Implement application_roles parameter for BUSINESS_ROLE object type

littleK0i · littleK0i · commit 27ea12ae392c · 2026-01-13T14:10:42.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 
-## [0.61.0]
+## [0.62.0] - 2026-01-13
+
+- Added `application_roles` parameter form `BUSINESS_ROLE` object type. It is now possible to grant application roles directly to business roles. Env prefix is currently not supported, applications are supposed to be managed via different means for now.
+
+## [0.61.0] - 2025-12-29
 
 - Added `DECFLOAT` data type. You should never find yourself using it, but it exists nonetheless.
 - Renamed `SNAPSHOT_POLICY`, `SNAPSHOT_SET` object types to `BACKUP_POLICY`, `BACKUP_SET`. Config paths should be updated from `snapshot_*` to `backup_*`.
diff --git a/snowddl/blueprint/__init__.py b/snowddl/blueprint/__init__.py
@@ -70,6 +70,7 @@
     Ident,
     AccountIdent,
     AccountObjectIdent,
+    ApplicationRoleIdent,
     DatabaseIdent,
     DatabaseRoleIdent,
     OutboundShareIdent,
@@ -86,6 +87,7 @@
     build_grant_name_ident,
     build_future_grant_name_ident,
     build_default_namespace_ident,
+    build_application_role_ident,
     build_share_read_ident,
 )
 from .ident_pattern import IdentPattern
diff --git a/snowddl/blueprint/blueprint.py b/snowddl/blueprint/blueprint.py
@@ -20,6 +20,7 @@
     DatabaseIdent,
     DatabaseRoleIdent,
     AccountIdent,
+    ApplicationRoleIdent,
     OutboundShareIdent,
     SchemaIdent,
     SchemaObjectIdent,
@@ -118,6 +119,7 @@ class BusinessRoleBlueprint(AbstractBlueprint):
     share_read: List[Union[Ident, DatabaseRoleIdent]] = []
     warehouse_usage: List[AccountObjectIdent] = []
     warehouse_monitor: List[AccountObjectIdent] = []
+    application_roles: List[ApplicationRoleIdent] = []
     technical_roles: List[AccountObjectIdent] = []
     global_roles: List[Ident] = []
 
diff --git a/snowddl/blueprint/ident.py b/snowddl/blueprint/ident.py
@@ -106,6 +106,17 @@ def parts_for_format(self):
         return [f"{self.env_prefix}{self.name}"], None
 
 
+class ApplicationRoleIdent(AbstractIdentWithPrefix):
+    def __init__(self, env_prefix, application, name):
+        super().__init__(env_prefix)
+
+        self.application = self._validate_part(application)
+        self.name = self._validate_part(name)
+
+    def parts_for_format(self):
+        return [f"{self.env_prefix}{self.application}", self.name], None
+
+
 class DatabaseIdent(AbstractIdentWithPrefix):
     def __init__(self, env_prefix, database):
         super().__init__(env_prefix)
diff --git a/snowddl/blueprint/ident_builder.py b/snowddl/blueprint/ident_builder.py
@@ -4,6 +4,7 @@
 from .ident import (
     AbstractIdent,
     AccountObjectIdent,
+    ApplicationRoleIdent,
     DatabaseIdent,
     DatabaseRoleIdent,
     Ident,
@@ -112,6 +113,10 @@ def build_default_namespace_ident(env_prefix, default_namespace):
     return DatabaseIdent(env_prefix, default_namespace)
 
 
+def build_application_role_ident(application_role_name: str) -> ApplicationRoleIdent:
+    return ApplicationRoleIdent("", *application_role_name.split(".", 2))
+
+
 def build_share_read_ident(share_name: str) -> Union[Ident, DatabaseRoleIdent]:
     if "." in share_name:
         # Shares are global, so database roles inside shares are global as well
diff --git a/snowddl/blueprint/object_type.py b/snowddl/blueprint/object_type.py
@@ -28,6 +28,13 @@ class ObjectType(Enum):
         "blueprint_cls": "AlertBlueprint",
     }
 
+    # Technical object type, used for GRANTs only
+    # There is no blueprint
+    APPLICATION_ROLE = {
+        "singular": "APPLICATION ROLE",
+        "plural": "APPLICATION ROLES",
+    }
+
     AUTHENTICATION_POLICY = {
         "singular": "AUTHENTICATION POLICY",
         "plural": "AUTHENTICATION POLICIES",
diff --git a/snowddl/parser/business_role.py b/snowddl/parser/business_role.py
@@ -4,6 +4,7 @@
     Ident,
     IdentPattern,
     build_role_ident,
+    build_application_role_ident,
     build_share_read_ident,
 )
 from snowddl.parser.abc_parser import AbstractParser
@@ -75,6 +76,12 @@
                     "type": "string"
                 }
             },
+            "application_roles": {
+                "type": "array",
+                "items": {
+                    "type": "string"
+                }
+            },
             "tech_roles": {
                 "type": "array",
                 "items": {
@@ -102,8 +109,12 @@ def load_blueprints(self):
         self.parse_multi_entity_file("business_role", business_role_json_schema, self.process_business_role)
 
     def process_business_role(self, business_role_name, business_role_params):
+        application_roles = []
         technical_roles = []
 
