Configure Snowflake permissions for Zero Copy segmentation
Configure and validate Snowflake permissions to enable Zero Copy segmentation to execute securely within your environment.
Segmentation tasks on Zero Copy integrations run directly inside the Snowflake instance and require a specific set of permissions that control how the system accesses and processes data. You must configure these permissions to allow the segmentation role to read source data, create execution objects, and write results to the target table. This topic explains the required permissions and how they enable secure, controlled execution of segmentation tasks within the boundaries of the Snowflake instance.
Prerequisites
Before you begin, make sure you have:
- Access to a Snowflake account with privileges to grant roles and permissions.
- A warehouse, database, and schema created or identified.
- A dedicated role for segmentation.
- Completed Zero Copy Integration configuration.
Grant access to Snowflake resources
Grant access to the warehouse, database, and schema so that the segmentation role can operate within the defined environment.
GRANT USAGE ON WAREHOUSE <warehouse> TO ROLE <role>;
GRANT USAGE ON DATABASE <db> TO ROLE <role>;
GRANT USAGE ON SCHEMA <db>.<schema> TO ROLE <role>;
These permissions allow the role to use compute resources, access the database, and work within the schema.
Grant object creation permissions in the schema
Allow the segmentation role to create Snowflake objects required for execution.
GRANT CREATE TASK ON SCHEMA <db>.<schema> TO ROLE <role>;
GRANT CREATE TABLE ON SCHEMA <db>.<schema> TO ROLE <role>;
GRANT CREATE PROCEDURE ON SCHEMA <db>.<schema> TO ROLE <role>;
These permissions allow the system to create tasks, procedures, and the segment_results table.
Grant data access for segment evaluation
Allow the segmentation role to read source data required for segment evaluation.
GRANT SELECT ON TABLE <db>.<schema>."entities" TO ROLE <role>;
GRANT SELECT ON TABLE <db>.<schema>."interactions" TO ROLE <role>;
These permissions allow the system to read entity data and interaction data when segment logic requires it.
Grant write and cleanup permissions
Allow the segmentation role to write results and remove outdated data during execution.
GRANT INSERT ON FUTURE TABLES IN SCHEMA <db>.<schema> TO ROLE <role>;
GRANT DELETE ON FUTURE TABLES IN SCHEMA <db>.<schema> TO ROLE <role>;
GRANT DELETE ON ALL TABLES IN SCHEMA <db>.<schema> TO ROLE <role>;
These permissions allow the system to insert new results and delete stale data before each execution.
Grant task execution capability
Allow Snowflake to execute tasks created by the segmentation role.
GRANT EXECUTE TASK ON ACCOUNT TO ROLE <role>;
This permission allows task execution without granting additional data access.
Enable tagging for segmentation tasks
This step is optional. Grant tagging permissions if you want to track and filter segmentation tasks.
GRANT CREATE TAG ON SCHEMA <db>.<schema> TO ROLE <role>;
If you do not grant this permission, the system skips tagging and continues execution.
Transfer ownership of the segment_results table
This step is required only if another role owns the segment_results table.
GRANT OWNERSHIP ON TABLE <db>.<schema>.segment_results
TO ROLE <role> COPY CURRENT GRANTS;
This ensures that the segmentation role can manage the table without removing existing access.
Validation
Run the following commands to verify permissions and execution readiness.
SHOW GRANTS TO ROLE <role>;
SHOW GRANTS ON SCHEMA <db>.<schema>;
SHOW GRANTS ON TABLE <db>.<schema>.segment_results;
SHOW GRANTS ON ACCOUNT;
Confirm that all required permissions exist and that segmentation tasks execute successfully.
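The following is an added example, not part of the original documentation. It turns the validation step into a query that lists required privileges missing from the SHOW GRANTS TO ROLE output, then checks the FUTURE TABLES grants separately with SHOW FUTURE GRANTS. It uses the page's <role>, <db>, and <schema> placeholders and assumes the statements run back to back in one session.

```sql
-- Added example. <role>, <db>, <schema> are the page's placeholders.
-- Run each SHOW and the SELECT after it back to back in one session:
-- LAST_QUERY_ID() must still refer to the SHOW statement.

-- 1. Privileges from this page that SHOW GRANTS TO ROLE should list.
SHOW GRANTS TO ROLE <role>;

WITH required AS (
    SELECT column1 AS privilege, column2 AS granted_on
    FROM VALUES
        ('USAGE',            'WAREHOUSE'),
        ('USAGE',            'DATABASE'),
        ('USAGE',            'SCHEMA'),
        ('CREATE TASK',      'SCHEMA'),
        ('CREATE TABLE',     'SCHEMA'),
        ('CREATE PROCEDURE', 'SCHEMA'),
        ('SELECT',           'TABLE'),
        ('EXECUTE TASK',     'ACCOUNT')
),
actual AS (
    -- SHOW output columns are lowercase, so they must be double-quoted.
    SELECT DISTINCT "privilege" AS privilege, "granted_on" AS granted_on
    FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
)
-- Any row returned is a required privilege type the role does not hold.
-- This matches on privilege and object type only; confirm object names
-- (warehouse, schema, "entities", "interactions") in the SHOW output.
SELECT r.privilege, r.granted_on
FROM required r
LEFT JOIN actual a
       ON a.privilege = r.privilege
      AND a.granted_on = r.granted_on
WHERE a.privilege IS NULL
ORDER BY r.granted_on, r.privilege;

-- 2. INSERT and DELETE on FUTURE TABLES are reported by SHOW FUTURE GRANTS.
SHOW FUTURE GRANTS IN SCHEMA <db>.<schema>;

-- Expect one INSERT row and one DELETE row for the segmentation role.
SELECT "privilege", "name", "grantee_name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE UPPER("grantee_name") = UPPER('<role>')
  AND "privilege" IN ('INSERT', 'DELETE');
```

An empty result from the first query means every listed privilege type is present. DELETE on existing tables is left out of that list because GRANT ... ON ALL TABLES produces no grant rows when the schema has no tables yet.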