Skip to content
EntryLayer Operational data entry for Snowflake

Admin Guide

This guide is for Snowflake admins, implementation leads, and EntryLayer org admins who keep the installed Native App operating safely.

When to use this guide

Section titled “When to use this guide”

Use this guide when you need to:

  • grant app access roles
  • assign or revoke seats
  • configure source caller rights
  • use diagnostics
  • run controlled operational SQL
  • suspend, resume, or troubleshoot the app

Control planes

Section titled “Control planes”

EntryLayer administration has separate control planes:

Control planeWhat it does
Snowflake application rolesLet Snowflake roles open or administer the installed app.
EntryLayer seat typeControls product capability: view, act, build, admin.
Project permissionsControl actual record access such as can_read and can_edit.
Snowflake source grantsControl source metadata, rows, and values.

Keep these separate when troubleshooting access.

Bootstrap checklist

Section titled “Bootstrap checklist”
  1. Grant ENTRYLAYER_USER to the Snowflake roles that should open the app.
  2. Grant ENTRYLAYER_ADMIN only to a small bootstrap/recovery role.
  3. Assign the first admin seat.
  4. Grant caller rights on the source databases EntryLayer should browse.
  5. Open Org Settings and use Data Access Setup diagnostics.
  6. Create a test source-connected project and verify access with a real user.

User access roles

Section titled “User access roles”

Grant app access to a Snowflake role:

GRANT APPLICATION ROLE ENTRYLAYER.ENTRYLAYER_USER
  TO ROLE MY_APP_USER_ROLE;

Grant SQL administration only to controlled roles:

GRANT APPLICATION ROLE ENTRYLAYER.ENTRYLAYER_ADMIN
  TO ROLE MY_ENTRYLAYER_ADMIN_ROLE;

Replace ENTRYLAYER with the installed app name if it differs.

Seat management

Section titled “Seat management”

Use the UI for normal membership operations: Org Settings -> Members & Licenses.

Use SQL for bootstrap, recovery, or controlled admin automation:

CALL ENTRYLAYER.API.SET_USER_SEAT('JSMITH', 'build');
CALL ENTRYLAYER.API.REVOKE_USER_SEAT('CONTRACTOR_1');
CALL ENTRYLAYER.API.LIST_USERS();

Seat type controls product capability, not record visibility.

Org Settings members and diagnostics

Project access governance

Section titled “Project access governance”

Project permissions, not seat type alone, control submission data access.

Important reminders:

  • admin seat does not automatically grant submission visibility
  • can_manage does not automatically grant can_read
  • can_read_all and can_edit_all widen scope from own records to all records
  • field-group permissions can further restrict visible/editable fields

Snowflake source access

Section titled “Snowflake source access”

EntryLayer uses Restricted Caller Rights for consumer-owned data where Snowflake supports it.

Common grants:

GRANT CALLER USAGE ON DATABASE MY_DATABASE TO APPLICATION ENTRYLAYER;
GRANT INHERITED CALLER USAGE ON ALL SCHEMAS IN DATABASE MY_DATABASE TO APPLICATION ENTRYLAYER;
GRANT INHERITED CALLER REFERENCES, SELECT ON ALL TABLES IN DATABASE MY_DATABASE TO APPLICATION ENTRYLAYER;
GRANT INHERITED CALLER REFERENCES, SELECT ON ALL VIEWS IN DATABASE MY_DATABASE TO APPLICATION ENTRYLAYER;
GRANT INHERITED CALLER REFERENCES, SELECT ON ALL SEMANTIC VIEWS IN DATABASE MY_DATABASE TO APPLICATION ENTRYLAYER;

The Object Explorer and source-connected queues reflect the signed-in user’s Snowflake visibility on supported sources.

Day-2 operations checklist

Section titled “Day-2 operations checklist”

Use this checklist after initial setup:

  • review seat assignments periodically
  • keep ENTRYLAYER_ADMIN limited to admin/operator roles
  • use diagnostics before changing source grants
  • verify source visibility with real user roles after grant changes
  • monitor app service health when users report availability issues
  • use App Public Views and documented SQL API calls for inspection

Monitoring and operations

Section titled “Monitoring and operations”

Check service health:

SELECT SYSTEM$GET_SERVICE_STATUS('ENTRYLAYER.CORE.ENTRYLAYER_SERVICE');
CALL SYSTEM$GET_SERVICE_LOGS('ENTRYLAYER.CORE.ENTRYLAYER_SERVICE', 0, 'api', 100);
CALL SYSTEM$GET_SERVICE_LOGS('ENTRYLAYER.CORE.ENTRYLAYER_SERVICE', 0, 'web', 100);

Suspend or resume the app:

CALL ENTRYLAYER.API.SUSPEND_APP();
CALL ENTRYLAYER.API.RESUME_APP();

These operations should be limited to roles with ENTRYLAYER_ADMIN.

Diagnostics and inspection

Section titled “Diagnostics and inspection”

Prefer documented diagnostics and inspection surfaces:

  • Org Settings -> Data Access Setup
  • ENTRYLAYER.APP_PUBLIC views
  • CALL ENTRYLAYER.API.HELP()
  • CALL ENTRYLAYER.API.AGENT_MANIFEST()
  • SQL API read-only procedures such as LIST_USERS, LIST_PROJECTS, and LIST_ACCESS

Build customer workflows on documented UI diagnostics, APP_PUBLIC views, and API procedures.

Practical admin flow

Section titled “Practical admin flow”
  1. Grant app roles.
  2. Assign seats.
  3. Grant caller rights.
  4. Validate sources through UI diagnostics or documented SQL API calls.
  5. Grant project permissions intentionally.
  6. Use App Public Views and billing/operations references for inspection.
Section titled “Related docs”