Snowflake Data Clean Rooms: Administrator tasks¶

This topic describes the tasks for the administrator of a Snowflake Data Clean Room. For information about implementing a clean environment for the first time, see Overview of Snowflake Data Clean Rooms.

Manage clean room users¶

Access to the UI and API is managed using application roles. Different roles grant access to the API and the UI.

The user must also be assigned a default warehouse and granted usage on it.

Manage access to the clean room UI¶

To grant access to the clean room UI, assign the appropriate clean room UI roles to a user or sub-role. The following roles are used to access or manage the clean room UI:

  • ACCOUNTADMIN: Used to install or uninstall the clean room environment. Grants access to the Snowflake Admin page, used to manage the service user and account features such as Cross-Cloud Auto-Fulfillment, external and Iceberg tables, and dataset registration for UI users. This role includes the privileges of all the other clean room roles.

  • MANAGE_CLEANROOMS: Allows one to create, update, delete, and install cleanrooms, and create, update, delete, and run analyses in the clean room UI.

  • MANAGE_DCR_PROFILE_AND_FEATURES: Grants access to the Profile & Features page in the :ui:Admin section, where you can manage the company profile and control which third-party connectors can be used in clean rooms.

  • MANAGE_DCR_CONNECTORS: Grants access to the Connectors page, where you can configure third-party connectors.

  • MANAGE_DCR_COLLABORATORS: Grants access to the Collaborators page, where you can manage the list of approved collaborators for UI users. Does not control the list of collaborators available to API users, who can invite any Snowflake account to collaborate.

Example

USE ROLE ACCOUNTADMIN;
CREATE ROLE dcr_access;

-- Choose your privileges:
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_CLEANROOMS TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_COLLABORATORS TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_PROFILE_AND_FEATURES TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_CONNECTORS TO ROLE dcr_access;

GRANT USAGE ON WAREHOUSE <your_warehouse> TO ROLE dcr_access;
ALTER USER <some_user> SET DEFAULT_WAREHOUSE  =  <your_warehouse>;
GRANT ROLE dcr_access to USER <some_user>;
Copy

Manage API users¶

Clean rooms defines the following roles to manage access to the UI and API. All roles are application roles, within the SAMOOHA_BY_SNOWFLAKE scope.

The following Snowflake roles are used to access or manage the API:

  • ACCOUNTADMIN: The role used to install or uninstall the Clean Room environment.

  • SAMOOHA_APP_ROLE: Grants full permission to the clean room API in this account. (This role is used by the web application to communicate with the API.

  • Run-only developer role: Users with SAMOOHA_APP_ROLE can create a limited-access role. This role, also called a run role, grants permission to use a subset of API procedures on a subset of clean rooms. These limited roles can be granted to users to provide scoped usage in your account for specific users, such as data analysts. Create limited roles by calling consumer.grant_run_on_cleanrooms_to_role.

Grant or revoke full API access¶

The SAMOOHA_APP_ROLE role grants full API access to all clean rooms in an account.

Grant full API access:

USE ROLE ACCOUNTADMIN;
GRANT ROLE SAMOOHA_APP_ROLE TO USER <user_name>;
Copy

Revoke full API access:

USE ROLE ACCOUNTADMIN;
REVOKE ROLE SAMOOHA_APP_ROLE FROM USER <user_name>;
Copy

Grant limited API access¶

You can grant limited API access to specified clean rooms in your account. Limited access grants the ability to run only a subset of consumer procedures, such as consumer.run_analysis, but not the ability to create, join, or modify clean rooms.

Here is how to grant limited access to a user:

  1. A full-access user with who can grant the SAMOOHA_APP_ROLE role creates a new role, and assigns the role limited permissions:

    -- Create the role
    USE ROLE ACCOUNTADMIN;
    CREATE ROLE MARKETING_ANALYST_ROLE;
    GRANT USAGE ON WAREHOUSE APP_WH TO MARKETING_ANALYST_ROLE; -- Or whichever warehouse you are using
    
    -- Grant the role limited privileges on a subset of clean rooms.
    CALL samooha_by_snowflake_local_db.consumer.grant_run_on_cleanrooms_to_role(
      [$cleanroom_1, $cleanroom_2],
      'MARKETING_ANALYST_ROLE'
    );
    
    -- Grant the role to a user.
    GRANT ROLE MARKETING_ANALYST_ROLE TO USER george.washington;
    
    Copy
  2. The user then uses their limited role to perform specific actions in the clean room account:

     -- User george.washington logs in and uses the limited role.
     USE WAREHOUSE APP_WH
     USE ROLE MARKETING_ANALYST_ROLE;
    
     -- Consumer-run analyses should succeed.
     CALL samooha_by_snowflake_local_db.consumer.run_analysis(
       $cleanroom_name,
       'prod_overlap_analysis',
       ['SAMOOHA_SAMPLE_DATABASE.MYDATA.CONVERSIONS'],  -- Consumer tables
       ['SAMOOHA_SAMPLE_DATABASE.DEMO.EXPOSURES'],      -- Provider tables
       object_construct(
         'max_age', 30
       )
     );
    
    -- Clean room creation and management procedures fail.
    CALL samooha_by_snowflake_local_db.provider.cleanroom_init($cleanroom_name, 'INTERNAL');
    
    Copy

To see which users were granted a specific role:

SHOW GRANTS OF ROLE <run_role_name>;
Copy

Revoke limited API access¶

  • To revoke run privileges from this role, call consumer.revoke_run_on_cleanrooms_from_role.

