Admin Guide
This guide is for Snowflake account administrators and 42Forms organization admins. It covers license management, user provisioning, data access governance, compute resources, and operational monitoring.
License Management
Section titled “License Management”42Forms uses a seat-based licensing model with four tiers. Every user who logs in is automatically provisioned with the free view tier. Paid tiers are assigned by an administrator using SQL procedures or the web UI. See Seat Types & Licensing for the full tier hierarchy.
Managing Licenses via SQL
Section titled “Managing Licenses via SQL”License commands are executed in Snowsight as stored procedures. They insert rows into a staging table that the API polls every 30 seconds.
-- Assign or change a tierCALL FORTY_TWO_FORMS_APP.CORE.SET_LICENSE('JSMITH', 'build');
-- Grant full admin accessCALL FORTY_TWO_FORMS_APP.CORE.SET_LICENSE('MJONES', 'admin');
-- Revoke paid access (drops to view)CALL FORTY_TWO_FORMS_APP.CORE.REVOKE_LICENSE('CONTRACTOR_1');
-- Convenience shortcutsCALL FORTY_TWO_FORMS_APP.CORE.ADD_ACT_LICENSE('JSMITH');CALL FORTY_TWO_FORMS_APP.CORE.ADD_BUILD_LICENSE('MJONES');CALL FORTY_TWO_FORMS_APP.CORE.ADD_ADMIN_LICENSE('BWILSON');
-- View current assignmentsCALL FORTY_TWO_FORMS_APP.CORE.LIST_USERS();If the user does not yet have an account, SET_LICENSE creates one automatically. Changes apply within 30 seconds.
Managing Licenses via Web UI
Section titled “Managing Licenses via Web UI”Admin-tier users can manage licenses from Org Settings > Members in the web interface. Use the seat type dropdown to change a tier - changes take effect immediately (no polling delay).
Billing Events
Section titled “Billing Events”Seat type changes fire a billing event via SYSTEM$CREATE_BILLING_EVENT. These events contain only the tier name and username - no PII, PHI, or query metadata.
Organization Management
Section titled “Organization Management”In Snowflake Marketplace mode, a single team organization is permitted per installation.
| Type | Description |
|---|---|
| Personal | Auto-created for each user. Cannot be deleted or renamed. |
| Team | Created by an admin. Scopes shared projects, members, and connections. One per install. |
Safeguards
Section titled “Safeguards”- The last admin of an organization cannot be demoted, deactivated, or removed (prevents lockout)
- Personal organizations cannot be archived or deleted
User Management
Section titled “User Management”Auto-Provisioning
Section titled “Auto-Provisioning”42Forms uses Snowflake’s native identity layer - no separate registration. When a user accesses 42Forms for the first time:
- The
Sf-Context-Current-Userheader identifies them (set by SPCS) - An account is created with
viewtier andactivestatus - If a pending invitation exists, it’s activated with the pre-assigned tier
Granting App Access
Section titled “Granting App Access”Before users can reach 42Forms, grant the service endpoint role:
GRANT SERVICE ROLE FORTY_TWO_FORMS_APP.CORE.FORTY_TWO_FORMS_SERVICE!ALL_ENDPOINTS_USAGE TO ROLE <your_role>;Pre-Provisioning via Invitation
Section titled “Pre-Provisioning via Invitation”Admins can invite users before first login from Org Settings > Members: invited users inherit the pre-assigned tier instead of defaulting to view.
