# GOLDILOX Insights - Permission Setup

This notebook helps you configure the permissions that **GOLDILOX Insights** needs to analyze your query patterns and generate clustering recommendations.

**Run this notebook as ACCOUNTADMIN** (or a role with sufficient privileges).

### Permissions covered in this notebook

| Permission | Purpose |
|---|---|
| **MONITOR on warehouses** | Allows the app to fetch query profiles and analyze warehouse performance |
| **Database role grants (USAGE + SELECT)** | Allows the app to read table metadata and query patterns from your monitored databases |

> These permissions **cannot** be granted from within the app itself. The app will detect missing permissions and show warnings, but an admin must run these grants manually.

### Before you begin

1. Make sure the GOLDILOX Insights app is already installed
2. Note your **app name** (check under Installed Apps in Snowsight) - the default is typically `GOLDILOX_INSIGHTS`
3. Identify which **warehouses** and **databases** you want the app to monitor

## Configuration

Update the app name below to match your installation. Run this cell first - subsequent cells reference this variable.

In [None]:
-- Update this to match your installed app name
SET APP_NAME = 'GOLDILOX_INSIGHTS';

---
## 1. Grant MONITOR Privilege on Warehouses

The app needs **MONITOR** privilege on each warehouse you want it to analyze. This allows the app to:
- Fetch query profiles for queries executed on that warehouse
- Analyze warehouse performance and partition pruning patterns
- Track query execution metrics over time

Without MONITOR, the app can still see basic query history (via `ACCOUNT_USAGE`), but **cannot** retrieve detailed query profiles needed for accurate clustering recommendations.

### Step 1a: Discover your active warehouses

Run the cell below to see all warehouses with recent query activity.

In [None]:
-- List active warehouses with query counts from the last 30 days
SELECT
    WAREHOUSE_NAME,
    COUNT(*) AS QUERY_COUNT_30D,
    SUM(PARTITIONS_SCANNED) AS TOTAL_PARTITIONS_SCANNED,
    SUM(PARTITIONS_TOTAL) AS TOTAL_PARTITIONS_TOTAL
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE
    QUERY_TYPE = 'SELECT'
    AND WAREHOUSE_SIZE IS NOT NULL
    AND DATABASE_NAME != 'SNOWFLAKE'
    AND START_TIME >= DATEADD(DAY, -30, CURRENT_DATE())
GROUP BY WAREHOUSE_NAME
ORDER BY QUERY_COUNT_30D DESC;

### Step 1b: Check existing MONITOR grants

Run this to see which warehouses already have MONITOR granted to the app.

In [None]:
-- Check which warehouses already have MONITOR granted to the app
SELECT
    NAME AS WAREHOUSE_NAME,
    PRIVILEGE,
    GRANTED_ON,
    GRANTED_BY
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE
    GRANTEE_NAME = $APP_NAME
    AND GRANTED_ON = 'WAREHOUSE'
    AND DELETED_ON IS NULL
ORDER BY NAME;

### Step 1c: Grant MONITOR on warehouses

Update the cell below with the warehouses you want to monitor. Add or remove lines as needed.

> **Tip:** You can grant MONITOR on all warehouses you want analyzed, or start with your most active ones and add more later.

In [None]:
-- Grant MONITOR on each warehouse you want the app to analyze.
-- Update the warehouse names below to match your environment.

GRANT MONITOR ON WAREHOUSE COMPUTE_WH    TO APPLICATION IDENTIFIER($APP_NAME);
-- GRANT MONITOR ON WAREHOUSE ANALYTICS_WH  TO APPLICATION IDENTIFIER($APP_NAME);
-- GRANT MONITOR ON WAREHOUSE ETL_WH         TO APPLICATION IDENTIFIER($APP_NAME);

---
## 2. Grant Database Access for Monitored Tables

The app needs **USAGE** and **SELECT** access on databases containing tables you want to monitor. This is done by creating a database role (`GOLDILOX_APP_VIEWER`) in each target database and granting it to the app.

This allows the app to:
- Read table metadata (row counts, clustering keys, storage sizes)
- Analyze column usage patterns for clustering recommendations
- Validate access status for monitored targets

### Step 2a: Identify databases to monitor

Run this to see databases with the most query activity and partition scanning.

In [None]:
-- List databases with significant query activity in the last 30 days
SELECT
    DATABASE_NAME,
    COUNT(*) AS QUERY_COUNT_30D,
    SUM(PARTITIONS_SCANNED) AS TOTAL_PARTITIONS_SCANNED,
    SUM(PARTITIONS_TOTAL) AS TOTAL_PARTITIONS_TOTAL,
    CASE
        WHEN SUM(PARTITIONS_TOTAL) = 0 THEN 0
        ELSE ROUND((SUM(PARTITIONS_SCANNED) / SUM(PARTITIONS_TOTAL)) * 100, 2)
    END AS SCAN_PERCENTAGE
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE
    QUERY_TYPE = 'SELECT'
    AND WAREHOUSE_SIZE IS NOT NULL
    AND DATABASE_NAME IS NOT NULL
    AND DATABASE_NAME != 'SNOWFLAKE'
    AND START_TIME >= DATEADD(DAY, -30, CURRENT_DATE())
GROUP BY DATABASE_NAME
ORDER BY TOTAL_PARTITIONS_SCANNED DESC;

### Step 2b: Check existing database grants

Run this to see which databases already have the `GOLDILOX_APP_VIEWER` role granted.

