Installing the Snowflake Data Clean Rooms environment¶

This page lists the requirements for installing Snowflake Data Clean Rooms in your account, an overview of how the product works, and the different tools for using Snowflake Data Clean Rooms. If you are a Snowflake administrator and want to install clean rooms in your account, read Installing the Snowflake Data Clean Rooms environment.

Installing clean rooms in your account¶

The Snowflake data clean rooms environment is installed once for an entire Snowflake account (not once per user or clean room) by someone with ACCOUNTADMIN privileges on the Snowflake account.

If you got an emailed invitation to join a clean room, you already have clean rooms installed in your Snowflake account. You can read the rest of this page to learn more about clean room usage, but you don’t need to install anything, only to join the clean room.
If you are an account administrator and the clean room environment is not installed in your Snowflake account, read the account requirements below. If you have all the requirements, follow these instructions for installing the clean room environment for your Snowflake account.
If you are not an account administrator, ask an account administrator whether Snowflake Data Clean Rooms is installed for your account. If not, ask them to install it and grant you access. If it is, ask them to grant you permission to access clean rooms.
If you are a developer, someone with ACCOUNTADMIN access in your account must grant you access to the SAMOOHA_APP_ROLE.

Overview of Snowflake Data Clean Rooms¶

Data clean rooms are configurable, isolated Snowflake environments where collaborators can import data, specify what queries can be run against that data, and set data protection settings such as differential privacy and limiting joinable and projectable rows. Access to a clean room is by invitation only.

Clean rooms do not support monetization features. Providers are billed for various background processes required to enable clean rooms; the account running a query is billed standard Snowflake costs for the data and compute usage. For more information about costs, see Understanding cost.

You must be invited by a clean room provider to be able to access a clean room. If you want to open up your clean room to a larger audience, you must provide a way for potential collaborators to contact you to provide their Snowflake account to be invited (or an email address for non-Snowflake users).

Here is a high-level overview of how clean rooms are used in Snowflake.

Clean rooms environment installation¶

The Snowflake data clean rooms environment is installed once for an entire Snowflake account (not once per user or per clean room) by someone with ACCOUNTADMIN privileges on the Snowflake account.

The administrator configures the environment to specify which users in that account can create clean rooms, which users have API access, which accounts can be invited to collaborate in a clean room, what data a clean room creator can import into the clean room, and which (if any) third-party services can be used to export query results from any clean room created in this account.

If a clean room environment has already been installed for your account, reach out to your clean rooms administrator for access. If a clean room environment has not been installed for your account, learn how to install the environment.

After the environment has been installed and configured, the administrator grants permission to other Snowflake users to act as clean room administrators (DCR admins), clean room creators (clean room managers), and developers.

Learn more

Learn more about the Snowflake Data Clean rooms roles..
Learn how to install and configure the clean rooms environment.
By default, you can share clean rooms only with accounts in the same web hosting region. The administrator can enable sharing with accounts in other regions.
See other tasks that clean rooms administrators perform.

Creating a clean room¶

The Snowflake account administrator grants permission to users in their account to create clean rooms. When you create a clean room, you are considered a provider for that clean room. Providers can configure and share clean rooms with users in other Snowflake accounts (or even non-Snowflake users), who are called consumers for clean rooms shared with them.

After creating a clean room, the provider imports tables or views into it, specifies what queries can be run against their data, which columns in their data can be joined or appear in the results, and what can be done with the results. (You can create variations on the standard clean room, as described later.)

The provider then invites consumers to join the clean room, import their own tables and views, and run one of the queries specified by the provider. Consumers must be pre-approved by a clean rooms administrator before they can be invited to a clean room.

Learn more

Clean rooms can be created either in code or using the web application. Permission to create a clean room is granted differently for web users and coders.
Tables can be imported from both Snowflake accounts and non-Snowflake Iceberg tables on AWS, Azure, and Google.
Before data can be imported into a clean room, it must be registered by a user with admin privileges over the source data.
You can invite Snowflake and non-Snowflake users to join a clean room.
Learn more about the provider role in Snowflake Data Clean Rooms.

