Skip to main content
Get your CloudLink connection up and running with our comprehensive setup guide. This document covers security architecture, IP whitelisting, automated scripts, and configuration steps.

Secure Direct Access

Elementum provides secure, in-place data access to your Snowflake instance:
Credentials are provided by Snowflake to permit Elementum access to defined tables. You retain full control over the data and can terminate access at any time.

How It Works

A specific table and defined set of attributes with permissions (e.g., read/write, read-only) are created to enable business processes.

Direct Connect Architecture

This connection allows for read/write access and the ability to execute workflows on your data:
Your Snowflake Account:
  • Contains your data (databases, tables, views)
  • Grants access to Elementum Reader/Writer Account with read/write permissions
  • Can restrict access to known Elementum Platform IP addresses

Security Architecture

At Rest:
  • Account data encrypted using industry-standard algorithms
  • Credentials encrypted and never returned outside internal system
In Transit:
  • All traffic encrypted using TLS
  • Secure connection methods (Internet or VPN)
Both Internet and VPN traffic are encrypted. VPN provides additional security through least privilege access controls.

Whitelist Elementum IP Addresses

Elementum IP Addresses to Whitelist

Configure your Snowflake network policies to allow connections from these IP addresses: 
44.210.166.136
44.209.114.114
52.72.254.246

-- Create network policy for US region
USE ROLE ACCOUNTADMIN;

CREATE NETWORK POLICY IF NOT EXISTS ELEMENTUM_ACCESS_POLICY
  ALLOWED_IP_LIST = (
    '44.210.166.136',
    '44.209.114.114',
    '52.72.254.246'
  )
  COMMENT = 'Network policy for Elementum platform access';

-- Apply to Elementum user
ALTER USER ELEMENTUM SET NETWORK_POLICY = ELEMENTUM_ACCESS_POLICY;

-- Verify policy is applied
DESC USER ELEMENTUM;
If you’re using multi-region access or want to allow connections from both US and Europe, use the combined policy above.

Key-Pair Authentication

Elementum uses RSA key-pair authentication to connect to your Snowflake account. This is more secure than password-based authentication and is the required method for CloudLink connections.

How It Works

Key-pair authentication uses a cryptographic key pair instead of a password:
  • Private key — Held securely by Elementum and never exposed. Used to sign authentication requests.
  • Public key — Provided to you through the Elementum UI. You assign it to the Snowflake service user so Snowflake can verify that incoming requests are from Elementum.
Because the private key never leaves Elementum’s infrastructure, there is no shared secret to manage or risk exposing.

Obtaining the Public Key from Elementum

1

Open CloudLink Settings

In Elementum, navigate to Settings > Cloud Links.
2

Start a New Connection

Click Add Connection and select Snowflake as the data platform.
3

Copy the Public Key

The RSA public key is displayed in the connection setup dialog. Click Copy Public Key to copy it to your clipboard. You will paste this value into a Snowflake SQL command in the next section.
Each Elementum environment generates its own unique key pair. If you are setting up multiple environments, copy the public key separately from each environment’s CloudLink settings.

Assigning the Public Key in Snowflake

After copying the public key from Elementum, assign it to the Snowflake service user with the following SQL command: 
USE ROLE ACCOUNTADMIN;

ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY = '<PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI>';
Replace <PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI> with the key you copied. The value should be the raw key content without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- header and footer lines.

Verifying the Key-Pair Configuration

After assigning the public key, confirm it is set correctly: 
DESC USER ELEMENTUM;
Look for the RSA_PUBLIC_KEY_FP field in the output. A non-empty fingerprint value confirms the public key is assigned. You can also verify from the Elementum side by clicking Test Connection in the CloudLink setup dialog. A successful test confirms that authentication is working end-to-end.

Key Rotation

Snowflake supports two simultaneous public keys per user (RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2), enabling zero-downtime key rotation. Elementum recommends rotating keys every 90 days. To rotate keys:
  1. Generate a new key pair in Elementum by clicking Rotate Key in Settings > Cloud Links for the relevant connection.
  2. Copy the new public key from the Elementum UI.
  3. Assign the new key to the secondary key slot in Snowflake: 
    ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY_2 = '<NEW_PUBLIC_KEY>';
  4. Verify the new key works by testing the connection in Elementum.
  5. Remove the old key: 
    ALTER USER ELEMENTUM UNSET RSA_PUBLIC_KEY;
  6. Promote the new key to the primary slot: 
    ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY = '<NEW_PUBLIC_KEY>';
ALTER USER ELEMENTUM UNSET RSA_PUBLIC_KEY_2;
Do not remove the old key before confirming the new key works. Use Snowflake’s dual-key support to avoid disrupting active connections during rotation.

