Data connections

By default, the Sema4.ai native app can connect to Snowflake databases and schemas that have been granted directly to the app. To connect to external databases such as PostgreSQL, MySQL, or Snowflake accounts outside this app, you configure an External Access Integration (EAI) and bind it to the app.

Snowflake data connections

To allow the app to query a Snowflake database in your account, grant the app access to the database, schema, and tables:

GRANT USAGE ON DATABASE <database> TO APPLICATION <app_name>;
GRANT USAGE ON SCHEMA <database>.<schema> TO APPLICATION <app_name>;
GRANT SELECT ON ALL TABLES IN SCHEMA <database>.<schema> TO APPLICATION <app_name>;
GRANT USAGE ON WAREHOUSE <warehouse> TO APPLICATION <app_name>;

Then create a data connection in the app UI using the Snowflake (App Role) connection type and enter your database, schema, and warehouse.

Cortex Analyst Semantic View connections

To import a Snowflake Cortex Analyst Semantic View into the app, start with the same grants as a standard Snowflake data connection (database, schema, tables, and warehouse), then add a grant on each semantic view you want to make available:

GRANT USAGE ON DATABASE <database> TO APPLICATION <app_name>;
GRANT USAGE ON SCHEMA <database>.<schema> TO APPLICATION <app_name>;
GRANT SELECT ON ALL TABLES IN SCHEMA <database>.<schema> TO APPLICATION <app_name>;
GRANT USAGE ON WAREHOUSE <warehouse> TO APPLICATION <app_name>;
 
GRANT SELECT, REFERENCES
  ON SEMANTIC VIEW <database>.<schema>.<semantic_view_name>
  TO APPLICATION <app_name>;

Repeat the GRANT SELECT, REFERENCES ON SEMANTIC VIEW statement for each additional semantic view you want to expose to the app.

The app's service identity also needs the SNOWFLAKE.CORTEX_USER database role to call the Cortex Analyst REST API:

GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO APPLICATION <app_name>;

Once the grants are in place, create a Snowflake (App Role) data connection in the app UI and navigate to Import Cortex Analyst Semantic View to browse and import the view. Importing creates a read-only data model whose queries are routed through Cortex Analyst.

External data connections (PostgreSQL, MySQL, etc.)

Snowflake native apps run in a locked-down sandbox. To allow the app to reach an external database host, you configure a network rule, wrap it in an External Access Integration, bind it to the app, and then create the connection in the UI.

USE DATABASE <your_database>;
USE SCHEMA <your_schema>;
 
CREATE OR REPLACE NETWORK RULE <rule_name>
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = ('<your-db-host>:<port>');

CREATE OR REPLACE NETWORK RULE mydb.public.my_db_network_rule
  TYPE = HOST_PORT
  MODE = EGRESS
  VALUE_LIST = ('my-instance.abc123.us-east-1.rds.amazonaws.com:5432');

VALUE_LIST = (
  'host-one.example.com:5432',
  'host-two.example.com:3306'
)

CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION <eai_name>
  ALLOWED_NETWORK_RULES = (<rule_name>)
  ENABLED = TRUE;

-- View existing rules on an EAI
DESCRIBE INTEGRATION <eai_name>;
 
-- Add the new rule alongside existing ones
ALTER EXTERNAL ACCESS INTEGRATION <eai_name>
  SET ALLOWED_NETWORK_RULES = (<existing_rule_1>, <existing_rule_2>, <rule_name>);

GRANT USAGE ON INTEGRATION <eai_name> TO APPLICATION <app_name>;
 
CALL <app_name>.setup.register_data_connections_eai_reference(
  'DATA_CONNECTIONS_EAI',
  'ADD',
  SYSTEM$REFERENCE('EXTERNAL_ACCESS_INTEGRATION', '<eai_name>', 'PERSISTENT', 'USAGE')::VARCHAR
);

Adding more hosts later

To allow additional hosts after initial setup, update the network rule (use the fully qualified name):

ALTER NETWORK RULE <database>.<schema>.<rule_name>
  SET VALUE_LIST = (
    'existing-host.example.com:5432',
    'new-host.example.com:5432'
  );

The app will pick up the updated rules automatically — no need to rebind the integration.

Removing the integration

CALL <app_name>.setup.register_data_connections_eai_reference(
  'DATA_CONNECTIONS_EAI',
  'REMOVE',
  ''
);