Prerequisites

Before connecting, create a dedicated Prizm role in Snowflake and grant it the minimum required permissions. Run the script below for each database you want to include.

```sql
-- Create a role for Prizm
CREATE ROLE IF NOT EXISTS PRIZM_ROLE;

-- Grant usage on the warehouse
GRANT USAGE ON WAREHOUSE <warehouse_name> TO ROLE PRIZM_ROLE;

-- Grant access to the target database and schemas
GRANT USAGE ON DATABASE <database_name> TO ROLE PRIZM_ROLE;
GRANT USAGE ON ALL SCHEMAS IN DATABASE <database_name> TO ROLE PRIZM_ROLE;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE <database_name> TO ROLE PRIZM_ROLE;

-- Grant read-only access to tables and views
GRANT SELECT ON ALL TABLES IN DATABASE <database_name> TO ROLE PRIZM_ROLE;
GRANT SELECT ON FUTURE TABLES IN DATABASE <database_name> TO ROLE PRIZM_ROLE;
GRANT SELECT ON ALL VIEWS IN DATABASE <database_name> TO ROLE PRIZM_ROLE;
GRANT SELECT ON FUTURE VIEWS IN DATABASE <database_name> TO ROLE PRIZM_ROLE;

-- Required for: ACCOUNT_USAGE, lineage, tag sync, performance metrics
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE PRIZM_ROLE;

-- Grant monitor on pipes and tasks (pipeline observability)
GRANT MONITOR ON ALL PIPES IN DATABASE <database_name> TO ROLE PRIZM_ROLE;
```

The IMPORTED PRIVILEGES grant on the SNOWFLAKE shared database is required for tag sync, pipeline observability, performance metrics, and Enterprise lineage. Without it, those features will be unavailable.

Connector Setup

1. Open the connector wizard

Navigate to Settings → Connectors and click “Add”. Select Snowflake from the source type grid.

| Field | Description |
| --- | --- |
| Connection Name | A label for this instance (e.g., snowflake-prod) |
| Description | Details of the connection |
| Account Identifier | Your Snowflake account locator (e.g., xy12345.us-east-1) |
| Warehouse | The virtual warehouse Prizm will use to run queries |

2. Choose an authentication method

An admin or privileged user can select any of the following authentication types. Provide the details for the selected type, then click Next.

| Auth Method | How to Configure |
| --- | --- |
| Username & Password | Create a dedicated Prizm service account in Snowflake with PRIZM_ROLE. Enter the username and password in the connection form. |
| Key Pair | Generate an RSA key pair. Assign the public key to the Snowflake user with ALTER USER SET RSA_PUBLIC_KEY. Upload the private key (.p8) in Prizm. |
| OAuth 2.0 | Create a Snowflake OAuth security integration. Enter the Client ID and Client Secret in Prizm. |

Key Pair authentication is recommended for production — it avoids password rotation issues and works with Snowflake IP-allowlist policies.

Username & Password

Select Username And Password from the Authentication Type dropdown, then fill in the following fields:

| Field | Description |
| --- | --- |
| Username | The Snowflake service account username assigned PRIZM_ROLE |
| Password | The account password |

No additional Snowflake-side setup is required beyond the service account created in the Prerequisites step.

Key Based Authentication

Select Key Based Authentication from the Authentication Type dropdown. Key pair authentication uses an RSA private key instead of a password.

Snowflake-side setup — run these commands locally and in Snowflake:

```bash
# Generate a private key (no passphrase)
# -nocrypt leaves the key unencrypted on disk; keep the file readable only by its owner
openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt

# Extract the public key
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
```

```sql
-- Assign the public key to your Snowflake service account
-- Paste only the base64 body of rsa_key.pub, without the BEGIN/END PUBLIC KEY delimiter lines
ALTER USER <prizm_username> SET RSA_PUBLIC_KEY='<contents_of_rsa_key.pub>';
```

Then fill in the following fields in Prizm:

| Field | Description |
| --- | --- |
| Username | The Snowflake user the public key was assigned to |
| Pass Phrase | The passphrase used when generating the private key (leave blank if generated with -nocrypt) |
| Private Key | Upload the .p8 private key file via drag & drop or Browse |
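
A check worth running around the key-pair step, as an added example (not Prizm's or Snowflake's own code): it generates the pair under a restrictive umask, prints the delimiter-free value for RSA_PUBLIC_KEY, and derives the SHA256 fingerprint from both files so it can be compared with the RSA_PUBLIC_KEY_FP property that DESC USER reports. The function names and the throwaway demo directory are assumptions.

```sh
#!/bin/sh
# Added example; function names are hypothetical, file names follow the page.

# Generate the pair with the page's commands, under a restrictive umask so
# the unencrypted rsa_key.p8 is created readable by its owner only.
gen_keypair() (
    umask 077
    cd "$1" || exit 1
    openssl genrsa 2048 2>/dev/null |
        openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
    openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub 2>/dev/null
)

# Value for ALTER USER ... SET RSA_PUBLIC_KEY: the base64 body only, with
# the BEGIN/END PUBLIC KEY delimiter lines and line breaks removed.
pubkey_body() {
    grep -v -e '-----' "$1" | tr -d '\r\n'
}

# SHA-256 over DER bytes on stdin, printed in the "SHA256:<base64>" form
# that DESC USER shows in the RSA_PUBLIC_KEY_FP property.
der_fp() {
    printf 'SHA256:%s\n' "$(openssl dgst -sha256 -binary | openssl enc -base64)"
}

# Fingerprint of the public key file that was pasted into ALTER USER.
pubkey_fp() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | der_fp
}

# Fingerprint derived from the private key that will be uploaded. For an
# encrypted key, pass an OpenSSL pass-phrase source such as env:KEY_PASS.
privkey_fp() {
    openssl rsa -in "$1" ${2:+-passin "$2"} -pubout -outform DER 2>/dev/null | der_fp
}

# Demo on a throwaway key pair (constructed here, not a real credential).
demo_dir=$(mktemp -d)
gen_keypair "$demo_dir"
echo "RSA_PUBLIC_KEY value : $(pubkey_body "$demo_dir/rsa_key.pub")"
echo "from rsa_key.pub     : $(pubkey_fp "$demo_dir/rsa_key.pub")"
echo "from rsa_key.p8      : $(privkey_fp "$demo_dir/rsa_key.p8")"
```

If the two fingerprints differ from each other or from RSA_PUBLIC_KEY_FP, the .p8 file being uploaded does not match the key registered on the Snowflake user.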

OAuth

Select OAuth from the Authentication Type dropdown. Prizm acts as a confidential OAuth client against Snowflake’s authorization server.

Snowflake-side setup — create a security integration:

```sql
CREATE SECURITY INTEGRATION prizm_oauth
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = '<redirect_url_shown_in_prizm>'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 7776000;

-- Retrieve the Client ID and Client Secret
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('PRIZM_OAUTH');
```

Then fill in the following fields in Prizm:

| Field | Description |
| --- | --- |
| Redirect URL | Copy from the Prizm connection form and use as OAUTH_REDIRECT_URI when creating the integration |
| Client ID | The OAuth client ID returned by SYSTEM$SHOW_OAUTH_CLIENT_SECRETS |
| Client Secret | The OAuth client secret returned by SYSTEM$SHOW_OAUTH_CLIENT_SECRETS |

3. Configure asset scope

Once valid authentication details are provided, the user is taken to the asset selection page. Use Include and Exclude wildcard patterns to control which objects are onboarded.

| Level | Example Patterns |
| --- | --- |
| Database | Include: `ANALYTICS_DB`, `PROD_DB` — Exclude: `DEV_*`, `SANDBOX_*` |
| Schema | Include: `PUBLIC`, `REPORTING` — Exclude: `TEMP_*`, `_INTERNAL` |
| Table/View | Select the required table/view from the dropdown |

Exclude rules take precedence over include rules when both match the same object.
4. Job schedules

| Job Type | Default | What It Does |
| --- | --- | --- |
| Observability | Hourly | Volume, freshness, schema change, anomaly detection |
| Catalog | Daily | Databases, functions, procedures, tags, streams |
| Pipeline | Hourly | Task and Snowpipe run history |
| Performance | Daily | Query stats, warehouse compute, storage cost |

You can override each schedule individually from the connector detail page after saving.
5. Save and verify

Click Update to save the connection details. Prizm runs an initial full scan immediately — assets appear in the catalog within a few minutes. Navigate to Settings → Connectors → Logs to monitor scan progress.

Next Steps

What We Collect

See the full field-level breakdown of every metadata object Prizm extracts.

FAQ

Common questions about credentials, scoping, and permissions.