Disabling Password Authentication

If the Snowflake user was previously created with a password, disable password-based login after key-pair authentication is confirmed: 
ALTER USER ELEMENTUM SET DISABLE_DIRECT_LOGIN = TRUE;
This ensures the service account can only be accessed through key-pair authentication, reducing your attack surface.

Choose Your Setup Method

Setting up the Elementum Account in Snowflake

Snowflake Setup Script

This script requires execution by a user with the ACCOUNTADMIN role in Snowflake.

Getting Started

Before running the script:
  1. Ensure you have ACCOUNTADMIN role access
  2. Obtain the RSA public key from Elementum CloudLink UI
  3. Identify which databases and tables need Elementum access
  4. Plan your warehouse sizing requirements

Setup Steps Overview

The script will perform these actions:
1

Create New User & Role

Creates a user and role for Elementum Platform access with proper security configuration.
2

Create Snowflake Warehouse

Provisions a warehouse for all Elementum Platform activity and actions. This warehouse provides processing power for workflows, queries, and data operations.
3

Create Elementum Database & Schema

Database: Dedicated space for Elementum state management (configuration, metadata, operational data)Schemas:
  • ELEMENTUM_PLATFORM - Reserved for platform operations (do not modify)
  • PUBLIC - Schema for data exchange tables
Requirements:
  • Each integrated table/view must have a primary key or unique key column
  • Domain whitelist: [your-org].elementum.io
  • Additional access policies can be applied in Elementum for team/individual restrictions
4

Grant Permissions

Grant the newly created role permissions to specific databases for relevant use cases and processes.
5

Turn on Change Tracking (Optional - only if using change-based Element automations)

Enable change tracking for each table to ensure changes made in Snowflake are reflected in Elementum in real-time.
6

Grant Cortex Access (Optional - only if using AI/ML features)

Grant the Elementum role access to Cortex to leverage ML models and LLMs for AI-powered features.

Run These Scripts in Snowflake

1

Create Role for Elementum

USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS ELEMENTUM;
GRANT ROLE ELEMENTUM TO ROLE SYSADMIN;
2

Create User for Elementum

USE ROLE ACCOUNTADMIN;
CREATE USER IF NOT EXISTS ELEMENTUM 
  TYPE = SERVICE 
  RSA_PUBLIC_KEY = '<PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI>';
GRANT ROLE ELEMENTUM TO USER ELEMENTUM;
Use the public key you copied in the Key-Pair Authentication section above.
3

Create Warehouse for Elementum

USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS ELEMENTUM
  WITH WAREHOUSE_SIZE = 'MEDIUM',
  MIN_CLUSTER_COUNT = 1,
  MAX_CLUSTER_COUNT = 10,
  AUTO_SUSPEND = 60;

GRANT USAGE ON WAREHOUSE ELEMENTUM TO ROLE ELEMENTUM;
Configuration Details:
  • Size: Medium (adjust based on workload)
  • Min Clusters: 1
  • Max Clusters: 10 (auto-scaling enabled)
  • Auto-Suspend: 60 seconds (reduces costs)
4

Create Database for Elementum

USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS ELEMENTUM;
GRANT OWNERSHIP ON DATABASE ELEMENTUM TO ROLE ELEMENTUM;
5

Create Schema for Platform Operations

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
CREATE SCHEMA IF NOT EXISTS ELEMENTUM_PLATFORM;
Do not modify or add tables to the ELEMENTUM_PLATFORM schema. This is reserved for internal platform operations.
6

Grant Usage to Other Databases/Tables

USE ROLE SYSADMIN;

-- First, grant database usage
GRANT USAGE ON DATABASE <INSERT_DATABASE_NAME_HERE> TO ROLE ELEMENTUM;

-- Then grant schema usage
GRANT USAGE ON SCHEMA <INSERT_DATABASE_NAME_HERE>.<INSERT_SCHEMA_NAME_HERE> TO ROLE ELEMENTUM;

-- Finally, grant table permissions (fully qualified)
GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE <INSERT_DATABASE_NAME_HERE>.<INSERT_SCHEMA_NAME_HERE>.<INSERT_TABLE_NAME_HERE> TO ROLE ELEMENTUM;
Examples:
-- For transactional tables
USE ROLE SYSADMIN;

