Note: Any Genbot with the Database Tools will be able to access this data, and when such a Genbot is deployed to Slack, any user of Slack will be able to run analyses of this data using the Genbot. So grant data in this manner only to non-sensitive data that is ok for any Slack user to view.

In order to take full advantage of the Genesis Genbots, you must allow them access to specific objects in your Snowflake account. Click on the “Grant Data Access” page in the Streamlit side menu to open up a set of helper scripts.

The scripts will create a stored procedure that accepts a database name and Genesis Bots application name as arguments and will grant SELECT access to all tables and views in all schemas of that database.

The procedure will be created in the GENESIS_LOCAL_DB.SETTINGS schema, which was created as a part of the installation and configuration process.

Copy the code below & run it in a Snowflake Snowsight worksheet.

    -- select role to use, generally ACCOUNTADMIN.  See documentation for required permissions if not using ACCOUNTADMIN.
    use role ACCOUNTADMIN;

    -- set the name of the installed application
    set APP_DATABASE = 'GENESIS_BOTS';

    USE SCHEMA GENESIS_LOCAL_DB.SETTINGS;
    USE WAREHOUSE XSMALL; -- or use your warehouse if not XSMALL


    CREATE OR REPLACE PROCEDURE GENESIS_LOCAL_DB.SETTINGS.grant_schema_usage_and_select_to_app(database_name STRING, APP_NAME STRING)
    RETURNS STRING LANGUAGE JAVASCRIPT EXECUTE AS CALLER
    AS $$
        var connection = snowflake.createStatement({
            sqlText: `SELECT SCHEMA_NAME FROM ${DATABASE_NAME}.INFORMATION_SCHEMA.SCHEMATA`
        });
        var result = connection.execute();

        while (result.next()) {
            var schemaName = result.getColumnValue(1);
            if (schemaName === 'INFORMATION_SCHEMA') {
                continue;
            }
            var sqlCommands = [
                `GRANT USAGE ON DATABASE ${DATABASE_NAME} TO APPLICATION ${APP_NAME}`,
                `GRANT USAGE ON SCHEMA ${DATABASE_NAME}.${schemaName} TO APPLICATION ${APP_NAME}`,
                `GRANT SELECT ON ALL TABLES IN SCHEMA ${DATABASE_NAME}.${schemaName} TO APPLICATION ${APP_NAME}`,
                `GRANT SELECT ON ALL VIEWS IN SCHEMA ${DATABASE_NAME}.${schemaName} TO APPLICATION ${APP_NAME}`,
            ];

            for (var i = 0; i < sqlCommands.length; i++) {
                try {
                    var stmt = snowflake.createStatement({sqlText: sqlCommands[i]});
                    stmt.execute();
                } catch(err) {
                    // Return error message if any command fails
                    return `Error executing command: ${sqlCommands[i]} - ${err.message}`;
                }
            }
        }
        return "Successfully granted USAGE and SELECT on all schemas, tables, and views to role " + APP_NAME;
    $$;

    -- see your databases
    show databases;
    -- To use on a local database in your account, call with the name of the database to grant
    --
    -- Note! any bot with the Database Tools will be able to access this data, and when such a bot is deployed to Slack,
    -- some bots may be accessible by all Slack users, unless they are configured by Eve to only be usable by select Slack
    -- users. So grant data in this manner only to non-sensitive data that is ok for any Slack user to view, or first have
    -- Eve limit the access to the Database Tools-enabled bots to only select users on Slack.
    -- Replace <your app name> with the name of your database you want to grant
    call GENESIS_LOCAL_DB.SETTINGS.grant_schema_usage_and_select_to_app('<your db name>',$APP_DATABASE);
    -- If you want to grant data that has been shared to you via Snowflake data sharing, use this process below instead
    -- the above:
    -- see inbound shares
    show shares;
    -- to grant an inbound shared database to the Genesis application
    -- (uncomment this by removing the // and put the right shared DB name in first)
    // grant imported privileges on database <inbound_share_db_name> to application IDENTIFIER($APP_DATABASE);
    -- If you want to to grant access to the SNOWFLAKE share (Account Usage, etc.) to the Genesis application
    -- uncomment this by removing the // and run it:
    // grant imported privileges on database SNOWFLAKE to application IDENTIFIER($APP_DATABASE);
    --- once granted, Genesis will automatically start to catalog this data so you can use it with Genesis bots

In the worksheet, ensure that the APP_DATABASE parameter is set to the correct Genesis Bots application name. Set the role, context, and warehouse before creating the stored procedure. The procedure accepts the application name (APP_NAME) and database name (database_name) as parameters. It will find all of the schemas that exist in the database, excluding the INFORMATION_SCHEMA schema, and loop through each, granting the following privileges to the Genesis Bots application:

  • USAGE on the database

  • USAGE on each schema

  • SELECT on all tables in each schema

  • SELECT on all views in each schema

Note: Granting privileges to the Genesis Bots application does not provide the Genesis provider access to your data or metadata. Only the Genesis Bots application will be able to take advantage of the privileges granted.

The stored procedure is meant to help grant the Genesis Bots application access to appropriate data in your Snowflake account. However, it can be modified, as necessary, to include or exclude specific schemas, objects, etc.

Next, run the “show databases” command to view the available databases in your account.

Call the “grant_schema_usage_and_select_to_app()” procedure, passing in the database name that you’d like to grant privileges on and the application name.

To verify that the database and its objects were granted successfully, browse to the “Harvester Status” page in the Genesis Bots Streamlit application. Here you can see all databases and schemas that have been granted to the application.

The harvest status shows how many Snowflake objects have been crawled by the Genesis Harvest Service, meaning their metadata was gathered and stored to inform the Genbots which objects are available for query, and which schemas are either included or excluded from the metadata harvesting service.

As you can see below, the recently added WEATHER_DB has 1 schema, PUBLIC, which contains 3 harvestable objects.

Install & ConfigurationGenesis Bots Architecture & Security FAQ