Joining a clean room¶

After creating and configuring a clean room, the provider sends invitations to users in other accounts to join the clean room. These invited users are called consumers or sometimes collaborators. Consumers invited through the web application receive an emailed invitation to join the clean room. Snowflake users must have the clean rooms environment installed in order to be invited to join a clean room, but you can invite non-Snowflake users to join a clean room. A Snowflake account must be allowlisted by a clean rooms administrator before a clean room creator can invite users in that account.

(In the web application both “join” and “install” are used to describe when a consumer accepts a clean room invitation. This is because a clean room must literally be installed in the consumer’s clean room environment.)

After joining a clean room, a consumer imports any data needed for the templates in that clean room, specifies how their data can be accessed, such as which columns can be joined or projected, provides any template-specific filters or other parameters, then runs the template. Consumers can specify a repeating run of the template, if desired. Results can be viewed in the browser, or downloaded. If the provider has enabled activation and the consumer approves, the consumer can export the results to the approved locations (their own Snowflake account, or a third-party activation connector designated by the provider).

All data imported into a clean room is accessible only through a template installed in the clean room. That is, data imported cannot be directly queried by either party–the provider or consumer–but can only be accessed through a template in that clean room. Each party also sets rules on their own data: which columns can be joined and not projected, or projected but not joined, and which templates can access which tables that they own. Each party can also delete their data from the clean room at any time.

By default, only a consumer can run queries in a clean room, but the provider can enable a clean room to support provider-run queries. If a clean room supports provider-run queries, the consumer will be alerted to this before they join the clean room.

Learn more

Clean rooms support differential privacy. Differential privacy can be enabled and configured by either the provider or consumer.
Learn more about the consumer role in Snowflake Data Clean Rooms.

Running queries¶

Every clean room has one or more templates installed. A template is a SQL query that can include run-time parameters provided by the person running the template. These parameters enable users to specify which tables in the clean room are used in the query, which columns are used in the query, and WHERE clause filters.

Snowflake provides a set of standard templates for use in the web app. These templates enable common use cases such as audience overlap, audience lookalike, inventory forecasting, and arbitrary SQL queries.

Developers can create custom templates to use in their clean rooms.

Queries can be run in the web application or in code. Query results can be viewed or downloaded, or can be shared to the provider, the consumer, or an approved third-party if activation is allowed in that clean room.

Learn more

By default, only consumers can run a template in a clean room. However, a provider can ask permission of the consumer to run a template in a clean room.
The template and clean room configuration define what can be done with the query results. If the query results are exported outside the clean room, this is called activation. Results can be activated to a Snowflake account of the provider or consumer, or to a Snowflake-approved third party.

Clean room variations¶

The most common clean room, as described above, is one where a provider imports data and specifies one or more specific queries that can be run against the data and how the results can be shared, and the consumer imports their own data and runs the permitted queries against the combined data. However, a provider can permit several variations on the standard clean room:

Allow the provider to run their own queries against consumer data.. By default, only the consumer can run queries in a clean room. If enabled for a clean room, a provider can request permission from the consumer to run a specific query in the clean room.
Allow the query results to be exported (activated) to the Snowflake account of the person running the query or to a Snowflake-approved third-party account, such as Meta Ads Manager or The Trade Desk. Exporting data outside the clean room is always subject to approval by all parties who shared the data being queried.
Allow either party to include custom Python code that can be called by the query they run. This code typically filters or manipulates the data in some way as the query is being run; it cannot take external actions such as saving a file, exporting data, or performing other actions.
Allow the query to access data in other clean rooms, subject to approval by the providers of all the clean rooms being accessed.
Chain multiple queries together.

