Snowflake Data Clean Rooms: Administrator tasks¶
This topic describes the tasks for the administrator of a Snowflake Data Clean Room. For information about implementing a clean environment for the first time, see Overview of Snowflake Data Clean Rooms.
Manage clean room users¶
Access to the UI and API is managed using application roles. Different roles grant access to the API and the UI.
The user must also be assigned a default warehouse and granted usage on it.
Manage access to the clean room UI¶
To grant access to the clean room UI, assign the appropriate clean room UI roles to a user or sub-role. The following roles are used to access or manage the clean room UI:
ACCOUNTADMIN: Used to install or uninstall the clean room environment. Grants access to the Snowflake Admin page, used to manage the service user and account features such as Cross-Cloud Auto-Fulfillment, external and Iceberg tables, and dataset registration for UI users. This role includes the privileges of all the other clean room roles.
MANAGE_CLEANROOMS: Allows one to create, update, delete, and install cleanrooms, and create, update, delete, and run analyses in the clean room UI.
MANAGE_DCR_PROFILE_AND_FEATURES: Grants access to the Profile & Features page in the
:ui:Adminsection, where you can manage the company profile and control which third-party connectors can be used in clean rooms.MANAGE_DCR_CONNECTORS: Grants access to the Connectors page, where you can configure third-party connectors.
MANAGE_DCR_COLLABORATORS: Grants access to the Collaborators page, where you can manage the list of approved collaborators for UI users. Does not control the list of collaborators available to API users, who can invite any Snowflake account to collaborate.
Example
USE ROLE ACCOUNTADMIN;
CREATE ROLE dcr_access;
-- Choose your privileges:
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_CLEANROOMS TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_COLLABORATORS TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_PROFILE_AND_FEATURES TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_CONNECTORS TO ROLE dcr_access;
GRANT USAGE ON WAREHOUSE <your_warehouse> TO ROLE dcr_access;
ALTER USER <some_user> SET DEFAULT_WAREHOUSE = <your_warehouse>;
GRANT ROLE dcr_access to USER <some_user>;
Manage API users¶
Clean rooms defines the following roles to manage access to the UI and API. All roles are application roles, within the SAMOOHA_BY_SNOWFLAKE scope.
The following Snowflake roles are used to access or manage the API:
ACCOUNTADMIN: The role used to install or uninstall the Clean Room environment.
SAMOOHA_APP_ROLE: Grants full permission to the clean room API in this account. (This role is used by the web application to communicate with the API.
Run-only developer role: Users with SAMOOHA_APP_ROLE can create a limited-access role. This role, also called a run role, grants permission to use a subset of API procedures on a subset of clean rooms. These limited roles can be granted to users to provide scoped usage in your account for specific users, such as data analysts. Create limited roles by calling
consumer.grant_run_on_cleanrooms_to_role.
Grant or revoke full API access¶
The SAMOOHA_APP_ROLE role grants full API access to all clean rooms in an account.
Grant full API access:
USE ROLE ACCOUNTADMIN;
GRANT ROLE SAMOOHA_APP_ROLE TO USER <user_name>;
Revoke full API access:
USE ROLE ACCOUNTADMIN;
REVOKE ROLE SAMOOHA_APP_ROLE FROM USER <user_name>;
Grant limited API access¶
You can grant limited API access to specified clean rooms in your account. Limited access grants the ability to run only a
subset of consumer procedures, such as consumer.run_analysis, but not the ability
to create, join, or modify clean rooms.
Here is how to grant limited access to a user:
A full-access user with who can grant the SAMOOHA_APP_ROLE role creates a new role, and assigns the role limited permissions:
-- Create the role USE ROLE ACCOUNTADMIN; CREATE ROLE MARKETING_ANALYST_ROLE; GRANT USAGE ON WAREHOUSE APP_WH TO MARKETING_ANALYST_ROLE; -- Or whichever warehouse you are using -- Grant the role limited privileges on a subset of clean rooms. CALL samooha_by_snowflake_local_db.consumer.grant_run_on_cleanrooms_to_role( [$cleanroom_1, $cleanroom_2], 'MARKETING_ANALYST_ROLE' ); -- Grant the role to a user. GRANT ROLE MARKETING_ANALYST_ROLE TO USER george.washington;
The user then uses their limited role to perform specific actions in the clean room account:
-- User george.washington logs in and uses the limited role. USE WAREHOUSE APP_WH USE ROLE MARKETING_ANALYST_ROLE; -- Consumer-run analyses should succeed. CALL samooha_by_snowflake_local_db.consumer.run_analysis( $cleanroom_name, 'prod_overlap_analysis', ['MY_DB.MYDATA.CONVERSIONS'], -- Consumer tables ['MY_DB.MYDATA.EXPOSURES'], -- Provider tables object_construct( 'max_age', 30 ) ); -- Clean room creation and management procedures fail. CALL samooha_by_snowflake_local_db.provider.cleanroom_init($cleanroom_name, 'INTERNAL');
To see which users were granted a specific role:
SHOW GRANTS OF ROLE <run_role_name>;
Revoke limited API access¶
To revoke run privileges from this role, call
consumer.revoke_run_on_cleanrooms_from_role.To revoke run privileges for a single user, revoke the role from the user.
