Getting Started Overview

Start with the setup path

Getting started moves in order: install the Native App, grant the right app roles, enable Cortex permissions, assign the first admin seat, grant caller rights, verify diagnostics, and create your first project.

EntryLayer runs as a Snowflake Native App inside your customer Snowflake account. This section helps the first administrator get from Marketplace install to a working project without mixing up runtime privileges, product seats, project access, or Snowflake source privileges.

When to use this section

Use Getting Started when you are:

• evaluating the Marketplace install flow
• bootstrapping the first EntryLayer administrator
• validating Snowflake source discovery
• creating the first project from Snowflake, CSV/XLSX, or a blank form
• preparing handoff from Snowflake administration to builders and business users

Launch paths

Role	Start here	Goal
Snowflake admin	Installation	Install the Native App runtime and approve required privileges.
EntryLayer admin	Initial Setup	Grant app access, assign seats, enable Cortex, and configure caller rights.
Builder	Your First Project	Create a project and confirm generated form structure.
Business user	User Guide	Learn how to work records after a project is shared.
Cortex user	Cortex SQL API Skill	Use Cortex to discover and call the admin SQL API safely.

First-run sequence

1. Install EntryLayer from the Snowflake Marketplace listing.
2. Grant ENTRYLAYER_USER to the Snowflake roles that should open the app.
3. Grant ENTRYLAYER_ADMIN only to the small role that will run bootstrap SQL.
4. Enable SNOWFLAKE.CORTEX_USER from the installed app Permissions tab.
5. Assign at least one admin seat with API.SET_USER_SEAT.
6. Grant Restricted Caller Rights on the databases EntryLayer should browse.
7. Verify Org Settings and Snowflake Access Diagnostics.
8. Create the first project and confirm record access behaves as expected.

What access means

Access layer	What it controls	What it does not control
ENTRYLAYER_USER application role	Lets a Snowflake role open the installed app.	Does not assign an EntryLayer seat or source data access.
ENTRYLAYER_ADMIN application role	Allows controlled bootstrap and admin SQL API calls.	Does not automatically grant project can_read.
EntryLayer seat type	Controls product capabilities such as view, act, build, and admin.	Does not bypass project permissions.
Project access	Controls whether a user can read, act, manage, or administer a project.	Does not create new Snowflake source privileges.
Restricted Caller Rights	Lets EntryLayer use the signed-in user’s existing Snowflake source access.	Does not grant users access they do not already have.

Zero-access posture

EntryLayer source discovery is metadata-oriented during setup and uses Snowflake governance in the customer account. The app does not require provider-owned egress, does not sample source rows for setup documentation flows, and does not send submission values to provider-owned services.

Verification checklist

• The installed app opens from Snowsight.
• The first admin can open Org Settings.
• Members & Licenses shows the expected seat.
• Snowflake Access Diagnostics can see at least one intended database.
• A first project can be created from a governed source or starter form.

Related docs

• Installation
• Initial Setup
• Your First Project
• Native App Security Model
• Permission Model