  • To revoke run privileges for a single user, revoke the role from the user.

Manage clean room collaborators¶

Collaborators are users invited to join a clean room by the clean room creator.

When using the clean room UI, creators can invite collaborators from a list. This list is managed by someone with the MANAGE_DCR_COLLABORATORS role.

Clean room API users are not limited by a predefined list, and can add any clean room collaborator by Snowflake account locator.

If a Snowflake collaborator has an account in a different region than your Snowflake account, your account administrator must enable Cross-Cloud Auto-Fulfillment before you can add them as a collaborator.

If you want to invite a collaborator without a Snowflake account, you must first create a clean room managed account for them.

To curate the collaborator list used in the clean room UI, you need the MANAGE_DCR_COLLABORATORS role.

  1. /INCLUDE/cleanrooms/text/text-sign-in-page.txt

  2. In the left navigation, select Collaborators.

  3. Do one of the following:

    • If the collaborator has a Snowflake account, select Snowflake Partners » + Snowflake Partner. Respond to the prompts to enter the details of the collaborator’s Snowflake account.

    • If the collaborator is not a Snowflake customer, select the Managed Accounts tab to create a clean room managed account for them.

Add warehouse options¶

Any warehouse for which the SAMOOHA_APP_ROLE role has usage and operate privileges can be used to run analyses. To add warehouses that can be used by clean room users to execute analyses, create a warehouse and then grant privileges on it to the SAMOOHA_APP_ROLE.

For example, to add a warehouse my_big_warehouse that can be used to run analyses, execute the following commands from a worksheet:

USE ROLE ACCOUNTADMIN;

CREATE WAREHOUSE my_big_warehouse WITH WAREHOUSE_SIZE = X5LARGE;
GRANT USAGE, OPERATE ON WAREHOUSE my_big_warehouse TO ROLE SAMOOHA_APP_ROLE;
Copy

Monitor web app activity¶

As an administrator, you can track what users are doing in the web app by monitoring the query history in your Snowflake account. You can identify query history entries that correspond to activity in the web app because the value of user_name is the name of the service user that was created when the Snowflake account was configured.

You can use the user_email query tag to identify which clean room user performed an action.

To access the query history for your clean room environment, do one of the following, depending on whether you want to use SQL or Snowsight:

Snowsight:
  1. Sign in the Snowflake account associated with your clean room environment as a user with the ACCOUNTADMIN role.

  2. Select Monitoring » Query History.

  3. Use the User filter to select the service account user associated with the clean room environment.

SQL:
  • Execute queries against the QUERY_HISTORY view in the ACCOUNT_USAGE schema of the shared SNOWFLAKE database.

    For example, to trace the web app activity of the user joe@example.com, execute the following code:

    SELECT *,
      TRY_PARSE_JSON(query_tag) AS query_tag_details
      FROM snowflake.account_usage.query_history
      WHERE query_tag_details IS NOT NULL
        AND query_tag_details:request_type = 'DCR'
        AND query_tag_details:user_email = 'joe@example.com';
    
    Copy

Monitor provider-run analyses¶

A provider-run analysis refers to the process of a provider creating and sharing a clean room, then running an analysis in the clean room after the consumer links their data. These analyses run in the consumer’s account, not the provider’s. This section describes how the consumer can track the queries executed by the provider’s analyses in the clean room.

Snowflake Data Clean Rooms assigns a query tag to each query executed for a provider-run analysis. This query tag takes the form cleanroom_UUID_provider_account_locator. A consumer can retrieve all queries associated with provider-run analyses by searching for the query tag in the query history of their account.

To retrieve the query, first obtain the UUID for a clean room, then search for the query tag. In the following code, replace cleanroom_name and provider_account_locator with the appropriate values.

-- Retrieve clean room UUID
SELECT cleanroom_id FROM samooha_by_snowflake_local_db.public.cleanroom_record
  WHERE cleanroom_name = '<cleanroom_name>';

-- Retrieve queries with provider-run query tag
SELECT * FROM snowflake.account_usage.query_history
  WHERE query_tag = cleanroom_id || '<provider_account_locator>;
Copy

You can also use Snowsight to filter the query history by the appropriate query tag after using SQL to retrieve the clean room UUID.

Customize available connectors¶

Connectors let you integrate your clean room environment with your ecosystem partners. As the clean room administrator for a provider, you can customize the clean room environment to limit which connectors appear as options for the clean room user. For example, if you have a single preferred activation partner, you can configure the clean room environment so that the partner is the only option when a consumer activates the results of an analysis in a clean room.

