Roles & Permissions

Reseed uses a two-tier role system: Snowflake application roles for access to the app, and flexible in-app roles for fine-grained control—without bloating your Snowflake account.

Overview

Snowflake Native Apps use application roles to control access. Reseed defines only two application roles, keeping your Snowflake account clean. Inside the app, you can create as many in-app roles as you need to model your organization's structure.

Application Roles (Snowflake Level)

Reseed creates two application roles:

Role        Purpose
app_admin   Manages Reseed setup: in-app roles, user assignments, and system configuration
app_user    Uses Reseed to upload files and (optionally) create and manage Seeds

Grant these to any existing Snowflake roles—Reseed doesn't require specific naming conventions:

-- Grant to your existing roles
GRANT APPLICATION ROLE reseed.app_admin TO ROLE data_team_lead;
GRANT APPLICATION ROLE reseed.app_user TO ROLE analyst;

-- Or create dedicated roles if you prefer
CREATE ROLE IF NOT EXISTS RESEED_ADMIN;
GRANT APPLICATION ROLE reseed.app_admin TO ROLE RESEED_ADMIN;
GRANT ROLE RESEED_ADMIN TO ROLE SYSADMIN;
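
Once the grants are in place, it is worth confirming exactly which account roles hold each application role, in particular that app_admin has not reached PUBLIC or another broad role. The following is an added check, not part of Reseed's own SQL or documentation; it uses Snowflake's SHOW GRANTS and RESULT_SCAN, and assumes the application is installed under the name reseed and that the SHOW GRANTS OF APPLICATION ROLE output carries the same grantee_name column as SHOW GRANTS OF ROLE:

```sql
-- Which account roles hold each Reseed application role?
SHOW GRANTS OF APPLICATION ROLE reseed.app_admin;
SHOW GRANTS OF APPLICATION ROLE reseed.app_user;

-- The reverse view: which application roles does one account role hold?
SHOW GRANTS TO ROLE analyst;

-- Periodic least-privilege check: app_admin should never be reachable
-- through PUBLIC. RESULT_SCAN reads the output of the SHOW command that
-- ran immediately before it in this session; column names are assumed
-- to match the SHOW GRANTS OF ROLE output and are case-sensitive.
SHOW GRANTS OF APPLICATION ROLE reseed.app_admin;
SELECT "granted_to", "grantee_name", "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "grantee_name" = 'PUBLIC';   -- an empty result is the expected outcome
```

Run the check under a role that can see the grants (ACCOUNTADMIN, or the role that owns the application); the SELECT returns zero rows when the grant model matches the intent above.
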

Automatic Detection

Reseed automatically detects which application role is active for each session. Users with app_admin see the full Admin interface; users with only app_user see a streamlined view based on their in-app role assignments.

In-App Roles (Reseed Level)

Inside Reseed, you create in-app roles to organize users and control access to Seeds. These roles exist only within Reseed—they don't appear in your Snowflake account.

Each in-app role has:

Field             Description
role_name         Unique identifier (e.g., finance_director)
description       Optional description of the role's purpose
managed_by_role   Parent role in the hierarchy (enables delegation)
is_seed_admin     Can this role create, edit, and delete Seeds?

User Assignments

Users connecting with only the app_user application role must be assigned to an in-app role. This tells Reseed which Seeds and files they can access.

An app_admin creates these assignments in the Admin page by specifying the Snowflake username and the in-app role.

Finding User Names

Run these commands in a Snowflake worksheet to find usernames:

-- List all users (look in the "name" column)
SHOW USERS;

-- Get your current username
SELECT CURRENT_USER();

Bulk Import

For complex organizations, you can import lists of in-app roles and user assignments via CSV. In the Admin page, select the table you want to update and click Import Data to upload a CSV or download sample templates.

Seed Admins

A Seed Admin (is_seed_admin = true) can create and manage Seeds—the validation rules that govern file uploads.

Visibility Rules

Seed Admins can only see and edit:

  • Seeds they created
  • Seeds owned by roles they manage (directly or indirectly)

This enables departmental autonomy:

  • An hr_director can manage HR-related Seeds without seeing Finance Seeds
  • A finance_director can manage Finance Seeds without seeing HR Seeds
  • Neither can interfere with the other's rules or data

The app_admin Exception

Users with the app_admin application role have access to a special in-app role that can see and manage all Seeds in the system. Use this role sparingly—typically for central data governance or troubleshooting.

Example Hierarchy

Here's how a typical organization might structure in-app roles:

app_admin (implicit, sees everything)
├── finance_director (is_seed_admin: true)
│   ├── budget_analyst (is_seed_admin: true, managed_by: finance_director)
│   └── accounts_payable (is_seed_admin: false, managed_by: finance_director)
│
├── hr_director (is_seed_admin: true)
│   └── hr_specialist (is_seed_admin: false, managed_by: hr_director)
│
└── operations_manager (is_seed_admin: true)

In this setup:

  • finance_director can see and manage Seeds created by budget_analyst (a subordinate)
  • budget_analyst can create Seeds but cannot see finance_director's Seeds (unless granted access)
  • finance_director and hr_director cannot see each other's Seeds
  • accounts_payable and hr_specialist can upload files but cannot create Seeds
  • app_admin can see and manage everything
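
The visibility rule above ("Seeds they created, plus Seeds owned by roles they manage, directly or indirectly") is a transitive closure over managed_by_role. The query below is an added illustration of that rule, not Reseed's internal schema or code: the two temporary tables are constructed stand-ins that mirror the fields listed in this page and the Example Hierarchy, and the recursive CTE computes, for every Seed Admin, the set of Seeds it can see. It goes slightly beyond the bullets above in that it handles any depth of delegation, not just the two levels in the example:

```sql
-- Constructed stand-in for the in-app role table described on this page.
-- Column names follow the field names above; this is NOT Reseed's schema.
CREATE OR REPLACE TEMPORARY TABLE demo_in_app_roles (
    role_name        STRING,
    managed_by_role  STRING,    -- NULL for a top-level role
    is_seed_admin    BOOLEAN
);
INSERT INTO demo_in_app_roles VALUES
    ('finance_director',   NULL,               TRUE),
    ('budget_analyst',     'finance_director', TRUE),
    ('accounts_payable',   'finance_director', FALSE),
    ('hr_director',        NULL,               TRUE),
    ('hr_specialist',      'hr_director',      FALSE),
    ('operations_manager', NULL,               TRUE);

-- Constructed Seeds, each owned by the in-app role that created it.
CREATE OR REPLACE TEMPORARY TABLE demo_seeds (
    seed_name   STRING,
    created_by  STRING
);
INSERT INTO demo_seeds VALUES
    ('budget_upload',  'budget_analyst'),
    ('gl_close',       'finance_director'),
    ('vendor_invoice', 'finance_director'),
    ('new_hire_form',  'hr_director');

-- Transitive closure of the hierarchy: every (viewer, managed_role) pair,
-- starting with each role managing itself (depth 0). The depth guard stops
-- the recursion if a misconfigured managed_by_role ever forms a cycle.
WITH RECURSIVE managed AS (
    SELECT role_name AS viewer, role_name AS managed_role, 0 AS depth
    FROM demo_in_app_roles
    UNION ALL
    SELECT m.viewer, r.role_name, m.depth + 1
    FROM managed m
    JOIN demo_in_app_roles r ON r.managed_by_role = m.managed_role
    WHERE m.depth < 32
)
SELECT v.role_name AS viewer, s.seed_name, m.depth AS hops_below_viewer
FROM demo_in_app_roles v
JOIN managed   m ON m.viewer = v.role_name
JOIN demo_seeds s ON s.created_by = m.managed_role
WHERE v.is_seed_admin              -- non-Seed-Admins see no Seeds at all
ORDER BY viewer, seed_name;
```

With the constructed data, finance_director sees budget_upload (one hop down), gl_close and vendor_invoice; budget_analyst sees only budget_upload; hr_director sees only new_hire_form; operations_manager sees nothing; accounts_payable and hr_specialist do not appear because they are not Seed Admins. That is exactly the outcome the bullets above describe, and the same query shape is a useful sanity check before importing a large hierarchy via CSV: any viewer that unexpectedly gains rows has been placed too high in the managed_by_role chain.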

Summary

Layer               Where               Purpose
Application Roles   Snowflake account   Controls who can access Reseed at all (app_admin vs app_user)
In-App Roles        Inside Reseed       Controls what users can do and see within Reseed

This two-tier approach gives you flexible, fine-grained access control without creating dozens of Snowflake roles. Model your organization's complexity inside Reseed, while keeping your Snowflake account simple.