Provider-run analysis¶

Permission to run queries in a clean room are managed in the clean rooms UI using the Enable run analysis & query toggle in the Share clean room panel in the clean room’s configuration flow. To enable or disable provider-run analyses, the clean room provider enables the toggle next to their own account in that panel. This toggle cannot be changed after a clean room is created; if you want to change permission for a specific account to run queries in a published clean room, you must delete the clean room and create a new one.

Here are the steps to enable provider-run analysis in a new clean room:

1. The provider creates and configures a clean room, using one of the supported templates.

2. In the Share Clean Room step of clean room configuration, toggle on Enable run analysis & query next to your account to enable you to run templates that support provider analysis in this clean room.

3. When the consumer joins the clean room, they will be warned before joining that provider-run analysis is enabled for that clean room.

4. The consumer configures the clean room as normal for all templates in the clean room, including any templates that support provider analysis. If the consumer does not want to enable a provider to run a specific template, they can omit required details for that template. Note that templates that support provider analysis also support consumer analysis.

5. After the consumer has joined and configured the clean room, both the provider and the consumer can run templates in the clean room through the normal analysis flow.

6. Provider-run analysis permissions cannot be revoked after they’re granted. The only way to stop provider-run analyses is for the provider or consumer to delete the clean room.

The provider can enable and disable both provider- and consumer-run analysis in a clean room by making the appropriate API calls. However, any time a change is made in an existing clean room to the provider-run analysis setting, the clean room must be re-installed by all consumers for the change to take effect. Because it can be difficult to force all collaborators to re-install a clean room, it is more reliable for the provider to delete a published, shared clean room when changing the analysis permissions, then create a new clean room with the desired permissions.

Here is the general flow for creating a new clean room that allows provider-run analyses:

1. Provider

   1. Create and configure your clean room and data and policies in the standard way.

   2. Add consumers in the standard way.

   3. Enable provider-run analysis for specific consumer accounts in the clean room by calling provider.enable_provider_run_analysis. This procedure must be called after adding consumers to a clean room, but before any consumer installs the clean room. Each consumer account must approve this request separately, or their data will not be accessible for provider-run analyses in this clean room.

   4. Publish the clean room.

   5. Let your consumers know that the clean room is available, the name of the clean room, and what templates you want to run in the clean room.

2. Consumer

   1. Install the clean room, link in your data, and set join and column policies in the standard way.

   2. Allow provider analysis for specific templates in the clean room by calling consumer.enable_templates_for_provider_run. It’s important that you call this procedure after configuring your join and column policies; if you enable this feature first, the provider will be able to join and project all your columns until you set these policies. Typically, the provider will let you know that you need to approve provider-run analyses in a clean room, but you can also check whether this capability is requested by calling library.is_provider_run_enabled.

   3. Tell the provider that you have installed the clean room and approved provider-run analyses.

3. Provider

   1. Enable your analyses to access consumer data by calling provider.mount_request_logs_for_all_consumers after the consumer has installed the clean room. If a new consumer account installs the clean room later and you want to use their data in this template, you must re-run this procedure to be able to access that data.

   2. Run the analysis by calling provider.submit_analysis_request with the template name, the table names, and the template arguments. Save the response ID, which is required to check the status and results of the analysis.

   3. Check the status of the analysis by calling provider.check_analysis_status. When status is reported as COMPLETED, call provider.get_analysis_result to get the analysis results.

Tip

If you change the provider-run analysis setting for your clean room, you must uninstall and then re-install the clean room for the change to take effect.

Install and run the code example

You can download and install a complete running example of a clean room that enables and runs a provider-run analysis. To run this example, you need two Snowflake accounts in the same organization and cloud hosting region with the clean rooms environment installed.

1. Download the example notebook.

2. Install the notebook in both your provider and consumer accounts. To upload a notebook, do the following:

   1. Navigate to Projects » Notebooks in Snowsight.

   2. Select + Notebook » Import .ipynb file.

   3. Select the .ipynb file you downloaded.

   4. Name the file as desired, and choose a database and schema.

   5. Keep the default warehouse APP_WH.

   6. Select Create.

   7. Open the notebook in the provider account and complete the provider portion to create the clean room.

   8. Open the notebook in the consumer account and complete the consumer portion to install and configure the clean room and run the template.