context repository spans multiple schemas, apply these grants to each one.
All grants at once: run the following as ACCOUNTADMIN in your Snowflake account. Before running, replace:
- ATLAN_USER_ROLE with your Atlan service role name
- MY_WAREHOUSE with your Atlan connector warehouse name
- MY_DATABASE with your target database
- MY_SCHEMA with your target schema
- MY_SOURCE_DATABASE and MY_SOURCE_SCHEMA with the database and schema where your source data tables live (often different from the deployment target)
-- ============================================================
-- Context Engineering Studio: Snowflake Permissions Setup
-- Run as ACCOUNTADMIN
-- ============================================================
-- Set your values here
SET atlan_role = 'ATLAN_USER_ROLE';
SET warehouse = 'MY_WAREHOUSE';
SET target_db = 'MY_DATABASE';
SET target_schema = 'MY_SCHEMA';
SET full_schema = $target_db || '.' || $target_schema;
SET source_db = 'MY_SOURCE_DATABASE';
SET source_schema = 'MY_SOURCE_SCHEMA';
SET full_source_schema = $source_db || '.' || $source_schema;
-- 1. USAGE on deployment database and schema
GRANT USAGE ON DATABASE IDENTIFIER($target_db) TO ROLE IDENTIFIER($atlan_role);
GRANT USAGE ON SCHEMA IDENTIFIER($full_schema) TO ROLE IDENTIFIER($atlan_role);
-- 2. CREATE SEMANTIC VIEW
GRANT CREATE SEMANTIC VIEW ON SCHEMA IDENTIFIER($full_schema) TO ROLE IDENTIFIER($atlan_role);
-- 3. Cortex Analyst access
USE ROLE ACCOUNTADMIN;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_ANALYST_USER TO ROLE IDENTIFIER($atlan_role);
-- 4. Warehouse access (required for Chat & build, simulations, and evaluations)
GRANT USAGE ON WAREHOUSE IDENTIFIER($warehouse) TO ROLE IDENTIFIER($atlan_role);
-- 5. Semantic view crawling (INFORMATION_SCHEMA method, recommended)
GRANT USAGE ON ALL SCHEMAS IN DATABASE IDENTIFIER($target_db) TO ROLE IDENTIFIER($atlan_role);
GRANT REFERENCES ON ALL SEMANTIC VIEWS IN DATABASE IDENTIFIER($target_db) TO ROLE IDENTIFIER($atlan_role);
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE IDENTIFIER($target_db) TO ROLE IDENTIFIER($atlan_role);
GRANT REFERENCES ON FUTURE SEMANTIC VIEWS IN DATABASE IDENTIFIER($target_db) TO ROLE IDENTIFIER($atlan_role);
-- 6. SELECT on source tables and views (optional, required for simulations)
-- Repeat for each source schema in your context repository
GRANT SELECT ON ALL TABLES IN SCHEMA IDENTIFIER($full_source_schema) TO ROLE IDENTIFIER($atlan_role);
GRANT SELECT ON ALL VIEWS IN SCHEMA IDENTIFIER($full_source_schema) TO ROLE IDENTIFIER($atlan_role);
GRANT SELECT ON FUTURE TABLES IN SCHEMA IDENTIFIER($full_source_schema) TO ROLE IDENTIFIER($atlan_role);
GRANT SELECT ON FUTURE VIEWS IN SCHEMA IDENTIFIER($full_source_schema) TO ROLE IDENTIFIER($atlan_role);
Verify permissions with preflight check
Once you have applied grants, use the preflight check in the CES UI to validate that the Atlan service role has the required permissions before you start building. The preflight check verifies:
- Authentication: the service account can connect to Snowflake with the configured credentials
- Warehouse access: the role has USAGE on the configured warehouse
- Schema access: the role has USAGE on the target database and schema
- Create permission: the role can create semantic views in the target schema
- Cortex access: the role has the CORTEX_USER or CORTEX_ANALYST_USER database role
If any check fails, the preflight reports exactly which permission is missing. Fix the grant and re-run the check before proceeding.
Next steps
- Build your context repository: describe a domain, select assets, and generate a semantic model.