Get your CloudLink connection up and running with our comprehensive setup guide. This document covers security architecture, IP whitelisting, automated scripts, and configuration steps.

Secure Direct Access

Elementum provides secure, in-place data access to your Snowflake instance:

Authentication

Credentials are provided by Snowflake to permit Elementum access to defined tables. You retain full control over the data and can terminate access at any time.

In-Place Access

Data stays in your Snowflake instance. No data is copied or moved to external systems.

How It Works

1

Snowflake Side

A specific table and defined set of attributes with permissions (e.g., read/write, read-only) are created to enable business processes.
2

Elementum Side

Further access to view the data within Elementum is restricted at the user level through access policies.

Direct Connect Architecture

This connection allows for read/write access and the ability to execute workflows on your data:
  • Your Organization
  • Elementum Platform
Your Snowflake Account:
  • Contains your data (databases, tables, views)
  • Grants access to Elementum Reader/Writer Account with read/write permissions
  • Can restrict access to known Elementum Platform IP addresses

Security Architecture

Data Encryption

At Rest:
  • Account data encrypted using industry-standard algorithms
  • Credentials encrypted and never returned outside the internal system
In Transit:
  • All traffic encrypted using TLS
  • Secure connection methods (Internet or VPN)

Access Control

Network Security:
  • Application Firewall for ingress
  • IP whitelisting available
  • VPN support with least privilege access
Authentication:
  • RSA key-based authentication
  • Role-based access control
Both Internet and VPN traffic are encrypted. VPN provides additional security through least privilege access controls.

Whitelist Elementum IP Addresses

Elementum IP Addresses to Whitelist

Configure your Snowflake network policies to allow connections from these IP addresses:
  • US Region
  • Europe Region
44.210.166.136
44.209.114.114
52.72.254.246
-- Create network policy for US region
USE ROLE ACCOUNTADMIN;

CREATE NETWORK POLICY IF NOT EXISTS ELEMENTUM_ACCESS_POLICY
  ALLOWED_IP_LIST = (
    '44.210.166.136',
    '44.209.114.114',
    '52.72.254.246'
  )
  COMMENT = 'Network policy for Elementum platform access';

-- Apply to Elementum user
ALTER USER ELEMENTUM SET NETWORK_POLICY = ELEMENTUM_ACCESS_POLICY;

-- Verify policy is applied
DESC USER ELEMENTUM;
Important: If you’re using multi-region access or want to allow connections from both US and Europe, use the combined policy above.

Choose Your Setup Method

Run Script (Recommended)

Copy and paste the provided script steps for automated setup.
Best for: Quick setup, reduced errors

Manual Setup

Manually create the Elementum account and configure permissions.
Best for: Custom configurations, existing infrastructure

Setting up the Elementum Account in Snowflake

Snowflake Setup Script

Important: This script requires execution by a user with the ACCOUNTADMIN role in Snowflake.

Getting Started

Before running the script:
  1. Ensure you have ACCOUNTADMIN role access
  2. Obtain the RSA public key from Elementum CloudLink UI
  3. Identify which databases and tables need Elementum access
  4. Plan your warehouse sizing requirements

Setup Steps Overview

The script will perform these actions:
1

Create New User & Role

Creates a user and role for Elementum Platform access with proper security configuration.
2

Create Snowflake Warehouse

Provisions a warehouse for all Elementum Platform activity and actions. This warehouse provides processing power for workflows, queries, and data operations.
3

Create Elementum Database & Schema

Database: Dedicated space for Elementum state management
Schemas:
  • ELEMENTUM_PLATFORM - Private schema for platform operations (do not modify)
  • PUBLIC - Schema for data exchange tables
Requirements:
  • Each integrated table/view must have a primary key or unique key column
  • Domain whitelist: [your-org].elementum.io
  • Additional access policies can be applied in Elementum for team/individual restrictions
4

Grant Permissions

Grant the newly created role permissions to specific databases for relevant use cases and processes.
5

Turn on Change Tracking (Optional - only if using change-based Element automations)

Enable change tracking for each table to ensure changes made in Snowflake are reflected in Elementum in real-time.
6

Grant Cortex Access (Optional - only if using AI/ML features)

Grant the Elementum role access to Cortex to leverage ML models and LLMs for AI-powered features.

Run These Scripts in Snowflake

1

Create Role for Elementum

USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS ELEMENTUM;
GRANT ROLE ELEMENTUM TO ROLE SYSADMIN;
2

Create User for Elementum

USE ROLE ACCOUNTADMIN;
CREATE USER IF NOT EXISTS ELEMENTUM 
  TYPE = SERVICE 
  RSA_PUBLIC_KEY = '<PASTE_PUBLIC_KEY_FROM_ELEMENTUM_UI>';
-- Get your public key from: Elementum > Settings > Cloud Links > Add Connection

GRANT ROLE ELEMENTUM TO USER ELEMENTUM;
Where to find your RSA public key: Navigate to Elementum Settings > Cloud Links > Add Connection > Copy Public Key
3

Create Warehouse for Elementum

USE ROLE SYSADMIN;
CREATE WAREHOUSE IF NOT EXISTS ELEMENTUM
  WITH WAREHOUSE_SIZE = 'MEDIUM',
  MIN_CLUSTER_COUNT = 1,
  MAX_CLUSTER_COUNT = 10,
  AUTO_SUSPEND = 60;

GRANT USAGE ON WAREHOUSE ELEMENTUM TO ROLE ELEMENTUM;
Configuration Details:
  • Size: Medium (adjust based on workload)
  • Min Clusters: 1
  • Max Clusters: 10 (auto-scaling enabled)
  • Auto-Suspend: 60 seconds (reduces costs)
4

Create Database for Elementum

USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS ELEMENTUM;
GRANT OWNERSHIP ON DATABASE ELEMENTUM TO ROLE ELEMENTUM;
Tip: Elementum uses this database to store the platform’s state information, including configuration, metadata, and operational data.
5

Create Schema for Platform Operations

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
CREATE SCHEMA IF NOT EXISTS ELEMENTUM_PLATFORM;
Do not modify or add tables to the ELEMENTUM_PLATFORM schema. This is reserved for internal platform operations.
6

Grant Usage to Other Databases/Tables

USE ROLE SYSADMIN;

-- First, grant database usage
GRANT USAGE ON DATABASE <INSERT_DATABASE_NAME_HERE> TO ROLE ELEMENTUM;

-- Then grant schema usage
GRANT USAGE ON SCHEMA <INSERT_DATABASE_NAME_HERE>.<INSERT_SCHEMA_NAME_HERE> TO ROLE ELEMENTUM;

-- Finally, grant table permissions (fully qualified)
GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE <INSERT_DATABASE_NAME_HERE>.<INSERT_SCHEMA_NAME_HERE>.<INSERT_TABLE_NAME_HERE> TO ROLE ELEMENTUM;
Examples:
  • Full Access (Read/Write)
  • Read-Only Access
  • Schema-Level Access
-- For transactional tables
USE ROLE SYSADMIN;

-- Grant database and schema usage
GRANT USAGE ON DATABASE SALES_DB TO ROLE ELEMENTUM;
GRANT USAGE ON SCHEMA SALES_DB.PUBLIC TO ROLE ELEMENTUM;

-- Grant full permissions on specific tables
GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE SALES_DB.PUBLIC.CUSTOMERS TO ROLE ELEMENTUM;
GRANT INSERT, UPDATE, DELETE, SELECT ON TABLE SALES_DB.PUBLIC.ORDERS TO ROLE ELEMENTUM;
7

Enable Change Tracking (Optional - only if using change-based Element automations)

-- Enable change tracking for each table (use fully qualified table names)
ALTER TABLE <INSERT_DATABASE>.<INSERT_SCHEMA>.<INSERT_TABLE_NAME> 
  SET CHANGE_TRACKING = TRUE;
Example:
-- Enable change tracking on specific tables
ALTER TABLE SALES_DB.PUBLIC.CUSTOMERS SET CHANGE_TRACKING = TRUE;
ALTER TABLE SALES_DB.PUBLIC.ORDERS SET CHANGE_TRACKING = TRUE;

-- Verify change tracking is enabled
SHOW TABLES LIKE 'CUSTOMERS' IN SCHEMA SALES_DB.PUBLIC;
Skip this step if: You don’t plan to use automations triggered by data changes on Elements in Snowflake. Change tracking allows you to start workflows when data is added or updated in Snowflake.
8

Create Schema for Customer Data

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
CREATE SCHEMA IF NOT EXISTS PUBLIC;
Note: Put any tables specifically created for use in Elementum (such as “Data_Exchange” tables) in the PUBLIC schema or another customer schema. Do not put them in the ELEMENTUM_PLATFORM schema.
9

Grant Cortex LLM and ML Access (Optional - only if using AI/ML features)

USE ROLE ACCOUNTADMIN;

-- Enable cross-region Cortex access
ALTER ACCOUNT SET CORTEX_ENABLED_CROSS_REGION = 'ANY_REGION';

-- Grant Cortex user role
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE ELEMENTUM;

-- Grant Cortex Search Service creation
GRANT CREATE CORTEX SEARCH SERVICE ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;

-- Grant ML model creation capabilities
GRANT CREATE SNOWFLAKE.ML.ANOMALY_DETECTION ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
GRANT CREATE SNOWFLAKE.ML.CLASSIFICATION ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
GRANT CREATE SNOWFLAKE.ML.FORECAST ON SCHEMA ELEMENTUM.ELEMENTUM_PLATFORM TO ROLE ELEMENTUM;
Skip this step if: You don’t plan to use AI Search, AI Automations, or ML forecasting features in Elementum.
Cortex Capabilities Enabled:
  • Anomaly Detection: Identify unusual patterns in your data
  • Classification: Categorize and label data automatically
  • Forecasting: Predict future trends and values
  • LLM Access: Use large language models for natural language processing
  • Cortex Search: Semantic search across your data

For License Patrol Customers

If you’re using License Patrol, follow these additional setup steps:
1

Install Native App from Snowflake Marketplace

  1. Navigate to the License Patrol listing in the Snowflake Marketplace
  2. Select the app and click “Get” to install it
  3. Using the ACCOUNTADMIN role, select “Manage Access”
  4. Add the ELEMENTUM role to the app’s access list
2

Setup Permissions for License Patrol Application

USE ROLE ACCOUNTADMIN;

-- Grant database and schema access
GRANT USAGE ON DATABASE <YOUR_DATABASE> TO APPLICATION LICENSE_PATROL;
GRANT USAGE ON SCHEMA <YOUR_DATABASE>.<YOUR_SCHEMA> TO APPLICATION LICENSE_PATROL;

-- Grant access to relevant tables
GRANT SELECT ON TABLE <YOUR_DATABASE>.<YOUR_SCHEMA>.APPLICATION_LOGINS TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE <YOUR_DATABASE>.<YOUR_SCHEMA>.EMPLOYEE_DATA TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE <YOUR_DATABASE>.<YOUR_SCHEMA>.SOFTWARE_CONTRACTS TO APPLICATION LICENSE_PATROL;

-- Grant Elementum access to License Patrol data
GRANT SELECT ON TABLE LICENSEPATROL.APP_DATA.REVOCATION_EXCLUDE TO ROLE ELEMENTUM;
Example:
-- Example with actual values
USE ROLE ACCOUNTADMIN;

GRANT USAGE ON DATABASE HR_DB TO APPLICATION LICENSE_PATROL;
GRANT USAGE ON SCHEMA HR_DB.PUBLIC TO APPLICATION LICENSE_PATROL;

GRANT SELECT ON TABLE HR_DB.PUBLIC.APPLICATION_LOGINS TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE HR_DB.PUBLIC.EMPLOYEE_DATA TO APPLICATION LICENSE_PATROL;
GRANT SELECT ON TABLE HR_DB.PUBLIC.SOFTWARE_CONTRACTS TO APPLICATION LICENSE_PATROL;

GRANT SELECT ON TABLE LICENSEPATROL.APP_DATA.REVOCATION_EXCLUDE TO ROLE ELEMENTUM;
Replace <YOUR_DATABASE> and <YOUR_SCHEMA> with your actual database and schema names containing the License Patrol data.

Adding Elementum Snowflake Credentials into Elementum

After completing the Snowflake setup, configure the connection in Elementum:

Elementum Snowflake Configuration

There are four quick steps for connecting Snowflake data to Elementum:
1

Setup Snowflake Credentials

Navigate to Settings > Cloud Links > Add Connection in Elementum.
Enter Connection Details:
  • Name: Descriptive name for your connection (e.g., “Production Snowflake”)
  • Account URL: Your Snowflake account URL (e.g., your-account.snowflakecomputing.com)
  • Username: ELEMENTUM
  • Authentication: RSA Key Pair (automatically configured)
  • Role: ELEMENTUM
  • Warehouse: ELEMENTUM
The RSA private key is securely stored in Elementum. You copied the public key to Snowflake during user creation.
Test the Connection: Click “Test Connection” to verify the credentials and network access are configured correctly.
2

Select Connection Details

Once connected, you can browse your Snowflake environment:
  1. Select Database: Choose the database containing your tables
  2. Select Schema: Pick the schema with your data
  3. Select Table: Choose the table(s) to integrate with Elementum
Only databases, schemas, and tables that you granted the ELEMENTUM role access to will appear in these lists.
3

Add Data Naming

Configure how this data appears in Elementum:
  • App Name: The application this data belongs to
  • Table Display Name: User-friendly name for the table
  • Description: Optional description of the data
This naming helps users understand the data’s purpose and context.
4

Complete Field Mapping

Map Snowflake columns to Elementum fields:
  1. Primary Key: Select the unique identifier column
  2. Field Mappings: Map each column to appropriate field types
  3. Field Labels: Customize display names for fields
  4. Field Visibility: Set which fields are visible to users
Field Types Available:
  • Text, Number, Date, Timestamp
  • Boolean, JSON, Array
  • Currency, Percentage
  • References (for relationships)

Resource Scheduler

Default Schedule

Every 20 minutes
Balanced approach for most use cases

Customizable

Adjust as needed
  • Shorter intervals for faster updates (increases credit usage)
  • Longer intervals if data updates less frequently
Credit Consumption: More frequent synchronization intervals will consume more Snowflake credits. Balance freshness needs with cost considerations.

Verification and Testing

After completing the setup, verify everything is working correctly:
1

Test User Login

-- Switch to Elementum role
USE ROLE ELEMENTUM;
USE WAREHOUSE ELEMENTUM;
USE DATABASE ELEMENTUM;

-- Verify role and warehouse
SELECT CURRENT_ROLE(), CURRENT_WAREHOUSE(), CURRENT_DATABASE();
Expected result: Should show ELEMENTUM role, warehouse, and database.
2

Test Data Access

USE ROLE ELEMENTUM;
USE WAREHOUSE ELEMENTUM;

-- Test access to your tables
SELECT COUNT(*) FROM SALES_DB.PUBLIC.CUSTOMERS;

-- Verify change tracking is enabled
SHOW TABLES LIKE 'CUSTOMERS' IN SCHEMA SALES_DB.PUBLIC;
-- Look for "change_tracking" = "ON" in the results

-- Test change tracking (if enabled)
SELECT *
FROM SALES_DB.PUBLIC.CUSTOMERS
CHANGES(INFORMATION => DEFAULT)
AT(TIMESTAMP => DATEADD(HOUR, -1, CURRENT_TIMESTAMP()))
LIMIT 5;
Replace SALES_DB.PUBLIC.CUSTOMERS with your actual database, schema, and table names.
3

Test Cortex Access (Optional - only if you configured AI/ML features)

USE ROLE ELEMENTUM;
USE DATABASE ELEMENTUM;
USE SCHEMA ELEMENTUM_PLATFORM;

-- Test Cortex LLM access
SELECT SNOWFLAKE.CORTEX.COMPLETE(
  'mistral-large',
  'What is machine learning?'
) AS response;

-- Test Cortex Sentiment Analysis
SELECT SNOWFLAKE.CORTEX.SENTIMENT(
  'Elementum is an amazing data platform!'
) AS sentiment_score;
If these queries execute successfully, Cortex access is properly configured.
4

Test in Elementum

  1. Verify the connection shows as “Connected” in CloudLink settings
  2. Browse to the integrated table in Elementum
  3. Verify data loads correctly
  4. Test creating/updating a record (if write access was granted)
  5. Verify changes sync back to Snowflake

Troubleshooting

Cannot Connect from Elementum:
  • Verify IP addresses are whitelisted in Snowflake network policy
  • Confirm RSA public key was added correctly to Snowflake user
  • Check that ELEMENTUM user has ELEMENTUM role granted
  • Verify warehouse is not suspended or has available compute resources
“User does not exist” Error:
  • Ensure user was created with TYPE = SERVICE
  • Verify user creation script ran successfully
  • Check that ACCOUNTADMIN role was used
“Insufficient privileges” Errors:
  • Verify GRANT statements were executed for all required tables
  • Check that role has warehouse usage permission
  • Confirm database and schema access is granted
  • For schema-level grants, ensure USAGE permission is granted on schema
Cannot Access Change Tracking:
  • Verify change tracking is enabled on source tables
  • Confirm ELEMENTUM role has SELECT permission on tables
  • Check that table has been modified since enabling tracking
Slow Query Performance:
  • Consider increasing warehouse size (MEDIUM → LARGE)
  • Review query patterns and add appropriate indexes
  • Check if warehouse is auto-suspending during queries
  • Monitor concurrent usage and adjust cluster count
High Credit Consumption:
  • Review synchronization frequency settings
  • Check for inefficient queries or large data scans
  • Consider using incremental refresh instead of full loads
  • Review warehouse auto-suspend settings
Cannot Use Cortex Features:
  • Verify CORTEX_ENABLED_CROSS_REGION is set to 'ANY_REGION'
  • Check that SNOWFLAKE.CORTEX_USER role is granted
  • Confirm Cortex is available in your Snowflake region
  • Verify ACCOUNTADMIN role was used to grant Cortex permissions

Security Best Practices

Principle of Least Privilege

  • Grant only necessary permissions to ELEMENTUM role
  • Use read-only access where write access isn’t required
  • Regularly audit granted permissions
  • Remove access to tables no longer in use
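
One way to carry out the permission audit described above, as an added example that is not part of Elementum's setup script. It assumes the ELEMENTUM role and user names from this guide; the 90-day review window is an assumption, and the second query needs ACCESS_HISTORY, which requires Enterprise Edition or higher.

```sql
-- Added example (not Elementum's script): audit what the ELEMENTUM role can touch.
-- ACCOUNT_USAGE views lag real time by a few hours.
USE ROLE ACCOUNTADMIN;

-- 1) Table/view grants outside the platform database, flagging anything beyond read access
SELECT table_catalog AS database_name,
       table_schema  AS schema_name,
       name          AS object_name,
       LISTAGG(privilege, ', ') WITHIN GROUP (ORDER BY privilege) AS privileges,
       BOOLOR_AGG(privilege IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'OWNERSHIP')) AS has_write
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE grantee_name = 'ELEMENTUM'
  AND granted_to   = 'ROLE'
  AND deleted_on IS NULL                 -- only grants that are still active
  AND granted_on IN ('TABLE', 'VIEW')
  AND table_catalog <> 'ELEMENTUM'       -- skip the platform's own database
GROUP BY 1, 2, 3
ORDER BY has_write DESC, 1, 2, 3;

-- 2) Granted objects the ELEMENTUM user has neither read nor written in 90 days
--    (90 days is an assumed review window, not a value from this guide)
WITH granted AS (
    SELECT DISTINCT table_catalog || '.' || table_schema || '.' || name AS fqn
    FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
    WHERE grantee_name = 'ELEMENTUM' AND granted_to = 'ROLE'
      AND deleted_on IS NULL AND granted_on IN ('TABLE', 'VIEW')
      AND table_catalog <> 'ELEMENTUM'
),
touched AS (
    -- objects read by the service user
    SELECT obj.value:"objectName"::STRING AS fqn
    FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY ah,
         LATERAL FLATTEN(input => ah.base_objects_accessed) obj
    WHERE ah.user_name = 'ELEMENTUM'
      AND ah.query_start_time >= DATEADD(DAY, -90, CURRENT_TIMESTAMP())
    UNION
    -- objects written by the service user
    SELECT obj.value:"objectName"::STRING
    FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY ah,
         LATERAL FLATTEN(input => ah.objects_modified) obj
    WHERE ah.user_name = 'ELEMENTUM'
      AND ah.query_start_time >= DATEADD(DAY, -90, CURRENT_TIMESTAMP())
)
SELECT g.fqn AS candidate_for_revoke
FROM granted g
LEFT JOIN touched t ON t.fqn = g.fqn
WHERE t.fqn IS NULL
ORDER BY 1;
```

Rows with has_write = TRUE are the ones to compare against the read-only option; rows from the second query are candidates for REVOKE.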

Network Security

  • Implement IP whitelisting for Elementum IPs
  • Use VPN for additional security layer
  • Monitor connection logs regularly
  • Set up alerts for suspicious activity
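
A connection-log check for the ELEMENTUM service user, as an added example that is not part of Elementum's setup script. It uses the US-region addresses and the ELEMENTUM_ACCESS_POLICY name from this guide; the 7-day window is an assumption, and a deployment that allows other regions must extend the IP list.

```sql
-- Added example (not Elementum's script): confirm the network policy is in force
-- and surface logins that do not match the expected pattern.
USE ROLE ACCOUNTADMIN;

-- 1) The policy exists and lists the expected addresses
DESC NETWORK POLICY ELEMENTUM_ACCESS_POLICY;

-- 2) The policy is actually attached to the service user
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER ELEMENTUM;

-- 3) Logins in the last 7 days (assumed window) that came from an unexpected IP,
--    failed, or used something other than key-pair authentication
SELECT event_timestamp,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       is_success,
       error_code,
       error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'ELEMENTUM'
  AND event_timestamp >= DATEADD(DAY, -7, CURRENT_TIMESTAMP())
  AND (
        client_ip NOT IN ('44.210.166.136', '44.209.114.114', '52.72.254.246')
     OR is_success = 'NO'
     OR first_authentication_factor <> 'RSA_KEYPAIR'
  )
ORDER BY event_timestamp DESC;

-- 4) Daily summary by source address, useful as a baseline for an alert threshold
SELECT DATE_TRUNC('DAY', event_timestamp) AS day,
       client_ip,
       COUNT_IF(is_success = 'YES') AS successful_logins,
       COUNT_IF(is_success = 'NO')  AS failed_logins
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'ELEMENTUM'
  AND event_timestamp >= DATEADD(DAY, -7, CURRENT_TIMESTAMP())
GROUP BY 1, 2
ORDER BY 1 DESC, 2;
```

An empty result from query 3 is the expected steady state; any row is worth investigating.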

Authentication

  • Use RSA key-pair authentication (not passwords)
  • Rotate keys periodically (recommended: every 90 days)
  • Store private keys securely
  • Never share credentials outside authorized personnel
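
Key rotation without a connection outage, as an added example that is not part of Elementum's setup script. It relies on Snowflake's second key slot (RSA_PUBLIC_KEY_2) and assumes Elementum has issued a replacement public key; how a new key pair is generated in the Elementum UI is not covered on this page, and the placeholder below is hypothetical.

```sql
-- Added example (not Elementum's script): two-slot key rotation for the service user.
USE ROLE ACCOUNTADMIN;

-- 1) Record the fingerprint of the key currently in use
--    (see the RSA_PUBLIC_KEY_FP and RSA_PUBLIC_KEY_2_FP rows in the output)
DESC USER ELEMENTUM;

-- 2) Install the replacement key in the second slot.
--    Snowflake accepts either key while both slots are populated,
--    so the existing connection keeps working during the switch.
ALTER USER ELEMENTUM SET RSA_PUBLIC_KEY_2 = '<PASTE_NEW_PUBLIC_KEY>';  -- placeholder

-- 3) Switch the Elementum connection to the new key pair and re-run
--    "Test Connection" in Elementum before continuing.

-- 4) Retire the old key so it can no longer authenticate
ALTER USER ELEMENTUM UNSET RSA_PUBLIC_KEY;

-- 5) Confirm only the new fingerprint remains
DESC USER ELEMENTUM;
```

On the next rotation the slots swap roles: set RSA_PUBLIC_KEY to the newer key, then unset RSA_PUBLIC_KEY_2.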

Monitoring

  • Review query history regularly
  • Monitor warehouse credit consumption
  • Set up cost alerts in Snowflake
  • Track data access patterns


This guide reflects the latest Snowflake and Elementum best practices. For additional assistance, contact [email protected].