What Snowflake services do we need to run Sema4.ai Team Edition (SPCS + Cortex), and what permissions are required?

Most Snowflake teams can get Sema4.ai Team Edition live in days—not months—if they know exactly which Snowflake services to enable and which permissions to grant up front. This guide walks through the minimum services, roles, and grants required to run Team Edition with Snowpark Container Services (SPCS) and Snowflake Cortex AI inside your own Snowflake account, with zero data movement.

The goal: AI agents that run natively in your Snowflake environment, use Cortex for reasoning, act over your governed data, and respect your existing security boundary and RBAC model.


At a Glance: Required Snowflake Services and Permissions

Core services you’ll need:

  • Snowpark Container Services (SPCS)
    To run the Sema4.ai Team Edition application natively in your Snowflake account.
  • Snowflake Cortex AI
    To power LLM reasoning adjacent to your governed data, including direct integration with Claude in Cortex.
  • Standard Snowflake compute & storage
    Warehouses and databases where your data lives and where agents execute SQL and DataFrames.

High-level permission requirements:

  • A platform-level role to create and manage:
    • SPCS compute pools
    • SPCS image repositories
    • SPCS services (Sema4.ai Team Edition app)
  • A data-access role (or set of roles) for:
    • Read access to source databases/schemas/tables/views used by agents
    • Usage on the warehouses agents will use
  • An AI/ML role to:
    • Enable and use Snowflake Cortex AI
    • Call Cortex models (e.g., Claude in Cortex) from within the Sema4.ai agent runtime

Most enterprises implement this as a combination of (1) an “infrastructure” role that sets up Sema4.ai Team Edition in SPCS and (2) one or more “data roles” that govern what the agents are allowed to see and do.


Why SPCS + Cortex Matter for Sema4.ai Team Edition

Sema4.ai Team Edition is built for teams that want AI agents close to their data—not in somebody else’s cloud. Running natively in Snowflake via Snowpark Container Services means:

  • Zero data movement. Data never leaves your Snowflake account. Agents run where your data already lives.
  • Unified security boundary. You inherit Snowflake’s governance model (RBAC, masking, policies) instead of standing up a separate AI stack.
  • Cortex-adjacent LLMs. You can use Claude and other models in Snowflake Cortex AI so queries and document understanding stay inside your Snowflake environment.

That’s why the two non‑negotiable dependencies for Team Edition in Snowflake are:

  1. Snowpark Container Services – to run the Sema4.ai control plane and agents as a native Snowflake application.
  2. Snowflake Cortex AI – to power agent reasoning over documents, tables, and complex workflows without pushing data out to an external LLM.

Snowflake Services Needed to Run Sema4.ai Team Edition

1. Snowpark Container Services (SPCS)

Purpose: Host the Sema4.ai Team Edition application and agent runtime directly inside Snowflake.

Sema4.ai ships as a native application running in Snowpark Container Services, which allows you to:

  • Run agents within your Snowflake security boundary.
  • Execute Actions (workflows) against Snowflake data and connected systems.
  • Maintain full auditability through Snowflake’s logging and Sema4.ai’s Transparent Reasoning.

What you need enabled:

  • Snowpark Container Services feature enabled for your Snowflake account.
  • Ability to create and manage:
    • Compute pools
    • Image repositories
    • Services (to deploy the Sema4.ai Team Edition application)

Most often, this is handled by a platform/Cloud CoE team with ACCOUNTADMIN-level or delegated admin capabilities.


2. Snowflake Cortex AI

Purpose: Provide enterprise-grade LLM capabilities adjacent to your governed data for reasoning, classification, extraction, and generative steps inside agent workflows.

With Team Edition plus Snowflake Cortex AI, you can:

  • Run agents powered by LLMs running adjacent to your governed data.
  • Use a direct integration with Claude in Snowflake Cortex AI, so your data never leaves your Snowflake account.
  • Scale from agent concept to production in days, leveraging Snowflake’s serverless LLM infrastructure.
  • Rely on Snowflake’s unified governance for consistent security across data and AI operations.

What you need enabled:

  • Snowflake Cortex AI enabled in your account/region.
  • Permissions for the Sema4.ai runtime role(s) to:
    • Call Cortex models (e.g., SELECT SNOWFLAKE.CORTEX.COMPLETE(...) patterns).
    • Use Cortex for document understanding and unstructured/structured fusion inside agents.

3. Standard Snowflake Compute, Storage, and Governance

Purpose: Provide the data and compute the agents will use for queries, joins, and mathematically accurate analysis via Sema4.ai DataFrames.

You’ll need:

  • Databases/Schemas/Tables/Views
    Where your operational and analytical data lives (e.g., finance, AP, AR, ERP mirrors, logs).
  • Virtual Warehouses or Snowflake compute resources that:
    • Agents can use to query and transform data.
    • Are sized for the workloads (e.g., invoice reconciliation, AP matching, document-heavy processes).
  • Governance controls already in place:
    • RBAC roles and grants
    • Dynamic data masking (if used)
    • Row access policies
    • Logging/monitoring via your existing tools (Datadog, Splunk, Grafana, etc.)

Sema4.ai Team Edition respects all of this. Agents see only what the Snowflake role you assign allows them to see.


Recommended Snowflake Roles and Permission Patterns

The exact mapping will depend on your Snowflake hierarchy and naming conventions, but the following is a practical pattern that aligns with how most enterprises roll out Team Edition.

1. Platform / Infrastructure Role (for SPCS & App Setup)

Who uses it: Snowflake platform admins, Cloud CoE, or a central data platform team.

What it does: Installs and manages the Sema4.ai Team Edition application in Snowflake.

Typical capabilities:

  • Account-level capabilities (granted directly or via delegated admin):
    • Create and manage compute pools for SPCS.
    • Create and manage image repositories.
    • Create and manage services in SPCS.
  • Application installation permissions:
    • Ability to install and configure the Sema4.ai native app from Snowflake Marketplace (or via provided manifests).
  • Security/governance duties:
    • Assign appropriate data roles and warehouses to the Sema4.ai runtime.
    • Coordinate with InfoSec to confirm data never leaves the Snowflake boundary.

This role is not used for day-to-day agent work; it’s infrastructure-only.


2. Agent Runtime Role(s) (Data Access + Execution)

Who uses it: The Sema4.ai Team Edition runtime, when executing Runbooks and Actions inside Snowflake.

What it does: Governs what agents can read, write, and compute over in your account.

Typical grants:

  • Usage on databases/schemas where agents should operate:
    • USAGE on each database and schema.
  • Read access for analytics and decision-making:
    • SELECT on tables/views required for workflows (e.g., invoices, payments, customer records, GL tables).
  • Write/modify access where appropriate:
    • INSERT, UPDATE, DELETE, or MERGE on target tables if agents will write back results (e.g., reconciliation status).
    • CREATE TABLE / CREATE VIEW for staging or DataFrames materialization, if you choose to materialize.
  • Warehouse usage:
    • USAGE on the warehouse(s) that Sema4.ai agents are allowed to use.
    • Optional: separate dedicated warehouses for AI/agent workloads for cost and performance isolation.
  • Cortex usage:
    • Permission to invoke Snowflake Cortex AI models (as defined by your Snowflake account’s Cortex configuration).

You can define different runtime roles for different domains (e.g., S4A_TEAM_EDITION_AP_ROLE, S4A_TEAM_EDITION_AR_ROLE) to align with least-privilege and regulatory boundaries.
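
One way to express the grants above for a single domain role, as an added example (not Sema4.ai's or Snowflake's own setup script). The database, schema, table and warehouse names are hypothetical, and how the role is bound to the Team Edition runtime is not covered on this page.

```sql
-- Added example: least-privilege grants for one agent runtime role.
-- Hypothetical objects: FINANCE_DB.AP (INVOICES, PAYMENTS, RECON_STATUS)
-- and a dedicated warehouse S4A_AP_WH. Adjust to your own hierarchy.

USE ROLE SECURITYADMIN;

CREATE ROLE IF NOT EXISTS S4A_TEAM_EDITION_AP_ROLE;

-- Namespace access: USAGE alone exposes no rows, it only makes the
-- database and schema resolvable for the role.
GRANT USAGE ON DATABASE FINANCE_DB    TO ROLE S4A_TEAM_EDITION_AP_ROLE;
GRANT USAGE ON SCHEMA   FINANCE_DB.AP TO ROLE S4A_TEAM_EDITION_AP_ROLE;

-- Read access: name the objects the workflow needs instead of granting
-- SELECT ON ALL TABLES, so new tables are not exposed by accident.
GRANT SELECT ON TABLE FINANCE_DB.AP.INVOICES TO ROLE S4A_TEAM_EDITION_AP_ROLE;
GRANT SELECT ON TABLE FINANCE_DB.AP.PAYMENTS TO ROLE S4A_TEAM_EDITION_AP_ROLE;

-- Write-back limited to one results table. Snowflake has no separate
-- MERGE privilege: a MERGE statement needs INSERT and UPDATE on its
-- target (plus DELETE only if it deletes rows).
GRANT INSERT, UPDATE ON TABLE FINANCE_DB.AP.RECON_STATUS
  TO ROLE S4A_TEAM_EDITION_AP_ROLE;

-- Compute: a dedicated warehouse keeps agent cost and load isolated.
GRANT USAGE ON WAREHOUSE S4A_AP_WH TO ROLE S4A_TEAM_EDITION_AP_ROLE;

-- Cortex: the SNOWFLAKE.CORTEX_USER database role gates the Cortex LLM
-- functions. Granting it requires ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE S4A_TEAM_EDITION_AP_ROLE;

-- CORTEX_USER is granted to PUBLIC by default, so the grant above only
-- restricts anything once that default is removed. Left commented out
-- because it affects every role in the account:
-- REVOKE DATABASE ROLE SNOWFLAKE.CORTEX_USER FROM ROLE PUBLIC;

-- Check: review exactly what the role ended up with.
SHOW GRANTS TO ROLE S4A_TEAM_EDITION_AP_ROLE;
```

Repeat the pattern per domain role (for example S4A_TEAM_EDITION_AR_ROLE) so that each role's grant list stays short enough to review.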


3. Administration & Observability Roles

Who uses them: Data platform leads, security, and operations teams.

What they do: Monitor, govern, and audit Sema4.ai Team Edition usage.

Typical needs:

  • Ability to view SPCS service logs and metrics for the Sema4.ai application.
  • Access to Snowflake query history for the Sema4.ai runtime role(s).
  • Integration points for:
    • Datadog, Splunk, Grafana, LangSmith, or your preferred observability tools.
  • Alignment with Sema4.ai’s own Control Room and Transparent Reasoning:
    • Snowflake query logs give you the infrastructure view.
    • Sema4.ai Control Room gives you the agent reasoning and action-level audit trail.

These roles don’t usually perform agent actions; they supervise, audit, and tune.
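
A query an observability role could run over Snowflake's account usage views to confirm the runtime role stays inside its intended schema, as an added example (not part of the Sema4.ai product). It assumes the runtime's queries are recorded under the role name S4A_TEAM_EDITION_AP_ROLE and that FINANCE_DB.AP (a hypothetical name) is the only schema that role should touch.

```sql
-- Added example: objects read by the agent runtime role in the last
-- 7 days that fall outside its intended schema.
-- Assumptions: role name and FINANCE_DB.AP are placeholders; the caller
-- has access to SNOWFLAKE.ACCOUNT_USAGE. ACCESS_HISTORY requires
-- Enterprise Edition or higher, and ACCOUNT_USAGE views are not real time.

WITH accessed AS (
    -- One row per (query, underlying object). base_objects_accessed
    -- resolves views down to the tables they read from.
    SELECT
        ah.query_id,
        obj.value:"objectDomain"::STRING AS object_domain,
        obj.value:"objectName"::STRING   AS object_name
    FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY AS ah,
         LATERAL FLATTEN(input => ah.base_objects_accessed) AS obj
    WHERE ah.query_start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
)
SELECT
    qh.start_time,
    qh.user_name,
    qh.warehouse_name,
    a.object_domain,
    a.object_name,
    qh.query_id
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY AS qh
JOIN accessed AS a
  ON a.query_id = qh.query_id
WHERE qh.role_name = 'S4A_TEAM_EDITION_AP_ROLE'
  AND qh.start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  -- Anything not under the expected schema is worth a look.
  AND NOT STARTSWITH(a.object_name, 'FINANCE_DB.AP.')
ORDER BY qh.start_time DESC;
```

An empty result means the role's observed access matches its intended scope; any rows point to a grant that is broader than the role was designed for.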


Permissions by Setup Phase

To make this concrete, here’s how permissions usually play out across the lifecycle.

Phase 1: Initial Installation (One-Time Setup)

Required services:

  • Snowpark Container Services
  • Snowflake Cortex AI

Key permissions:

  • Platform role with:
    • Rights to enable and configure SPCS (if not already enabled).
    • Rights to install the Sema4.ai Team Edition app in SPCS.
    • Rights to configure compute pools and services.

Outcome:
Sema4.ai Team Edition is running as a native application inside your Snowflake account, ready to be connected to your warehouses and data.


Phase 2: Connect to Data & Warehouses

Required services:

  • Databases/schemas containing the data you want agents to use.
  • Virtual warehouses (or Snowflake compute resources) for agent workloads.

Key permissions (for agent runtime role):

  • USAGE on target databases and schemas.
  • SELECT on relevant tables/views.
  • USAGE on designated warehouse(s).
  • Optional INSERT/UPDATE/MERGE on tables where agents will write.

Outcome:
Agents can read and, where allowed, write back to your Snowflake data with mathematically accurate analysis via Sema4.ai DataFrames—no new data silos, no data extracts.


Phase 3: Enable LLM Reasoning with Cortex

Required services:

  • Snowflake Cortex AI
  • Direct integration with Claude in Cortex (for most Team Edition deployments)

Key permissions (for agent runtime role):

  • Permission to call Cortex AI models from within SPCS-hosted services.
  • Any additional Snowflake-level grants your organization uses to gate access to Cortex.

Outcome:
Agents can use Claude in Snowflake Cortex AI for document understanding and unstructured/structured fusion, while your data never leaves your Snowflake account.


Phase 4: Governance, Audit, and Scale-Out

Required services:

  • Existing Snowflake governance (RBAC, masking, row policies).
  • Observability tooling (Snowflake logs + your monitoring stack).

Key permissions:

  • Read/monitor access for:
    • Query history and SPCS logs for the Sema4.ai service.
    • Usage metrics for warehouses and Cortex calls tied to the Sema4.ai runtime roles.
  • Ability to define additional runtime roles for new domains or teams.

Outcome:
You get 24×7 agents that act over your Snowflake data with enterprise-grade governance: unified security, full auditability, and zero-copy access.


How This Aligns with InfoSec and Compliance

Most InfoSec teams care about three core questions:

  1. Does data leave our boundary?
    With Sema4.ai Team Edition in Snowflake:

    • The app runs as a native Snowflake application in SPCS.
    • LLM calls go to Cortex AI running adjacent to your data within your Snowflake account.
    • There is no data movement from Snowflake to an external Sema4.ai cloud for core agent execution.
  2. Does it align with our governance model?
    Yes. Sema4.ai:

    • Inherits Snowflake RBAC, masking, and row policies.
    • Respects the roles and warehouses you explicitly assign.
    • Supports enterprise controls like SSO, RBAC, and detailed audit trails via Control Room and Transparent Reasoning in addition to Snowflake logs.
  3. Is it enterprise-grade from a security/compliance standpoint?
    Sema4.ai is:

    • SOC2 and ISO27001 certified
    • HIPAA compliant
    • GDPR adherent

    It also integrates cleanly with your existing observability stack (Datadog, Splunk, Grafana, LangSmith).

Combined with in-boundary execution in Snowflake, this gives security and compliance teams a clear, governable path to production.


Putting It All Together: Minimal Setup Checklist

To run Sema4.ai Team Edition with Snowpark Container Services and Snowflake Cortex AI, you should be able to answer “yes” to each of the following:

  1. Snowflake services

    • Snowpark Container Services enabled in the target account/region
    • Snowflake Cortex AI enabled (including access to Claude where required)
    • Databases/schemas and warehouses defined for agent workloads
  2. Platform / infrastructure role

    • Can create SPCS compute pools, repositories, and services
    • Can install and configure the Sema4.ai Team Edition application in SPCS
  3. Agent runtime role(s)

    • USAGE on relevant databases and schemas
    • SELECT on tables/views required by agents
    • USAGE on designated warehouses
    • (Optional) INSERT/UPDATE/MERGE on tables where agents will write results
    • Permission to call Snowflake Cortex AI models
  4. Governance & observability

    • Query history and service logs accessible to your platform/security teams
    • Roles designed according to least privilege and regulatory boundaries
    • Alignment with your existing monitoring (Datadog, Splunk, Grafana, etc.)

Once these are in place, you can move from first agent to production in days—not quarters—while keeping everything inside your Snowflake boundary.