-- Grant database and schema usage
GRANT USAGE ON DATABASE SALES_DB TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA SALES_DB.PUBLIC TO ROLE ELEMENTUM;

-- Grant full permissions on specific tables
GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE SALES_DB.PUBLIC.CUSTOMERS TO ROLE ELEMENTUM;
GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE SALES_DB.PUBLIC.ORDERS TO ROLE ELEMENTUM;
7

Enable Change Tracking (Optional - only if using change-based Element automations)

-- Enable change tracking for each table (use fully qualified table names)
ALTER TABLE <INSERT_DATABASE>.<INSERT_SCHEMA>.<INSERT_TABLE_NAME> 
  SET CHANGE_TRACKING = TRUE;
Example:
-- Enable change tracking on specific tables
ALTER TABLE SALES_DB.PUBLIC.CUSTOMERS SET CHANGE_TRACKING = TRUE;
ALTER TABLE SALES_DB.PUBLIC.ORDERS SET CHANGE_TRACKING = TRUE;

-- Verify change tracking is enabled
SHOW TABLES LIKE 'CUSTOMERS' IN SCHEMA SALES_DB.PUBLIC;
Skip this step if: You don’t plan to use automations triggered by data changes on Elements in Snowflake. Change tracking allows you to start workflows when data is added or updated in Snowflake.
8

Create Schema for Customer Data

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
CREATE SCHEMA IF NOT EXISTS PUBLIC;
Put any tables specifically created for use in Elementum (such as “Data_Exchange” tables) in the PUBLIC schema or another customer schema. Do not put them in the ELEMENTUM_PLATFORM schema.
9

Grant Cortex LLM and ML Access (Optional - only if using AI/ML features)

USE ROLE ACCOUNTADMIN;

-- Enable cross-region Cortex access
ALTER ACCOUNT SET CORTEX_ENABLED_CROSS_REGION = 'ANY_REGION';

-- Grant Cortex user role
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE ELEMENTUM;

-- Grant Cortex Search Service creation
GRANT CREATE CORTEX SEARCH SERVICE ON SCHEMA ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;

-- Grant ML model creation capabilities
GRANT CREATE SNOWFLAKE.ML.ANOMALY_DETECTION ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
GRANT CREATE SNOWFLAKE.ML.CLASSIFICATION ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
GRANT CREATE SNOWFLAKE.ML.FORECAST ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
Skip this step if: You don’t plan to use AI Search, AI Automations, or ML forecasting features in Elementum.
Cortex Capabilities Enabled:
  • Anomaly Detection: Identify unusual patterns in your data
  • Classification: Categorize and label data automatically
  • Forecasting: Predict future trends and values
  • LLM Access: Use large language models for natural language processing
  • Cortex Search: Semantic search across your data
10

Grant BI View Permissions (Optional - only if using Business Intelligence views)

USE ROLE ACCOUNTADMIN;

-- Replace <DB_NAME> and <SCHEMA_NAME> with the database and schema 
-- where you want Elementum to create BI views

-- Grant USAGE on the database
GRANT USAGE ON DATABASE <DB_NAME> TO ROLE ELEMENTUM;

-- Grant USAGE on the schema
GRANT USAGE ON SCHEMA <DB_NAME>.<SCHEMA_NAME> TO ROLE ELEMENTUM;

-- Grant the ability to manage views in the schema
GRANT CREATE VIEW ON SCHEMA <DB_NAME>.<SCHEMA_NAME> TO ROLE ELEMENTUM;
Example:
-- Example granting permissions for BI views in a dedicated schema
USE ROLE ACCOUNTADMIN;

GRANT USAGE ON DATABASE ANALYTICS_DB TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA ANALYTICS_DB.BI_VIEWS TO ROLE ELEMENTUM;
GRANT CREATE VIEW ON SCHEMA ANALYTICS_DB.BI_VIEWS TO ROLE ELEMENTUM;
Skip this step if: You don’t plan to use Elementum’s BI view feature to expose data to external business intelligence tools like PowerBI, Tableau, or Looker.This grants permissions for Elementum to create and manage BI views. You’ll need to separately grant SELECT permissions to users or BI tool roles that need to query these views. See the Tables documentation for complete permission details.
Critical: Maintain View Ownership: When Elementum creates BI views in your Snowflake environment, the ELEMENTUM role retains ownership of these views. Do not transfer ownership to another role, as this will break Elementum’s ability to update or manage the views. Users and BI tools only need SELECT permissions to query the views, not ownership.

