Need
The goal of this article is to detail how Snowflake roles and application roles must be configured so that non-admin users can access the Semarchy xDM Native App.
When this is not configured correctly, the following symptoms appear:
- A non-admin user opens the Semarchy URL taken from xdm_server_url.
- Snowflake asks them to authenticate (SSO or username/password).
- Immediately after a successful Snowflake login, the user receives:
{"responseType":"ERROR","detail":"Could not find the service associated with endpoint <endpoint>. Check that your service is created, active, and you have correct permissions."}
- Admin accounts reach xDM without issue.
The service itself is running (admins can reach it); the error is caused by missing application role grants for those non-admin users.
Summarized Solution
Role management is outside Semarchy's responsibility and is handled within your Snowflake account.
Before deploying the Semarchy xDM Native App, we strongly recommend that Snowflake administrators review Snowflake's documentation for Native App consumers, particularly the sections on application roles and role management:
https://docs.snowflake.com/en/sql-reference/sql/grant-application-role
https://docs.snowflake.com/en/developer-guide/native-apps/ui-consumer-about
This article provides a frame of reference for granting the application role to non-admin users so that they can access the app.
Detailed Solution
Semarchy xDM is deployed as a Snowflake Native App. To allow non-admin users to access the application UI, you must grant the application role(s) exposed by the app (for example XDM_APP) either to an account role that is assigned to users or directly to users. Run the GRANT statements below with a role that is allowed to grant application roles, typically the role that owns (installed) the application or ACCOUNTADMIN.
Typical steps in Snowflake include:
Option 1: grant the application role to a dedicated account role assigned to users
1. List the installed app:
SHOW APPLICATIONS;
> Copy your app name (<your_app>).
2. List your app's roles:
SHOW APPLICATION ROLES IN APPLICATION <your_app>;
> Copy your app roles (<your_app_role>)
3. Create an account role dedicated to xDM access. Use IF NOT EXISTS rather than OR REPLACE: OR REPLACE drops an existing role together with every grant already made to it:
CREATE ROLE IF NOT EXISTS <your_own_role>;
4. Grant the xDM application role to that account role:
GRANT APPLICATION ROLE <your_app_role> TO ROLE <your_own_role>;
5. Grant the account role to a user:
GRANT ROLE <your_own_role> TO USER <user_name>;
6. Verify the grants. SHOW GRANTS TO USER lists the account roles held by the user; to confirm that the account role itself holds the application role, inspect the grants of <your_own_role> the same way:
SHOW GRANTS TO USER <user_name>;
Option 2: grant the application role directly to specific users
GRANT APPLICATION ROLE <your_app_role> TO USER <user_name>;
> Only users who hold the xDM application role, either directly or through an account role that inherits it, can access the xDM UI through the xdm_server_url endpoint. Do not grant the application role or the dedicated account role to PUBLIC unless every user in the account is meant to reach the xDM UI.
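The complete Option 1 procedure as one script, added here as an example and not taken from the original article or from Semarchy. The application name SEMARCHY_XDM_APP, the account role XDM_USERS and the user JDOE are assumed placeholders; the application role XDM_APP is the example name used above. Replace them with what SHOW APPLICATIONS and SHOW APPLICATION ROLES return in your account.

```sql
-- Added example (not from the original article or Semarchy): grant the xDM
-- application role to non-admin users through a dedicated account role.
-- Assumed names: application SEMARCHY_XDM_APP, account role XDM_USERS,
-- user JDOE. XDM_APP is the example application role name from the article.

-- Application roles can only be granted by a role allowed to do so,
-- typically the application owner (the role that installed it) or ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- 1. Discover the installed app and the application roles it exposes.
SHOW APPLICATIONS;
SHOW APPLICATION ROLES IN APPLICATION SEMARCHY_XDM_APP;

-- 2. Dedicated account role. IF NOT EXISTS instead of OR REPLACE, because
--    OR REPLACE drops the role and with it every grant already made to it.
CREATE ROLE IF NOT EXISTS XDM_USERS
  COMMENT = 'Grants UI access to the Semarchy xDM Native App';

-- 3. Hand the application role to the account role, never to PUBLIC:
--    granting to PUBLIC would expose the xDM UI to every user in the account.
GRANT APPLICATION ROLE XDM_APP TO ROLE XDM_USERS;

-- 4. Grant the account role to each user who needs the UI
--    (or to an existing team role that those users already hold).
GRANT ROLE XDM_USERS TO USER JDOE;

-- 5. Verify both hops of the chain: the account role must hold the
--    application role, and the user must hold the account role.
SHOW GRANTS TO ROLE XDM_USERS;   -- expect a row for APPLICATION_ROLE XDM_APP
SHOW GRANTS TO USER JDOE;        -- expect a row for ROLE XDM_USERS

-- 6. Offboarding: revoking the account role removes the user's access
--    while leaving the application role grant on XDM_USERS intact.
REVOKE ROLE XDM_USERS FROM USER JDOE;
```

Keeping the application role on a dedicated account role (step 3) means access is granted and revoked per user at the account-role level (steps 4 and 6) without touching the application role grant itself, which is what you want to audit when investigating the endpoint error above.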