User access and settings for agents

This topic provides information about the permissions required for users to interact with agents in Snowflake Intelligence and about the settings available for the Snowflake Intelligence interface and advanced access control features.

If you don’t have an agent for use with Snowflake Intelligence, create one using the Build agents guide.

Customize the Snowflake Intelligence interface

To customize the Snowflake Intelligence interface through which users interact with Cortex Agents, follow these steps:

  1. Sign in to Snowsight.
  2. In the navigation menu, select AI & ML » Agents.
  3. Select Open settings.
  4. Under Snowflake Intelligence, modify the following settings:
    • Display name: The name of the Snowflake Intelligence interface that is displayed to users.
    • Welcome message: The message that is displayed when users first open the Snowflake Intelligence interface.
    • Color theme: The color theme of the Snowflake Intelligence interface. You can provide a custom primary color in hexadecimal format.
    • Full-length logo and Compact logo: The logos that are displayed when the navigation pane is expanded or collapsed, respectively.
    • Compact logo: The icon that is displayed in the browser tab.
  5. Select Save.

User privileges and access control

Users must have the following privileges to view agents in Snowflake Intelligence:

Privilege | Object | Notes
USAGE | Database, schema | Required to view agents.
USAGE | Agent | Required to query the Cortex Agent to generate responses.

To access the tools attached to an agent, users must have the following privileges:

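Privilege | Object | Notes
USAGE | Database, schema | Required to access the objects associated with any tools to be attached to the agent.
USAGE | Cortex Search Service | Required to run the Cortex Search Service in Cortex Agents requests.
SELECT |  | Required to access the objects referenced in the agent's semantic view/model.
USAGE | Tool | Required to access all custom tools that the agent can use to generate responses. For example, if the custom tool is a stored procedure, the user must have the USAGE privilege on that procedure.
USAGE | Semantic view/model | Required to access the semantic view/model referenced by the agent.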

Restrict access to specific roles

The CORTEX_USER role gives users access to all Cortex features, including agents. By default, this role is granted to the PUBLIC role, which is automatically granted to all users and roles. If you don’t want all users to have this privilege, you can revoke it from the PUBLIC role and grant access to specific roles only. For more information, see Cortex LLM privileges.

After the CORTEX_USER role is revoked from the PUBLIC role, you can grant the CORTEX_AGENT_USER role. This role gives users access to only the Cortex Agents API, which allows them to use Snowflake Intelligence, but not the other Cortex features.

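  • To provide selective access to Cortex Agents so that only a subset of users can access the feature, first revoke access from the PUBLIC role, and then grant the CORTEX_AGENT_USER role to specific users: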
    GRANT DATABASE ROLE SNOWFLAKE.CORTEX_AGENT_USER TO ROLE <role_name>;

For more information, see Access control requirements.

Configure Snowflake Intelligence with private connectivity

Snowflake Intelligence supports integration with AWS PrivateLink and Azure Private Link to establish a private connection between your virtual private cloud (VPC) or virtual network (VNet) and Snowflake Intelligence. Configuring private connectivity requires setting up the correct DNS resolution to direct traffic to the Snowflake Intelligence service through this private connection.

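Note that AWS PrivateLink and Azure Private Link are not services provided by Snowflake. They are an AWS service and a Microsoft service, respectively, that Snowflake supports for use with your Snowflake account.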

Prerequisites

Complete the following prerequisites before connecting to Snowflake Intelligence with private connectivity.

Important

Snowflake Intelligence exclusively uses the regionless URL format for private connectivity access. Unlike with other private connectivity URLs used for Snowflake, you should not include a region identifier, such as us-west-2, in the hostname. Any attempts to connect using a region-specific URL will fail.

Connect to Snowflake Intelligence

Connect to Snowflake Intelligence by configuring the DNS for Snowflake Intelligence to use the subdomain.

  • Create a CNAME record in your private DNS zone, privatelink.snowflakecomputing.cn, that maps the following URL to the DNS name of your VPC or VNet endpoint:
    si-<org-acct>.privatelink.snowflakecomputing.cn

After the configuration is complete, users within your network can access Snowflake Intelligence by navigating to the following URL:

https://si-<org-acct>.privatelink.snowflakecomputing.cn

The connection is routed securely over private connectivity.

User authentication with private connectivity

Users accessing Snowflake Intelligence with private connectivity use the standard Snowflake authentication process, which requires them to provide their account identifier, username, and password on the sign-in page.

Redirect users to your identity provider

An account administrator can configure all user URLs to redirect to your identity provider (IdP) when an unauthenticated user accesses Snowflake Intelligence. This process eliminates a step from the user’s sign-in flow.

  • To redirect unauthenticated users from URLs to your IdP, execute the following SQL command, replacing your_security_integration with the name of the security integration that is configured for your IdP:
    ALTER ACCOUNT SET LOGIN_IDP_REDIRECT = (SNOWFLAKE_INTELLIGENCE = <your_security_integration>);

Note

  • To use IdP redirecting when Snowflake Intelligence is accessed with private connectivity, you must configure the DNS to direct traffic to the Snowflake Intelligence service using the following URL format:
    https://si-<org-acct>.privatelink.snowflakecomputing.cn

For more information, see Configure Snowflake Intelligence with private connectivity.

For a full overview of LOGIN_IDP_REDIRECT, including the procedure for reaching the Snowflake sign-in page when the IdP is unavailable, see Automatically redirecting users to your identity provider.

For more information about configuring your Snowflake account to use an IdP, see the following topics:

Limit a user’s access to only Snowflake Intelligence

To restrict a user to only access Snowflake Intelligence and prevent them from accessing other parts of Snowflake, you can use either the ALTER USER SQL command or the allowedInterfaces SCIM attribute. If a value other than ALL is specified using either method, then users can only access the interface specified and cannot interact with any Snowflake data outside of the interface specified.

  • To restrict a user to only access Snowflake Intelligence, use the ALTER USER SQL command:

    ALTER USER <user_name> SET ALLOWED_INTERFACES = (SNOWFLAKE_INTELLIGENCE);
  • If you’re provisioning users with SCIM APIs, to set the same restriction, use the custom attribute allowedInterfaces.

For more information about SCIM custom attributes, see Custom attributes.
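The following script is an added example, not part of the original page. It combines the steps from "Restrict access to specific roles" and this section into one least-privilege onboarding sequence. The role, user, warehouse, database, schema, and agent names are hypothetical, and the script assumes the agent already exists.

```sql
-- Added example: all object names below are hypothetical placeholders.
--   SI_ANALYST (role), JSMITH (user), SI_WH (warehouse),
--   SALES_DB.AGENTS.SALES_AGENT (agent)
USE ROLE ACCOUNTADMIN;

-- 1. Before revoking, list every grantee of CORTEX_USER so you know which
--    roles depend on the PUBLIC grant and which hold the role directly.
SHOW GRANTS OF DATABASE ROLE SNOWFLAKE.CORTEX_USER;

-- 2. Remove the account-wide default, then grant only the Cortex Agents API.
REVOKE DATABASE ROLE SNOWFLAKE.CORTEX_USER FROM ROLE PUBLIC;
CREATE ROLE IF NOT EXISTS SI_ANALYST;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_AGENT_USER TO ROLE SI_ANALYST;

-- 3. Privileges from the tables earlier on this page:
--    USAGE on the database, the schema, and the agent itself.
GRANT USAGE ON DATABASE SALES_DB TO ROLE SI_ANALYST;
GRANT USAGE ON SCHEMA SALES_DB.AGENTS TO ROLE SI_ANALYST;
GRANT USAGE ON AGENT SALES_DB.AGENTS.SALES_AGENT TO ROLE SI_ANALYST;
-- Tool privileges (Cortex Search Service, semantic view/model, custom tools)
-- are granted the same way, one grant per object the agent actually uses.

-- 4. Snowflake Intelligence runs with the user's default role and warehouse,
--    so both must be set and usable.
GRANT USAGE ON WAREHOUSE SI_WH TO ROLE SI_ANALYST;
GRANT ROLE SI_ANALYST TO USER JSMITH;
ALTER USER JSMITH SET DEFAULT_ROLE = SI_ANALYST DEFAULT_WAREHOUSE = SI_WH;

-- 5. Confine the user to the Snowflake Intelligence interface.
ALTER USER JSMITH SET ALLOWED_INTERFACES = (SNOWFLAKE_INTELLIGENCE);

-- 6. Review the result: the role should hold nothing beyond the grants above.
SHOW GRANTS TO ROLE SI_ANALYST;
SHOW GRANTS TO USER JSMITH;
```

Step 1 matters because revoking CORTEX_USER from PUBLIC removes Cortex access from every user who relied on the default grant, not only the users you intend to restrict.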

Limitations

Snowflake Intelligence currently has these limitations for Snowflake Intelligence-only users:

  • Custom branding logos and icons don’t work for Snowflake Intelligence-only users and default to the Snowflake logo and icon.
  • Snowflake Intelligence-only users cannot upload files.

Snowflake Intelligence object

A Snowflake Intelligence object is an account-level object used to manage all agents in Snowflake Intelligence and their settings for your account. The Snowflake Intelligence object offers the following benefits:

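  • Flexibility: Create and manage agents anywhere in your account, without having to centralize them in a single schema.
  • Agent visibility management: Use a single object to control which agents are displayed to all users.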
  • Improved permission management: Separate the ability to create agents from the ability to control which agents are shown in Snowflake Intelligence.

Note

Using a Snowflake Intelligence object is an advanced configuration option and is not required to manage agents in Snowflake Intelligence. If an account has a Snowflake Intelligence object, then the agent must be added to that object to be visible. If not added, the agent can only be accessed using a direct link or the Snowsight UI.

Set up a Snowflake Intelligence object

Note

The role must have the CREATE SNOWFLAKE INTELLIGENCE ON ACCOUNT privilege to create a Snowflake Intelligence object.

To set up a Snowflake Intelligence object for your users, follow this process, which is expanded in the following sections:

  • Create a Snowflake Intelligence object. The Snowflake Intelligence object is a single object meant to manage all agents used with Snowflake Intelligence in your account. You can only have one Snowflake Intelligence object in your account.
  • Add agents to the Snowflake Intelligence object.
  • GRANT the USAGE privilege on the Snowflake Intelligence object.

Create a Snowflake Intelligence object

You can use either Snowsight or SQL to create a Snowflake Intelligence object.

Snowflake automatically creates the Snowflake Intelligence object when you modify the Snowflake Intelligence settings for the first time. When created using the UI, the Snowflake Intelligence object is named SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT. You can’t specify a different name.

  1. Sign in to Snowsight.
  2. In the navigation menu, select AI & ML » Agents.
  3. On the Snowflake Intelligence tab, select Open settings. The Snowflake Intelligence object is created automatically if it doesn’t already exist. You can then add agents to the object.

Add agents

The Snowflake Intelligence object is an account-level object that contains a list of agents. You can add or remove agents from this object to create a curated list of agents for your users. For more information about adding or removing agents, see Configure the visibility of agents in Snowflake Intelligence.

Grant Snowflake Intelligence privileges

The following privileges control access to Snowflake Intelligence objects:

  • CREATE SNOWFLAKE INTELLIGENCE on the account: Privilege that allows creating a Snowflake Intelligence object. This privilege is granted to ACCOUNTADMIN by default.

    To grant this privilege to other roles, run the following command:

    GRANT CREATE SNOWFLAKE INTELLIGENCE ON ACCOUNT TO ROLE <role_name>;
  • USAGE on the Snowflake Intelligence object: Privilege that allows users to view the list of agents added to the Snowflake Intelligence object and see configuration values.

    To grant this privilege, run the following command:

    GRANT USAGE ON SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT TO ROLE <role_name>;
  • MODIFY on the Snowflake Intelligence object: Privilege that allows users to add or remove agents from the Snowflake Intelligence object and change configuration values. Account administrators have this privilege by default.

    To grant this privilege, run the following command:

    GRANT MODIFY ON SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT TO ROLE <role_name>;
  • To make the Snowflake Intelligence object visible to all of your users, grant the USAGE privilege on the object to the PUBLIC role:

    GRANT USAGE ON SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT TO ROLE PUBLIC;

If you are using the ACCOUNTADMIN role, you also have the MODIFY privilege on the Snowflake Intelligence object. This allows you to add or remove agents from the object to create a curated list of agents for your users.

To set up Snowflake Intelligence for your users, you must configure agent privileges. For information about the privileges required for agents, see Access control requirements.

Important

By default, Snowflake Intelligence uses the default role and the default warehouse of the user. When you invite others to use Snowflake Intelligence, ensure that they have a default role and warehouse.

Note

All of the queries from Snowflake Intelligence use the user’s credentials. All role-based access control and data-masking policies associated with the user automatically apply to all interactions and conversations with the agent.

Configure the visibility of agents in Snowflake Intelligence

In some cases, you might want to limit the agents that users can see in Snowflake Intelligence. For example, you might want to only show agents that are relevant to a specific user or group of users.

If you haven’t created a Snowflake Intelligence object and added agents to it, users automatically see all agents they have access to in your account.

  • To control which agents appear in the Snowflake Intelligence interface for all users, create a curated list of agents by adding them to the Snowflake Intelligence object.

Verify the Snowflake Intelligence object

  • To see whether the Snowflake Intelligence object has been created in your account, use the following command:
    SHOW SNOWFLAKE INTELLIGENCES;

Note

Only one Snowflake Intelligence object can exist in an account.

Manage agents with the Snowflake Intelligence object

  • To add agents to the Snowflake Intelligence object, use the following command:

    ALTER SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT ADD AGENT <db.schema.agent_name>;
  • To remove agents from the Snowflake Intelligence object, use the following command:

    ALTER SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT DROP AGENT <db.schema.agent_name>;

Note

Any user or admin with the correct database and schema privileges can create agents. However, agents are not automatically added to the Snowflake Intelligence object: to add an agent to the Snowflake Intelligence object, users must have the ALTER privilege on the Snowflake Intelligence object and USAGE privileges on the agent.

Administrators must have the USAGE privilege on the agent to add it to the Snowflake Intelligence object.
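The following script is an added example, not part of the original page. It delegates curation of the Snowflake Intelligence object to a dedicated role by using the MODIFY privilege listed under "Grant Snowflake Intelligence privileges", and shows that removing an agent from the list is separate from removing access to it. The roles AGENT_CURATOR and SI_ANALYST and the agents under SALES_DB.AGENTS are hypothetical; the script assumes the object and both agents already exist and that the current user has been granted AGENT_CURATOR.

```sql
-- Added example: AGENT_CURATOR, SI_ANALYST and SALES_DB.AGENTS.* are
-- hypothetical names.
USE ROLE ACCOUNTADMIN;

-- Confirm the single account-level object exists before granting on it.
SHOW SNOWFLAKE INTELLIGENCES;

-- Curator role: may change the curated list, and needs USAGE on each
-- agent it adds (plus USAGE on the containing database and schema).
CREATE ROLE IF NOT EXISTS AGENT_CURATOR;
GRANT MODIFY ON SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT TO ROLE AGENT_CURATOR;
GRANT USAGE ON DATABASE SALES_DB TO ROLE AGENT_CURATOR;
GRANT USAGE ON SCHEMA SALES_DB.AGENTS TO ROLE AGENT_CURATOR;
GRANT USAGE ON AGENT SALES_DB.AGENTS.SALES_AGENT TO ROLE AGENT_CURATOR;
GRANT USAGE ON AGENT SALES_DB.AGENTS.LEGACY_AGENT TO ROLE AGENT_CURATOR;

-- Consumer role: may see the curated list but cannot change it.
CREATE ROLE IF NOT EXISTS SI_ANALYST;
GRANT USAGE ON SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT TO ROLE SI_ANALYST;

-- Curate as the delegated role rather than as ACCOUNTADMIN.
USE ROLE AGENT_CURATOR;
ALTER SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT ADD AGENT SALES_DB.AGENTS.SALES_AGENT;

-- Retiring an agent: DROP AGENT only removes it from the displayed list.
-- An agent that is not in the object can still be opened by direct link or
-- in Snowsight by any role that holds USAGE on it, so revoke that as well.
ALTER SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT DROP AGENT SALES_DB.AGENTS.LEGACY_AGENT;
USE ROLE ACCOUNTADMIN;
REVOKE USAGE ON AGENT SALES_DB.AGENTS.LEGACY_AGENT FROM ROLE SI_ANALYST;

-- Review what each role ended up with.
SHOW GRANTS TO ROLE AGENT_CURATOR;
SHOW GRANTS TO ROLE SI_ANALYST;
```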

Migrate from managing agent visibility with the SNOWFLAKE_INTELLIGENCE.AGENTS schema to the Snowflake Intelligence object

Important

The SNOWFLAKE_INTELLIGENCE.AGENTS schema is deprecated as a mechanism for managing agent visibility. If you’re currently using this schema, we recommend migrating to the Snowflake Intelligence object.

If you’re using the SNOWFLAKE_INTELLIGENCE.AGENTS schema, your agents will continue to work, as detailed in Configure the visibility of agents in Snowflake Intelligence. However, migrating to the Snowflake Intelligence object provides the following benefits:

  • Flexibility: Create and manage agents anywhere in your account, without having to centralize them in a single schema.
  • Improved permission management: Separate the ability to create agents from the ability to make them visible in Snowflake Intelligence.
  • Fewer naming conflicts: Eliminate potential conflicts with the SNOWFLAKE_INTELLIGENCE.AGENTS schema name.
  • Easier agent visibility management: Use a single object to control which agents are displayed to all users.

You must create a Snowflake Intelligence object before you migrate your agents. For information about creating a Snowflake Intelligence object, see Snowflake Intelligence object.

  • To add an agent to the Snowflake Intelligence object, use the following code:
    ALTER SNOWFLAKE INTELLIGENCE SNOWFLAKE_INTELLIGENCE_OBJECT_DEFAULT ADD AGENT SNOWFLAKE_INTELLIGENCE.AGENTS.<agent_name>;

Access agents

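After you create an agent, you can ask it questions to get insights from your data. The agent can answer questions such as the following:

  • What was the average sales amount last quarter?
  • Which product had the highest sales last month?
  • Can you show me the sales trend for the last year?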

It can also provide visualizations using most Vega-Lite (https://vega.github.io/vega-lite/examples/) chart types. Geographic map charts are not supported. Notable examples include:

  • Bar, line, pie, and scatter charts
  • Area charts
  • Heatmaps
  • Box plots
  • Dual-axis and layered charts (for example, a bar chart and line chart combined)
  • Faceted charts and small multiples
  • Error bars and error bands
  • Text annotations

Note

Bar, line, pie, and scatter charts include a chart editor for manual adjustments. For all other chart types, ask Snowflake Intelligence to make changes to the chart.

To use an agent, follow these steps:

To access Snowflake Intelligence without private connectivity, navigate to the following URL:

https://ai.snowflake.com

Note

You can switch between agents within the same conversation thread so that context is preserved across agent interactions.

Monitor agent usage and feedback

You can view logs for an agent to see details about the interactions that users have had with the agent. The logs include information such as the prompts that users have sent to the agent, the responses that the agent has provided, and any errors that have occurred. For more information about viewing logs for agents, see Monitor Cortex Agent requests.

When users in your organization interact with agents, they can provide feedback about the responses that the agents provide. This feedback gives high-level insights about the satisfaction of users. To view user feedback for your agents, see Monitor Cortex Agent requests.