Note

Your customizations apply to new clean rooms only.

To control which connectors are available in a clean room, you need the MANAGE_DCR_CONNECTORS role.

  1. Sign in to the web app.

  2. In the left navigation, select Admin » Profile & Features.

  3. Optional: To customize activation connectors, follow these steps:

    1. On the Activation tile, select Edit.

    2. Select which activation options you want to display, and then select Save.

  4. Optional: To customize identity and data provider connectors, follow these steps:

    1. On the Identity & Data Provider tile, select Edit.

    2. Select which identity options you want to display, and then select Save.

Brand your clean rooms¶

You can configure a profile for your clean room environment so every clean room created is branded with your logo and company name. To define the logo and name for your company, you need the MANAGE_DCR_PROFILE_AND_FEATURES role.

  1. Sign in to the web app.

  2. In the left navigation, select Admin » Profile & Features.

  3. In the Company profile section, do the following:

    1. Upload a logo for your company in JPG or PNG format. This logo will appear on every clean room that is created.

    2. Edit the Company Name to define the name that you want to appear on the clean rooms that are created in your environment.

Enable single sign-on (SSO)¶

You can enable single sign-on (SSO) to access the web UI. This enhancement simplifies user access by eliminating the need for managing additional login credentials for the clean room UI while leveraging the enhanced security controls of your Identity Provider (IDP). Supported SSO providers include Okta, Azure AD, and PingFederate.

To enable SSO, contact Snowflake Support.

Allow key-pair authentication¶

The service account user that the clean room environment uses to communicate with your Snowflake account uses key-pair authentication to authenticate. If your Snowflake account uses authentication policies to control how users authenticate, then the authentication policy controlling the service account user must allow key-pair authentication.

To allow key-pair authentication, either remove all authentication policies, or add an authentication policy with AUTHENTICATION_METHODS = ALL or AUTHENTICATION_METHODS = KEYPAIR. If your Snowflake account has an account-level authentication policy that does not allow key-pair authentication, you need to create a new authentication policy with the appropriate parameter, then assign the policy to the service account user that was created during the installation process.

You can check your authentication policies by running this command:

SHOW AUTHENTICATION POLICIES;
Copy

An empty results table indicates no policies, which means that key-pair authentication is allowed.

Configure network policies¶

If your Snowflake account uses a network policy to control network traffic, you must explicitly allow traffic from the IP addresses that the web app uses to communicate with your Snowflake account.

Find your cloud provider account region in the table below and configure your account network policy to allow all the IP addresses listed in that row:

Snowflake account region

Allow these IP addresses for the web app

  • AWS US West (Oregon)

  • AWS US East (Ohio)

  • AWS US East (N. Virginia)

  • AWS South America (Sao Paulo)

  • Azure West US 2 (Washington)

  • Azure Central US (Iowa)

  • Azure South Central US (Texas)

  • Azure East US 2 (Virginia)

  • GCP US Central1 (Iowa)

  • GCP US East4 (N. Virginia)

52.7.249.136
34.195.16.248
52.7.210.215
  • AWS Canada (Central)

  • Azure Canada Central (Toronto)

15.223.145.218
3.96.6.109
15.222.142.44
  • AWS EU (Ireland)

  • AWS Europe (London)

  • AWS EU (Paris)

  • AWS EU (Frankfurt)

  • AWS EU (Stockholm)

  • AWS EU (Zurich)

  • Azure UK South (London)

  • Azure North Europe (Ireland)

  • Azure West Europe (Netherlands)

  • Azure Switzerland North (Zurich)

  • Azure UAE North (Dubai)

  • GCP Europe West2 (London)

  • GCP Europe West4 (Netherlands)

54.93.86.99
3.126.238.8
3.127.143.168
  • AWS Asia Pacific (Mumbai)

  • Azure Central India (Pune)

35.154.94.29
13.235.168.249
15.206.48.175
  • AWS Asia Pacific (Singapore)

  • AWS Asia Pacific (Tokyo)

  • AWS Asia Pacific (Osaka)

  • AWS Asia Pacific (Seoul)

  • AWS Asia Pacific (Jakarta)

  • Azure Southeast Asia (Singapore)

  • Azure Japan East (Tokyo)

13.228.90.174
52.220.42.130
52.220.249.16
  • AWS Asia Pacific (Sydney)

  • Azure Australia East (New South Wales)

52.65.205.236
52.62.198.227
3.104.160.96

See details about the service account for this environment¶

The web application uses a service account to communicate with Snowflake. This service account was created by the account administrator when they installed the Clean Room environment for this account.

You cannot modify details about the service account user.

To see details about the service account for this Clean Room environment you need the MANAGE_DCR_PROFILE_AND_FEATURES role.

  1. /INCLUDE/cleanrooms/text/text-sign-in-page.txt

  2. Navigate to Admin > Snowflake Admin.

  3. On the Snowflake Admin page you can see information such as the service user name and service user email.