About providers and consumers¶

Clean room collaborators are classified as either a provider or a consumer for a given clean room. The provider is the account that creates a clean room; the consumer is the account that is shared a clean room. You cannot invite someone in the same account where you created a clean room to act as a consumer for that clean room. All users in the same Snowflake account have the same clean room role (provider or consumer) for the same clean rooms in that account.

Whether you are a provider or consumer is determined solely by whether you created or were shared a clean room, not by any Snowflake roles or other permissions.

Here is more information about the provider and consumer roles.

Tip

Sometimes the word collaborator is used to mean a consumer or anyone with access to a given clean room.

Providers¶

A provider is defined as the account that created a clean room. Anyone accessing the clean room from that account is considered to be a provider for that clean room.

Providers perform the following clean room actions:

Create, share, and delete clean rooms
Specify who can use a clean room as a consumer (invites consumers)
Import data into a clean room
Define which templates can be run in a clean room
Specify whether consumers can run a custom template in a clean room
Invite consumers to share the clean room
Specify which templates are used in a clean room, and create custom templates for the clean room
Run queries on consumer data, if the consumer consents
Permit chained templates
Load python script into a clean room to use in a template
Permit provider data from this clean room to be queried with data from other specified clean rooms in a consumer query
Enable or disable differential privacy for the clean room or consumer
Manage versioning of the clean room
Set column and join policies on their own data

Consumers¶

A consumer is defined as an account that was extended an invitation by a provider to join (install) a clean room.

Consumers perform the following clean room actions (according to the clean room configuration):

Join (install) a clean room for their account
Import data into the clean room
Run any queries supported by the clean room
Export query results as enabled by the clean room
Request permission to use their own template in a clean room
Specify whether providers can run a template in the clean room (by default, only consumers can run a template)
Allow the clean room provider to run queries against the consumer’s data
Run a query that spans their data and provider data from multiple clean rooms, if the providers in all the affected clean rooms agree.
Load python script into the clean room (with the permission of the provider)
Set column and join policies on their own data
Set differential privacy settings for provider-run queries

Ways to access Snowflake data clean rooms¶

Snowflake data clean rooms provide both a no-code web application and an API to create and manage clean rooms. Currently the web application and the API are not exactly equivalent in capabilities. Here is a summary of tasks that can be performed in only one environment:

Web-app-only features	API-only features
Environment management tasks, such as clean room logo, name, and description, the list of available activation or identity connectors. Managing the list of administrator, provider, and (potential) consumer accounts. Scheduling repeating runs of a template. (You can schedule runs using other scripting tools such as cron jobs.) Using identity providers.	Creating custom templates, either provider or consumer Creating template chains Multi-provider analysis

Note that you can create a clean room in the web app and use or manage it in the API, and vice versa.

Web application¶

Snowflake data clean rooms can be managed and used in a browser. You can use the web application to create, manage, and use clean rooms as a provider or consumer, to administer the web application or the entire clean rooms environment for your Snowflake account. The web application is the only way to manage the clean rooms environment.

Permissions and access: The web app is managed by the clean rooms manager. You must be granted access to use the web app by the DCR administrator for your Snowflake account.

The web application requires an email address, name, and password to log in. The email address is not required to match your Snowflake account email address, but is designated by the clean room administrator. Your user name and password are chosen by you.

The web application is accessed at a separate URL from Snowsight, the Snowflake web application. The URL is specific to each account.

To get a feel for using the web application, try out the web application tutorial, or read more about the web application.

API¶

Snowflake provides a number of stored procedures to create or run clean rooms. These procedures can be called through Snowsight notebooks or worksheets or any other command-line interface where you can run stored procedures in your Snowflake account.

These procedures enable you to perform most of the consumer or provider actions needed to create, manage or use a clean room as a provider or consumer. The API does not enable administrative actions; to administer a clean room you must use the web app. Read the reference documentation for the API.

Permissions and access: In order to use the API you must be granted access to use the samooha_app_role by the DCR administrator for your Snowflake account. When using the API, use your Snowflake login credentials.

Read about the clean rooms API or try out the API tutorial.