In [None]:
-- Check which databases already have GOLDILOX_APP_VIEWER role granted to the app
SELECT
    NAME,
    PRIVILEGE,
    GRANTED_ON,
    GRANTED_BY
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE
    GRANTEE_NAME LIKE '%GOLDILOX_APP_VIEWER%'
    AND DELETED_ON IS NULL
ORDER BY NAME;

### Step 2c: Grant access for each database

For each database you want to monitor, run a grant block like the one below. This creates a `GOLDILOX_APP_VIEWER` database role, grants it to the app, and gives it USAGE and SELECT access.

**Copy and modify this block for each database.** Replace `MY_DATABASE` with your actual database name.

> **Note on quoting:** If your database name contains mixed case or special characters, keep the double quotes (e.g., `"My_Database"`). For all-uppercase names, quotes are optional but harmless.

In [None]:
-- ================================================
-- Grant access for database: MY_DATABASE
-- Replace MY_DATABASE with your actual database name
-- ================================================

-- Create the database role
CREATE DATABASE ROLE IF NOT EXISTS "MY_DATABASE".GOLDILOX_APP_VIEWER;

-- Grant the role to the app
GRANT DATABASE ROLE "MY_DATABASE".GOLDILOX_APP_VIEWER TO APPLICATION IDENTIFIER($APP_NAME);

-- Grant USAGE on the database and all schemas
GRANT USAGE ON DATABASE "MY_DATABASE" TO DATABASE ROLE "MY_DATABASE".GOLDILOX_APP_VIEWER;
GRANT USAGE ON ALL SCHEMAS IN DATABASE "MY_DATABASE" TO DATABASE ROLE "MY_DATABASE".GOLDILOX_APP_VIEWER;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "MY_DATABASE" TO DATABASE ROLE "MY_DATABASE".GOLDILOX_APP_VIEWER;

-- Grant SELECT on all current and future tables
GRANT SELECT ON ALL TABLES IN DATABASE "MY_DATABASE" TO DATABASE ROLE "MY_DATABASE".GOLDILOX_APP_VIEWER;
GRANT SELECT ON FUTURE TABLES IN DATABASE "MY_DATABASE" TO DATABASE ROLE "MY_DATABASE".GOLDILOX_APP_VIEWER;

Duplicate the cell above for additional databases. Uncomment and update the example below, or add new SQL cells as needed.

In [None]:
-- ================================================
-- Grant access for database: SECOND_DATABASE
-- Uncomment and update the database name
-- ================================================

-- CREATE DATABASE ROLE IF NOT EXISTS "SECOND_DATABASE".GOLDILOX_APP_VIEWER;
-- GRANT DATABASE ROLE "SECOND_DATABASE".GOLDILOX_APP_VIEWER TO APPLICATION IDENTIFIER($APP_NAME);
-- GRANT USAGE ON DATABASE "SECOND_DATABASE" TO DATABASE ROLE "SECOND_DATABASE".GOLDILOX_APP_VIEWER;
-- GRANT USAGE ON ALL SCHEMAS IN DATABASE "SECOND_DATABASE" TO DATABASE ROLE "SECOND_DATABASE".GOLDILOX_APP_VIEWER;
-- GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "SECOND_DATABASE" TO DATABASE ROLE "SECOND_DATABASE".GOLDILOX_APP_VIEWER;
-- GRANT SELECT ON ALL TABLES IN DATABASE "SECOND_DATABASE" TO DATABASE ROLE "SECOND_DATABASE".GOLDILOX_APP_VIEWER;
-- GRANT SELECT ON FUTURE TABLES IN DATABASE "SECOND_DATABASE" TO DATABASE ROLE "SECOND_DATABASE".GOLDILOX_APP_VIEWER;

---
## 3. Verify Permissions

After granting permissions, run the cells below to confirm everything is in place.

### Verify warehouse MONITOR grants

In [None]:
-- Verify MONITOR grants on warehouses for the app
SELECT
    NAME AS WAREHOUSE_NAME,
    PRIVILEGE
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE
    GRANTEE_NAME = $APP_NAME
    AND GRANTED_ON = 'WAREHOUSE'
    AND PRIVILEGE = 'MONITOR'
    AND DELETED_ON IS NULL
ORDER BY NAME;

### Verify database access grants

In [None]:
-- Verify database role grants for GOLDILOX_APP_VIEWER
SELECT
    NAME,
    PRIVILEGE,
    GRANTED_ON,
    TABLE_CATALOG AS DATABASE_NAME
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE
    GRANTEE_NAME LIKE '%GOLDILOX_APP_VIEWER%'
    AND DELETED_ON IS NULL
ORDER BY TABLE_CATALOG, GRANTED_ON, NAME;

---
## Next Steps

After running this notebook:

1. Go back to the **GOLDILOX Insights** app
2. Navigate to the **Recommendations** tab
3. Click **Refresh Access Status** to confirm the app detects the new permissions
4. Add your target databases/tables in the **Monitored Targets** section

### Adding more databases later

You can re-run this notebook anytime to grant access to additional databases or warehouses. Just add new grant blocks in Sections 1c and 2c above.

### Revoking access

To revoke the app's access to a database:
```sql
REVOKE DATABASE ROLE "MY_DATABASE".GOLDILOX_APP_VIEWER FROM APPLICATION <app_name>;
DROP DATABASE ROLE IF EXISTS "MY_DATABASE".GOLDILOX_APP_VIEWER;
```

To revoke warehouse monitoring:
```sql
REVOKE MONITOR ON WAREHOUSE <warehouse_name> FROM APPLICATION <app_name>;
```