
Accessing Snowflake Tables with Restricted Caller's Rights

Overview

Honeycomb Maps can query Snowflake tables directly within your Snowflake account without requiring connection strings or external configuration parameters. The application uses Snowflake's Restricted Caller's Rights feature to execute queries using the permissions of the current user.

Understanding Restricted Caller's Rights

Restricted Caller's Rights is a Snowflake security feature that allows Honeycomb Maps to operate with the permissions of the logged-in user when executing queries. This approach ensures that:

  • Users can only access data they are already authorized to view
  • Existing role-based access controls remain enforced
  • No additional permissions are granted beyond the user's current privileges

Note: Restricted Caller's Rights does not grant Honeycomb Maps or users any additional access to data tables. It allows the user's existing permissions to flow through the application when they are logged in.

Configuring Restricted Caller's Rights

Before users can access tables through Honeycomb Maps, you must configure which permissions the application may utilize. This configuration defines the scope of access available to the application.

Prerequisites

  • MANAGE APPLICATION permission on the Honeycomb Maps application

Configuration Methods

You can configure permissions using either the Snowsight UI or SQL statements.

Using the Snowsight UI

  1. Navigate to the Permissions page in the Honeycomb Maps application management interface in Snowsight
  2. Configure the databases, schemas, and tables that Honeycomb Maps may access
  3. Save your changes

[Screenshot: the Snowflake Snowsight UI for granting RCR permissions]

Note: The Permissions page is only accessible to users with the MANAGE APPLICATION permission.

Using SQL Statements

Execute the following SQL statements to grant permissions:

```sql
-- Let the application use the caller's USAGE privilege on the database and schema
GRANT CALLER USAGE ON DATABASE SAMPLE_DATABASE TO APPLICATION HONEYCOMB_MAPS;
GRANT CALLER USAGE ON SCHEMA SAMPLE_DATABASE.SAMPLE_SCHEMA TO APPLICATION HONEYCOMB_MAPS;
-- Let the application use the caller's SELECT privilege on every table in the schema
GRANT INHERITED CALLER SELECT ON ALL TABLES IN SCHEMA SAMPLE_DATABASE.SAMPLE_SCHEMA TO APPLICATION HONEYCOMB_MAPS;
```

Replace SAMPLE_DATABASE and SAMPLE_SCHEMA with your actual database and schema names.

Best Practices

  • Grant SELECT privilege on all databases and schemas that contain data users may want to visualize with Honeycomb Maps
  • Review and update permissions regularly to reflect changes in your data access requirements
  • Leverage existing role-based access controls to maintain consistent security policies
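
One way to carry out the periodic review described above, shown as an added example that is not part of the Honeycomb Maps documentation. It assumes Snowflake's SHOW CALLER GRANTS and REVOKE CALLER commands; SAMPLE_TABLE and OLD_SCHEMA are hypothetical names.

```sql
-- Added example. SAMPLE_TABLE and OLD_SCHEMA are hypothetical object names.

-- 1. Review: list every caller grant the application currently holds.
SHOW CALLER GRANTS TO APPLICATION HONEYCOMB_MAPS;

-- 2. Narrow: replace the schema-wide table grant with a grant on the one
--    table that users actually visualize.
REVOKE INHERITED CALLER SELECT
  ON ALL TABLES IN SCHEMA SAMPLE_DATABASE.SAMPLE_SCHEMA
  FROM APPLICATION HONEYCOMB_MAPS;

GRANT CALLER SELECT
  ON TABLE SAMPLE_DATABASE.SAMPLE_SCHEMA.SAMPLE_TABLE
  TO APPLICATION HONEYCOMB_MAPS;

-- 3. Remove: withdraw access to a schema that no longer holds map data.
REVOKE CALLER USAGE
  ON SCHEMA SAMPLE_DATABASE.OLD_SCHEMA
  FROM APPLICATION HONEYCOMB_MAPS;

-- 4. Verify: confirm the remaining grants match the intended scope.
SHOW CALLER GRANTS TO APPLICATION HONEYCOMB_MAPS;
```

Caller grants only set the ceiling for the application; a user still needs their own SELECT privilege on SAMPLE_TABLE for a query to succeed.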

Benefits

Using Restricted Caller's Rights provides:

  • Seamless data access for users within Honeycomb Maps
  • Consistent security by leveraging existing roles and protections
  • No credential management since authentication uses Snowflake's native security model
  • Granular control over which data sources are available to the application