Version 2.5
User access and roles

The Sema4.ai native app in Snowflake follows a two-layer access model:

  1. Snowflake application roles control who can access the app.
  2. Sema4.ai roles control what a user can do inside the app after they sign in.

There is no email-invitation flow in Snowflake. To add users, grant one of the Sema4.ai application roles to the appropriate Snowflake account role, then have those users open the app.

GRANT APPLICATION ROLE <app_name>.SEMA4AI_APP_MEMBER TO ROLE <snowflake_role_name>;
GRANT APPLICATION ROLE <app_name>.SEMA4AI_APP_BUILDER TO ROLE <snowflake_builder_role_name>;
GRANT APPLICATION ROLE <app_name>.SEMA4AI_APP_ADMIN TO ROLE <snowflake_admin_role_name>;

What each application role grants

  • SEMA4AI_APP_ADMIN — full platform administration access.
  • SEMA4AI_APP_BUILDER — access to build agents, configure MCP servers, and manage data connections.
  • SEMA4AI_APP_MEMBER — access to use agents.

First sign-in and role assignment

When a granted user opens the app for the first time, a local user record is created from the Snowflake user context. The first user in a new installation becomes the initial admin; later users become member by default.

After users have signed in and appear on the Users page, an admin can promote or demote their role.

A user must hold the matching Snowflake application role to access the app at all. Their in-app role then determines what they can do once inside.
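
Because the first user to open a new installation becomes the initial admin, the order in which the grants are issued matters. The following is an added example, not part of the Sema4.ai documentation: a staged rollout that grants only the admin application role until the intended admin has signed in, then checks and extends access. The account role names SEMA4_ADMINS, SEMA4_BUILDERS and SEMA4_USERS and the <..._user> placeholders are assumptions.

```sql
-- Added example. SEMA4_ADMINS, SEMA4_BUILDERS, SEMA4_USERS and the
-- <..._user> placeholders are hypothetical; <app_name> is the installed app.

-- 1. Dedicated account roles, so app access is not attached to broad
--    roles that many users already hold.
CREATE ROLE IF NOT EXISTS SEMA4_ADMINS;
CREATE ROLE IF NOT EXISTS SEMA4_BUILDERS;
CREATE ROLE IF NOT EXISTS SEMA4_USERS;

-- 2. Before anyone opens the app, grant only the admin application role,
--    and only to the person who should become the initial in-app admin.
GRANT APPLICATION ROLE <app_name>.SEMA4AI_APP_ADMIN TO ROLE SEMA4_ADMINS;
GRANT ROLE SEMA4_ADMINS TO USER <intended_admin_user>;

-- 3. Verify the Snowflake layer: list the application roles, then the
--    grantees of each one. At this point only SEMA4_ADMINS should appear.
SHOW APPLICATION ROLES IN APPLICATION <app_name>;
SHOW GRANTS OF APPLICATION ROLE <app_name>.SEMA4AI_APP_ADMIN;
SHOW GRANTS OF APPLICATION ROLE <app_name>.SEMA4AI_APP_BUILDER;
SHOW GRANTS OF APPLICATION ROLE <app_name>.SEMA4AI_APP_MEMBER;

-- 4. After the intended admin has opened the app once (and is therefore
--    the initial admin), open access to builders and members.
GRANT APPLICATION ROLE <app_name>.SEMA4AI_APP_BUILDER TO ROLE SEMA4_BUILDERS;
GRANT APPLICATION ROLE <app_name>.SEMA4AI_APP_MEMBER TO ROLE SEMA4_USERS;
GRANT ROLE SEMA4_BUILDERS TO USER <builder_user>;
GRANT ROLE SEMA4_USERS TO USER <member_user>;

-- 5. Offboarding happens at the Snowflake layer: once a user no longer
--    holds any role that carries an application role, they cannot open
--    the app, whatever in-app role their user record still shows.
REVOKE ROLE SEMA4_USERS FROM USER <member_user>;

-- To withdraw a whole account role's access instead of one user's:
REVOKE APPLICATION ROLE <app_name>.SEMA4AI_APP_MEMBER FROM ROLE SEMA4_USERS;
```

Re-run the SHOW GRANTS statements from step 3 periodically and compare the grantees with the Users page, since the in-app role is set separately from the Snowflake application role.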