For License Patrol Customers

If you’re using License Patrol, follow these additional setup steps:
1

Install Native App from Snowflake Marketplace

  1. Navigate to the License Patrol listing in the Snowflake Marketplace
  2. Select the app and click Get to install it
  3. Using the ACCOUNTADMIN role, select Manage Access
  4. Add the ELEMENTUM role to the app’s access list
2

Setup Permissions for License Patrol Application

USE ROLE ACCOUNTADMIN;

-- Grant database and schema access
GRANT USAGE ON DATABASE <YOUR_DATABASE> TO APPLICATION LICENSE_PATROL;
GRANT USAGE ON SCHEMA <YOUR_DATABASE>.<YOUR_SCHEMA> TO APPLICATION LICENSE_PATROL;

-- Grant access to relevant tables
GRANT SELECT ON TABLE <YOUR_DATABASE>.<YOUR_SCHEMA>.APPLICATION_LOGINS TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE <YOUR_DATABASE>.<YOUR_SCHEMA>.EMPLOYEE_DATA TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE <YOUR_DATABASE>.<YOUR_SCHEMA>.SOFTWARE_CONTRACTS TO APPLICATION LICENSE_PATROL;

-- Grant Elementum access to License Patrol data
GRANT SELECT ON TABLE LICENSEPATROL.APP_DATA.REVOCATION_EXCLUDE TO ROLE ELEMENTUM;
Example:
-- Example with actual values
USE ROLE ACCOUNTADMIN;

GRANT USAGE ON DATABASE HR_DB TO APPLICATION LICENSE_PATROL;
GRANT USAGE ON SCHEMA HR_DB.PUBLIC TO APPLICATION LICENSE_PATROL;

GRANT SELECT ON TABLE HR_DB.PUBLIC.APPLICATION_LOGINS TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE HR_DB.PUBLIC.EMPLOYEE_DATA TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE HR_DB.PUBLIC.SOFTWARE_CONTRACTS TO APPLICATION LICENSE_PATROL;

GRANT SELECT ON TABLE LICENSEPATROL.APP_DATA.REVOCATION_EXCLUDE TO ROLE ELEMENTUM;
Replace <YOUR_DATABASE> and <YOUR_SCHEMA> with your actual database and schema names containing the License Patrol data.

Adding Elementum Snowflake Credentials into Elementum

After completing the Snowflake setup, configure the connection in Elementum:

Elementum Snowflake Configuration

There are four quick steps for connecting Snowflake data to Elementum:
1

Setup Snowflake Credentials

Navigate to Settings > Cloud Links > Add Connection in Elementum.Enter Connection Details:
  • Name: Descriptive name for your connection (e.g., “Production Snowflake”)
  • Account URL: Your Snowflake account URL (e.g., your-account.snowflakecomputing.com)
  • Username: ELEMENTUM
  • Authentication: RSA Key Pair (automatically configured)
  • Role: ELEMENTUM
  • Warehouse: ELEMENTUM
See Key-Pair Authentication for how the key pair is used and where you copied the public key.
Test the Connection: Click Test Connection to verify the credentials and network access are configured correctly.
2

Select Connection Details

Once connected, you can browse your Snowflake environment:
  1. Select Database: Choose the database containing your tables
  2. Select Schema: Pick the schema with your data
  3. Select Table: Choose the table(s) to integrate with Elementum
Only databases, schemas, and tables that you granted the ELEMENTUM role access to will appear in these lists.
Performance Validation:When you select a table, Elementum automatically tests query performance. If the table responds slower than optimal (3-5 seconds), you’ll see a performance warning. This early detection helps ensure your workflows and automations run efficiently.
Performance Warning? If you see a moderate or slow performance warning, consider optimizing the table before connecting. Options include adding clustering keys, creating materialized views, or increasing warehouse size. You can acknowledge and proceed, but slow tables will impact your solution’s responsiveness.
3

Add Data Naming

Configure how this data appears in Elementum:
  • App Name: The application this data belongs to
  • Table Display Name: User-friendly name for the table
  • Description: Optional description of the data
This naming helps users understand the data’s purpose and context.
4

Complete Field Mapping

Map Snowflake columns to Elementum fields:
  1. Primary Key: Select the unique identifier column
  2. Field Mappings: Map each column to appropriate field types
  3. Field Labels: Customize display names for fields
  4. Field Visibility: Set which fields are visible to users
Field Types Available:
  • Text, Number, Date, Timestamp
  • Boolean, JSON, Array
  • Currency, Percentage
  • References (for relationships)

Resource Scheduler

Every 20 minutesBalanced approach for most use cases
More frequent synchronization intervals will consume more Snowflake credits. Balance freshness needs with cost considerations.