+        for application_role_name in business_role_params.get("application_roles", []):
+            application_roles.append(build_application_role_ident(application_role_name))
+
         for technical_role_name in business_role_params.get("technical_roles", []) + business_role_params.get("tech_roles", []):
             technical_roles.append(build_role_ident(self.env_prefix, technical_role_name, self.config.TECHNICAL_ROLE_SUFFIX))
 
@@ -119,6 +130,7 @@ def process_business_role(self, business_role_name, business_role_params):
             share_read=[build_share_read_ident(share_name) for share_name in business_role_params.get("share_read", [])],
             warehouse_usage=[AccountObjectIdent(self.env_prefix, warehouse_name) for warehouse_name in business_role_params.get("warehouse_usage", [])],
             warehouse_monitor=[AccountObjectIdent(self.env_prefix, warehouse_name) for warehouse_name in business_role_params.get("warehouse_monitor", [])],
+            application_roles=application_roles,
             technical_roles=technical_roles,
             global_roles=[Ident(global_role_name) for global_role_name in business_role_params.get("global_roles", [])],
             comment=business_role_params.get("comment"),
diff --git a/snowddl/resolver/abc_role_resolver.py b/snowddl/resolver/abc_role_resolver.py
@@ -4,6 +4,7 @@
 from snowddl.blueprint import (
     AccountGrant,
     AccountObjectIdent,
+    ApplicationRoleIdent,
     DatabaseBlueprint,
     DatabaseRoleIdent,
     FutureGrant,
@@ -256,7 +257,7 @@ def drop_object(self, row: dict):
         return ResolveResult.DROP
 
     def create_grant(self, role_name, grant: Grant):
-        if grant.privilege == "USAGE" and grant.on in (ObjectType.ROLE, ObjectType.DATABASE_ROLE):
+        if grant.privilege == "USAGE" and grant.on in (ObjectType.ROLE, ObjectType.APPLICATION_ROLE, ObjectType.DATABASE_ROLE):
             self.engine.execute_safe_ddl(
                 "GRANT {on:r} {name:i} TO ROLE {role_name:i}",
                 {
@@ -295,7 +296,7 @@ def drop_grant(self, role_name, grant: Grant):
                     "current_role": self.engine.context.current_role,
                 },
             )
-        elif grant.privilege == "USAGE" and grant.on in (ObjectType.ROLE, ObjectType.DATABASE_ROLE):
+        elif grant.privilege == "USAGE" and grant.on in (ObjectType.ROLE, ObjectType.APPLICATION_ROLE, ObjectType.DATABASE_ROLE):
             self.engine.execute_safe_ddl(
                 "REVOKE {on:r} {name:i} FROM ROLE {role_name:i}",
                 {
@@ -445,6 +446,13 @@ def build_share_read_grant(self, share_name: Union[Ident, DatabaseRoleIdent]) ->
                 name=build_role_ident(self.config.env_prefix, share_name, self.config.SHARE_ACCESS_ROLE_SUFFIX),
             )
 
+    def build_application_role_grant(self, application_role_name: ApplicationRoleIdent) -> Grant:
+        return Grant(
+            privilege="USAGE",
+            on=ObjectType.APPLICATION_ROLE,
+            name=application_role_name,
+        )
+
     def build_technical_role_grant(self, technical_role_name: AccountObjectIdent) -> Grant:
         return Grant(
             privilege="USAGE",
diff --git a/snowddl/resolver/business_role.py b/snowddl/resolver/business_role.py
@@ -46,6 +46,10 @@ def transform_blueprint(self, business_role_bp: BusinessRoleBlueprint) -> RoleBl
         for warehouse_name in business_role_bp.warehouse_monitor:
             grants.append(self.build_warehouse_role_grant(warehouse_name, self.config.MONITOR_ROLE_TYPE))
 
+        # Application roles
+        for application_role_name in business_role_bp.application_roles:
+            grants.append(self.build_application_role_grant(application_role_name))
+
         # Technical roles
         for technical_role_name in business_role_bp.technical_roles:
             grants.append(self.build_technical_role_grant(technical_role_name))
diff --git a/snowddl/version.py b/snowddl/version.py
@@ -1 +1 @@
-__version__ = "0.61.0"
+__version__ = "0.62.0"
diff --git a/test/_config/step1/business_role.yaml b/test/_config/step1/business_role.yaml
@@ -15,6 +15,8 @@ pm001_br1:
   warehouse_usage:
     - pm001_wh1
     - pm001_wh2
+  application_roles:
+    - snowflake.app_usage_viewer
   technical_roles:
     - pm001_tr1
   global_roles:

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.61.0"`
	`1`	`+__version__ = "0.62.0"`