Manage clean room collaborators¶
Collaborators are users invited to join a clean room by the clean room creator.
When using the clean room UI, creators can invite collaborators from a list. This list is managed by someone with the MANAGE_DCR_COLLABORATORS role.
Clean room API users are not limited by a predefined list, and can add any clean room collaborator by Snowflake account locator.
If a Snowflake collaborator has an account in a different region than your Snowflake account, your account administrator must enable Cross-Cloud Auto-Fulfillment before you can add them as a collaborator.
If you want to invite a collaborator without a Snowflake account, you must first create a clean room managed account for them.
To curate the collaborator list used in the clean room UI, you need the MANAGE_DCR_COLLABORATORS role.
/INCLUDE/cleanrooms/text/text-sign-in-page.txt
In the left navigation, select Collaborators.
Do one of the following:
If the collaborator has a Snowflake account, select Snowflake Partners » + Snowflake Partner. Respond to the prompts to enter the details of the collaborator’s Snowflake account.
If the collaborator is not a Snowflake customer, select the Managed Accounts tab to create a clean room managed account for them.
When using the clean room API, providers can add collaborators by Snowflake account locator using the provider.add_consumers
procedure.
Add warehouse options¶
Any warehouse for which the SAMOOHA_APP_ROLE role has usage and operate privileges can be used to run analyses. To add warehouses that can be used by clean room users to execute analyses, create a warehouse and then grant privileges on it to the SAMOOHA_APP_ROLE.
For example, to add a warehouse my_big_warehouse that can be used to run analyses, execute the following commands from a worksheet:
USE ROLE ACCOUNTADMIN;
CREATE WAREHOUSE my_big_warehouse WITH WAREHOUSE_SIZE = X5LARGE;
GRANT USAGE, OPERATE ON WAREHOUSE my_big_warehouse TO ROLE SAMOOHA_APP_ROLE;
Monitor web app activity¶
As an administrator, you can track what users are doing in the web app by monitoring the query history in your Snowflake account. You can
identify query history entries that correspond to activity in the web app because the value of user_name is the name of the service
user that was created when the Snowflake account was configured.
You can use the user_email query tag to identify which clean room user performed an action.
To access the query history for your clean room environment, do one of the following, depending on whether you want to use SQL or Snowsight:
- Snowsight:
Sign in the Snowflake account associated with your clean room environment as a user with the ACCOUNTADMIN role.
Select Monitoring » Query History.
Use the User filter to select the service account user associated with the clean room environment.
- SQL:
Execute queries against the QUERY_HISTORY view in the ACCOUNT_USAGE schema of the shared SNOWFLAKE database.
For example, to trace the web app activity of the user
joe@example.com, execute the following code:SELECT *, TRY_PARSE_JSON(query_tag) AS query_tag_details FROM snowflake.account_usage.query_history WHERE query_tag_details IS NOT NULL AND query_tag_details:request_type = 'DCR' AND query_tag_details:user_email = 'joe@example.com';
Monitor provider-run analyses¶
A provider-run analysis refers to the process of a provider creating and sharing a clean room, then running an analysis in the clean room after the consumer links their data. These analyses run in the consumer’s account, not the provider’s. This section describes how the consumer can track the queries executed by the provider’s analyses in the clean room.
Snowflake Data Clean Rooms assigns a query tag to each query executed for a provider-run analysis. This query tag takes the form
cleanroom_UUID_provider_account_locator. A consumer can retrieve all queries associated with provider-run analyses by searching
for the query tag in the query history of their account.
To retrieve the query, first obtain the UUID for a clean room, then search for the query tag. In the following code, replace
cleanroom_name and provider_account_locator with the appropriate values.
-- Retrieve clean room UUID
SELECT cleanroom_id FROM samooha_by_snowflake_local_db.public.cleanroom_record
WHERE cleanroom_name = '<cleanroom_name>';
-- Retrieve queries with provider-run query tag
SELECT * FROM snowflake.account_usage.query_history
WHERE query_tag = cleanroom_id || '<provider_account_locator>;
You can also use Snowsight to filter the query history by the appropriate query tag after using SQL to retrieve the clean room UUID.