Verification and Testing

After completing the setup, verify everything is working correctly:
1

Test User Login

-- Switch to Elementum role
USE ROLE ELEMENTUM;
USE WAREHOUSE ELEMENTUM;
USE DATABASE ELEMENTUM;

-- Verify role and warehouse
SELECT CURRENT_ROLE(), CURRENT_WAREHOUSE(), CURRENT_DATABASE();
Expected result: Should show ELEMENTUM role, warehouse, and database.
2

Test Data Access

USE ROLE ELEMENTUM;
USE WAREHOUSE ELEMENTUM;

-- Test access to your tables
SELECT COUNT(*) FROM SALES_DB.PUBLIC.CUSTOMERS;

-- Verify change tracking is enabled
SHOW TABLES LIKE 'CUSTOMERS' IN SCHEMA SALES_DB.PUBLIC;
-- Look for "change_tracking" = "ON" in the results

-- Test change tracking (if enabled)
SELECT *
FROM SALES_DB.PUBLIC.CUSTOMERS
CHANGES(INFORMATION => DEFAULT)
AT(TIMESTAMP => DATEADD(HOUR, -1, CURRENT_TIMESTAMP()))
LIMIT 5;
Replace SALES_DB.PUBLIC.CUSTOMERS with your actual database, schema, and table names.
3

Test Cortex Access (Optional - only if you configured AI/ML features)

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
USE SCHEMA ELEMENTUM_PLATFORM;

-- Test Cortex LLM access
SELECT SNOWFLAKE.CORTEX.COMPLETE(
  'mistral-large',
  'What is machine learning?'
) AS response;

-- Test Cortex Sentiment Analysis
SELECT SNOWFLAKE.CORTEX.SENTIMENT(
  'Elementum is an amazing data platform!'
) AS sentiment_score;
If these queries execute successfully, Cortex access is properly configured.
4

Test in Elementum

  1. Verify the connection shows as Connected in CloudLink settings
  2. Browse to the integrated table in Elementum
  3. Verify data loads correctly
  4. Test creating/updating a record (if write access was granted)
  5. Verify changes sync back to Snowflake

Troubleshooting

Cannot Connect from Elementum:
  • Verify IP addresses are whitelisted in Snowflake network policy
  • Confirm RSA public key was added correctly to Snowflake user
  • Check that ELEMENTUM user has ELEMENTUM role granted
  • Verify warehouse is not suspended or has available compute resources
“User does not exist” Error:
  • Ensure user was created with TYPE = SERVICE
  • Verify user creation script ran successfully
  • Check that ACCOUNTADMIN role was used
“JWT token is invalid” or authentication failures:
  • Verify the public key was copied completely from the Elementum UI without extra whitespace or line breaks
  • Confirm the key was assigned to the correct Snowflake user (run DESC USER ELEMENTUM and check for RSA_PUBLIC_KEY_FP)
  • Ensure the key was pasted without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- header/footer lines
“Public key fingerprint mismatch” Error:
  • The public key in Snowflake does not match the private key held by Elementum
  • Re-copy the public key from Elementum and re-assign it using ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY = '...'
Key was rotated and connection stopped working:
  • Use DESC USER ELEMENTUM to verify which key slots have values
  • Ensure the current Elementum public key is assigned to either RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2
  • Follow the key rotation procedure to safely rotate keys without downtime
“Insufficient privileges” Errors:
  • Verify GRANT statements were executed for all required tables
  • Check that role has warehouse usage permission
  • Confirm database and schema access is granted
  • For schema-level grants, ensure USAGE permission is granted on schema
Cannot Access Change Tracking:
  • Verify change tracking is enabled on source tables
  • Confirm ELEMENTUM role has SELECT permission on tables
  • Check that table has been modified since enabling tracking
Slow Query Performance:
  • Consider increasing warehouse size (MEDIUM → LARGE)
  • Review query patterns and add appropriate indexes
  • Check if warehouse is auto-suspending during queries
  • Monitor concurrent usage and adjust cluster count
High Credit Consumption:
  • Review synchronization frequency settings
  • Check for inefficient queries or large data scans
  • Consider using incremental refresh instead of full loads
  • Review warehouse auto-suspend settings
Cannot Use Cortex Features:
  • Verify CORTEX_ENABLED_CROSS_REGION is set to ‘ANY_REGION’
  • Check that SNOWFLAKE.CORTEX_USER role is granted
  • Confirm Cortex is available in your Snowflake region
  • Verify ACCOUNTADMIN role was used to grant Cortex permissions