Bulk Provisioning via SQL
Section titled “Bulk Provisioning via SQL”CALL FORTY_TWO_FORMS_APP.CORE.SET_LICENSE('ANALYST_1', 'build');CALL FORTY_TWO_FORMS_APP.CORE.SET_LICENSE('ANALYST_2', 'build');CALL FORTY_TWO_FORMS_APP.CORE.SET_LICENSE('ANALYST_3', 'build');CALL FORTY_TWO_FORMS_APP.CORE.ADD_ADMIN_LICENSE('TEAM_LEAD');Member Statuses
Section titled “Member Statuses”| Status | Meaning |
|---|---|
| active | Normal access per seat tier |
| pending | Invited, not yet logged in |
| deactivated | Blocked (403 on login). Data preserved, reactivation restores access. |
Compute and Warehouse Management
Section titled “Compute and Warehouse Management”Compute Pool
Section titled “Compute Pool”42Forms runs on a dedicated SPCS compute pool:
| Setting | Value |
|---|---|
| Name | forty_two_forms_pool |
| Instance Family | CPU_X64_XS (1 vCPU, 6 GB RAM) |
| Min / Max Nodes | 1 / 1 |
| Auto Suspend | 1800 seconds (30 minutes) |
Warehouse
Section titled “Warehouse”A dedicated XSmall warehouse for Cortex AI calls:
| Setting | Value |
|---|---|
| Name | FORTY_TWO_FORMS_WH |
| Size | XSmall |
| Auto Suspend | 60 seconds |
Suspend / Resume
Section titled “Suspend / Resume”-- Save credits when not in useCALL FORTY_TWO_FORMS_APP.CORE.SUSPEND_APP();
-- Resume (allow 1-2 minutes for containers to start)CALL FORTY_TWO_FORMS_APP.CORE.RESUME_APP();Monitoring and Troubleshooting
Section titled “Monitoring and Troubleshooting”Service Status
Section titled “Service Status”SELECT SYSTEM$GET_SERVICE_STATUS('FORTY_TWO_FORMS_APP.CORE.FORTY_TWO_FORMS_SERVICE');Service Logs
Section titled “Service Logs”-- API logs (most useful for debugging)CALL SYSTEM$GET_SERVICE_LOGS( 'FORTY_TWO_FORMS_APP.CORE.FORTY_TWO_FORMS_SERVICE', 0, 'api', 100);Common Issues
Section titled “Common Issues”| Problem | Resolution |
|---|---|
| App does not load after install | Wait 2-3 minutes, check service status |
| ”Database does not exist or not authorized” | Re-run caller grants for the database |
| User sees 403 error | Reactivate from Org Settings |
| License change not taking effect | Wait 30s, check API logs for poll_license_commands errors |
| Semantic views not appearing | Grant INHERITED CALLER SELECT, REFERENCES ON ALL SEMANTIC VIEWS |
| RBAC not enforced on a database | Expected for shared/imported databases |
License Command Debugging
Section titled “License Command Debugging”SELECT id, username, seat_type, processed, created_atFROM FORTY_TWO_FORMS_APP.CORE.LICENSE_COMMANDSORDER BY created_at DESC LIMIT 20;Backup and Recovery
Section titled “Backup and Recovery”What Persists Across Restarts
Section titled “What Persists Across Restarts”All application data lives in Snowflake Hybrid Tables (FORTY_TWO_FORMS_DB.APP_DATA). This persists across service restarts, compute pool suspend/resume, and standard upgrades.
Your business data (the tables 42Forms reads/writes) lives in your own databases and is unaffected.
What Happens on Reinstall
Section titled “What Happens on Reinstall”If the app is dropped and recreated (DROP APPLICATION CASCADE + CREATE APPLICATION):
- The
license_commandsstaging table is recreated empty - Caller Rights grants are lost - re-run for all databases
- License assignments must be re-applied via
SET_LICENSE - Hybrid Table data persists if
FORTY_TWO_FORMS_DBis not dropped
Emergency Admin Recovery
Section titled “Emergency Admin Recovery”-- Direct Hybrid Table accessUPDATE FORTY_TWO_FORMS_DB.APP_DATA.ORGANIZATIONMEMBERSET seat_type = 'admin', is_admin = TRUEWHERE snowflake_username = 'YOUR_USERNAME';
-- Or use the SQL procedureCALL FORTY_TWO_FORMS_APP.CORE.SET_LICENSE('YOUR_USERNAME', 'admin');Recommended Practices
Section titled “Recommended Practices”- Export license assignments periodically:
CALL FORTY_TWO_FORMS_APP.CORE.LIST_USERS() - Document caller grants in a runbook for quick re-application
- Keep admin username records outside the app
Quick Reference
Section titled “Quick Reference”-- License managementCALL FORTY_TWO_FORMS_APP.CORE.SET_LICENSE('USERNAME', 'tier');CALL FORTY_TWO_FORMS_APP.CORE.REVOKE_LICENSE('USERNAME');CALL FORTY_TWO_FORMS_APP.CORE.LIST_USERS();
-- Suspend / resumeCALL FORTY_TWO_FORMS_APP.CORE.SUSPEND_APP();CALL FORTY_TWO_FORMS_APP.CORE.RESUME_APP();
-- MonitoringSELECT SYSTEM$GET_SERVICE_STATUS('FORTY_TWO_FORMS_APP.CORE.FORTY_TWO_FORMS_SERVICE');CALL SYSTEM$GET_SERVICE_LOGS('...SERVICE', 0, 'api', 100);
-- Grant data access (per database)GRANT CALLER USAGE ON DATABASE MY_DB TO APPLICATION FORTY_TWO_FORMS_APP;GRANT INHERITED CALLER USAGE ON ALL SCHEMAS IN DATABASE MY_DB TO APPLICATION FORTY_TWO_FORMS_APP;GRANT INHERITED CALLER SELECT ON ALL TABLES IN DATABASE MY_DB TO APPLICATION FORTY_TWO_FORMS_APP;GRANT INHERITED CALLER SELECT ON ALL VIEWS IN DATABASE MY_DB TO APPLICATION FORTY_TWO_FORMS_APP;GRANT CALLER USAGE ON WAREHOUSE FORTY_TWO_FORMS_WH TO APPLICATION FORTY_TWO_FORMS_APP;