Customize available connectors¶
Connectors let you integrate your clean room environment with your ecosystem partners. As the clean room administrator for a provider, you can customize the clean room environment to limit which connectors appear as options for the clean room user. For example, if you have a single preferred activation partner, you can configure the clean room environment so that the partner is the only option when a consumer activates the results of an analysis in a clean room.
Note
Your customizations apply to new clean rooms only.
To control which connectors are available in a clean room, you need the MANAGE_DCR_CONNECTORS role.
In the left navigation, select Admin » Profile & Features.
Optional: To customize activation connectors, follow these steps:
On the Activation tile, select Edit.
Select which activation options you want to display, and then select Save.
Optional: To customize identity and data provider connectors, follow these steps:
On the Identity & Data Provider tile, select Edit.
Select which identity options you want to display, and then select Save.
Brand your clean rooms¶
You can configure a profile for your clean room environment so every clean room created is branded with your logo and company name. To define the logo and name for your company, you need the MANAGE_DCR_PROFILE_AND_FEATURES role.
In the left navigation, select Admin » Profile & Features.
In the Company profile section, do the following:
Upload a logo for your company in JPG or PNG format. This logo will appear on every clean room that is created.
Edit the Company Name to define the name that you want to appear on the clean rooms that are created in your environment.
Enable single sign-on (SSO)¶
To enable single sign-on (SSO) with Snowflake Authentication, contact Snowflake Support.
Allow key-pair authentication¶
The service account user that the clean room environment uses to communicate with your Snowflake account uses key-pair authentication to authenticate. If your Snowflake account uses authentication policies to control how users authenticate, then the authentication policy controlling the service account user must allow key-pair authentication.
To allow key-pair authentication, either remove all authentication policies, or add an authentication policy with AUTHENTICATION_METHODS = ALL
or AUTHENTICATION_METHODS = KEYPAIR. If your Snowflake account has an account-level authentication policy that does not allow key-pair
authentication, you need to create a new authentication policy with the appropriate parameter, then assign the policy to the service
account user that was created during the installation process.
You can check your authentication policies by running this command:
SHOW AUTHENTICATION POLICIES;
An empty results table indicates no policies, which means that key-pair authentication is allowed.
Enable or disable activation in the clean room UI¶
Activation when using the clean room UI is controlled globally by a clean room administrator. Activation in the clean room API is controlled at the clean room level by the provider.
This section shows how to enable or disable activation when using the clean room UI. To learn how to enable activation when using the API, read the activation instructions.
Provider and consumer activation are enabled by default in your clean room account when using the clean room UI. Third-party activation must be enabled manually.
Here is how to enable or disable activation for UI users in your account:
Sign in to the clean room environment in the web app as a DCR administrator.
Select Admin » Profile & Features.
In the Activation section, select Edit.
To manage consumer activation: Check or clear the checkbox next to Collaborator Account.
To manage provider activation: Check or clear the checkbox next to your own account name.
To manage third-party activation: Check or clear the checkbox next to the third-party activation target you wish to enable or disable. Third-party activation is enabled through connectors, and is available only in the clean room UI. See the list of available third party connectors.
Configure network policies¶
If your Snowflake account uses a network policy to control network traffic, you must explicitly allow traffic from the IP addresses that the web app uses to communicate with your Snowflake account.
Find your cloud provider account region in the table below and configure your account network policy to allow all the IP addresses listed in that row:
Snowflake account region |
Allow these IP addresses for the web app |
|---|---|
|
52.7.249.136
34.195.16.248
52.7.210.215
|
|
15.223.145.218
3.96.6.109
15.222.142.44
|
|
54.93.86.99
3.126.238.8
3.127.143.168
|
|
35.154.94.29
13.235.168.249
15.206.48.175
|
|
13.228.90.174
52.220.42.130
52.220.249.16
|
|
52.65.205.236
52.62.198.227
3.104.160.96
|
See details about the service account for this environment¶
The web application uses a service account to communicate with Snowflake. This service account was created by the account administrator when they installed the Clean Room environment for this account.
You cannot modify details about the service account user.
To see details about the service account for this Clean Room environment you need the MANAGE_DCR_PROFILE_AND_FEATURES role.
/INCLUDE/cleanrooms/text/text-sign-in-page.txt
Navigate to Admin > Snowflake Admin.
On the Snowflake Admin page you can see information such as the service user name and service user email.