Multi-Environment Setup

If you’re using organization environments for development, staging, and production workflows, you must create separate Snowflake resources for each environment.

Required Isolation

EnvironmentUserRoleDatabaseSchema
ProductionELEMENTUM_PRODELEMENTUM_PRODELEMENTUM_PRODELEMENTUM_PLATFORM
DevelopmentELEMENTUM_DEVELEMENTUM_DEVELEMENTUM_DEVELEMENTUM_PLATFORM
StagingELEMENTUM_STAGINGELEMENTUM_STAGINGELEMENTUM_STAGINGELEMENTUM_PLATFORM

Setup Script for Additional Environments

Run the following for each additional environment (replace DEV with your environment name): 
USE ROLE ACCOUNTADMIN;

-- Create environment-specific role
CREATE ROLE IF NOT EXISTS ELEMENTUM_DEV;
GRANT ROLE ELEMENTUM_DEV TO ROLE SYSADMIN;

-- Create environment-specific user
CREATE USER IF NOT EXISTS ELEMENTUM_DEV 
  TYPE = SERVICE 
  RSA_PUBLIC_KEY = '<PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI>';
GRANT ROLE ELEMENTUM_DEV TO USER ELEMENTUM_DEV;

-- Create environment-specific warehouse
USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS ELEMENTUM_DEV
  WITH WAREHOUSE_SIZE = 'MEDIUM',
  MIN_CLUSTER_COUNT = 1,
  MAX_CLUSTER_COUNT = 10,
  AUTO_SUSPEND = 60;
GRANT USAGE ON WAREHOUSE ELEMENTUM_DEV TO ROLE ELEMENTUM_DEV;

-- Create environment-specific database
CREATE DATABASE IF NOT EXISTS ELEMENTUM_DEV;
GRANT OWNERSHIP ON DATABASE ELEMENTUM_DEV TO ROLE ELEMENTUM_DEV;

-- Create platform schema
USE ROLE ELEMENTUM_DEV;
USE DATABASE ELEMENTUM_DEV;
CREATE SCHEMA IF NOT EXISTS ELEMENTUM_PLATFORM;

Shared External Data (Optional)

You can grant multiple environment users access to the same external business data tables if needed for testing with realistic data: 
-- Example: Grant both DEV and PROD access to the same business data
USE ROLE SYSADMIN;

-- Grant to production
GRANT USAGE ON DATABASE BUSINESS_DATA TO ROLE ELEMENTUM_PROD;
GRANT USAGE ON SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_PROD;
GRANT SELECT ON ALL TABLES IN SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_PROD;

-- Grant to development (same data)
GRANT USAGE ON DATABASE BUSINESS_DATA TO ROLE ELEMENTUM_DEV;
GRANT USAGE ON SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_DEV;
GRANT SELECT ON ALL TABLES IN SCHEMA BUSINESS_DATA.PUBLIC TO ROLE ELEMENTUM_DEV;
Understand the implications: When environments share access to external data, any changes made in one environment are visible in all environments. This is often acceptable for read-only reference data, but be cautious with shared write access.

Security Best Practices

  • Grant only necessary permissions to ELEMENTUM role
  • Use read-only access where write access isn’t required
  • Regularly audit granted permissions
  • Remove access to tables no longer in use

Next Steps

Configure Apps

Set up your first app in Elementum using your connected data

Create Automations

Build workflows that act on your Snowflake data

Setup AI Features

Enable AI-powered search, automations, and insights

Performance Tuning

Optimize your warehouse configuration for best performance

Additional Resources

Manual Setup Guide

Alternative manual configuration steps

CloudLink Overview

Learn more about CloudLink architecture

Data Best Practices

Optimize your data models for Elementum

Get Support

Contact our team for setup assistance
This guide reflects the latest Snowflake and Elementum best practices. For additional assistance, contact support@elementum.io.