Manage clean room users and access¶

Overview¶

This topic describes how an account administrator manages user access to the clean rooms UI and API in their account.

Access to the clean rooms UI and API are granted separately. Clean rooms defines several application roles that permit access to the API and various subsections of the UI. The account administrator creates a custom role, grants the desired application roles to allow fine-grained access to the UI and API, then grants the role to various users in that account.

This strategy utilizes the Snowflake role-based access control (RBAC) model to delegate privileges appropriately to clean room users and collaborators in their account. For more information about RBAC, see Overview of Access Control. To see which users were granted a specific role, run the following SQL command:

SHOW GRANTS OF ROLE <role_name>;
Copy

Tip

This topic uses the following terms:

  • Clean room users: Users who have been granted access to the clean rooms UI or API in their Snowflake account.

  • Clean room collaborators: Consumers invited to join a clean room by the clean room provider. A collaborator is also a clean room user — that is, they must have access to the clean rooms UI or API to be able to accept an invitation and use the clean room.

Manage access to the clean rooms UI¶

One can access the clean rooms UI with the proper roles. A clean room user must also be assigned a default warehouse and granted the USAGE privilege on it.

The following roles grant permission to manage or access the clean rooms UI:

  • ACCOUNTADMIN: Role used to install or uninstall the clean rooms environment. This role also enables access to the Snowflake Admin page in the clean rooms UI. Account administrators use this page to manage the service user and account features such as Cross-Cloud Auto-Fulfillment, external and Iceberg tables, and dataset registration for UI users. This role has all clean room UI privileges; a user running as ACCOUNTADMIN doesn’t need any additional UI application roles.

  • MANAGE_CLEANROOMS: Application role that provides the ability to create, update, delete, and install cleanrooms, and create, update, delete, and run analyses in the clean rooms UI.

  • MANAGE_DCR_PROFILE_AND_FEATURES: Application role that provides access to the Profile & Features page in the Admin section of the UI, where you can manage the company profile and control which third-party connectors can be used in clean rooms.

  • MANAGE_DCR_CONNECTORS: Application role that provides access to the Connectors page in the UI, where you can configure third-party connectors.

  • MANAGE_DCR_COLLABORATORS: Application role that provides access to the Collaborators page in the UI, where you can manage the list of approved collaborators available to clean room providers in the UI. This role does not control the list of collaborators available to providers when using API; API users can invite anyone to collaborate. For more information, see Manage clean room collaborators.

Example

The following code shows how to create a custom role, grant that role several UI capabilities, and then grant the custom role to a user.

-- Create the role.
USE ROLE ACCOUNTADMIN;
CREATE ROLE dcr_access;

-- Grant capabilities to the new role.
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_CLEANROOMS TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_COLLABORATORS TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_PROFILE_AND_FEATURES TO ROLE dcr_access;
GRANT APPLICATION ROLE SAMOOHA_BY_SNOWFLAKE.MANAGE_DCR_CONNECTORS TO ROLE dcr_access;

-- Assign the role to a user.
-- You must also grant access to a default warehouse to the role.
GRANT USAGE ON WAREHOUSE <your_warehouse> TO ROLE dcr_access;
ALTER USER <some_user> SET DEFAULT_WAREHOUSE  =  <your_warehouse>;
GRANT ROLE dcr_access to USER <some_user>;
Copy

Manage API users¶

API access is managed using roles. The following Snowflake roles are used to access or manage the API:

  • ACCOUNTADMIN: The role used to install or uninstall the Clean Rooms environment. This role does not include SAMOOHA_APP_ROLE; to use the API, you must use SAMOOHA_APP_ROLE.

  • SAMOOHA_APP_ROLE: This role grants full permission to the clean rooms API in this account. (This role is used by the clean rooms UI to communicate with the API.)

  • Run-only developer role: Someone using SAMOOHA_APP_ROLE can grant usage on a limited-access role. This role, also called a run role, grants permission to use a subset of API procedures on a subset of clean rooms in the consumer context. These limited roles can be granted to roles to provide scoped usage in your account for specific users, such as data analysts.

Grant or revoke full API access¶

The SAMOOHA_APP_ROLE role grants a user full API access to all clean rooms in an account.

Grant full API access:

USE ROLE ACCOUNTADMIN;
GRANT ROLE SAMOOHA_APP_ROLE TO USER <user_name>;
Copy

Revoke full API access:

USE ROLE ACCOUNTADMIN;
REVOKE ROLE SAMOOHA_APP_ROLE FROM USER <user_name>;
Copy

Grant limited API access¶

You can grant limited API access to specified clean rooms in your account. Limited access grants the ability to call only a subset of consumer procedures, such as consumer.run_analysis, but not the ability to install, create, join, or modify a clean room.

Here is how to grant limited access to a user:

  1. A user with full API access who can grant the SAMOOHA_APP_ROLE role creates a new role, and assigns limited functionality to that role:

    -- Create the role.
USE ROLE ACCOUNTADMIN;
CREATE ROLE MARKETING_ANALYST_ROLE;
GRANT USAGE ON WAREHOUSE APP_WH TO MARKETING_ANALYST_ROLE; -- Or whichever warehouse you are using

-- Grant limited functionality to the role for a subset of clean rooms.
CALL samooha_by_snowflake_local_db.consumer.grant_run_on_cleanrooms_to_role(
  [$cleanroom_1, $cleanroom_2],
  'MARKETING_ANALYST_ROLE'
);

-- Grant the role to a user.
GRANT ROLE MARKETING_ANALYST_ROLE TO USER george.washington;
    Copy

  2. The user then uses their limited role to perform specific actions in the clean room account:

     -- User george.washington logs in and uses the limited role.
 USE WAREHOUSE APP_WH
 USE ROLE MARKETING_ANALYST_ROLE;
 USE SECONDARY ROLES NONE;

 -- Consumer-run analyses should succeed.
 CALL samooha_by_snowflake_local_db.consumer.run_analysis(
   $cleanroom_name,
   'prod_overlap_analysis',
   ['MY_DB.MYDATA.CONVERSIONS'],  -- Consumer tables
   ['MY_DB.MYDATA.EXPOSURES'],      -- Provider tables
   object_construct(
     'max_age', 30
   )
 );

-- Clean room creation and management procedures fail.
CALL samooha_by_snowflake_local_db.provider.cleanroom_init($cleanroom_name, 'INTERNAL');
    Copy

Revoke limited API access¶

Manage clean room collaborators¶

Collaborators are users invited to join a clean room as a consumer by a clean room provider.

When using the clean rooms UI, creators can invite collaborators from a collaborators list that is managed by someone using the MANAGE_DCR_COLLABORATORS role.

When using the clean rooms API, providers are not limited by a predefined collaborators list, and can add any clean room collaborator by Snowflake account locator. If you want to invite a collaborator without a Snowflake account, you must first create a clean room managed account for them.

Note

If a Snowflake collaborator has an account in a different region than your Snowflake account, your account administrator must enable Cross-Cloud Auto-Fulfillment before you can add them as a collaborator.

To manage the collaborator list used in the clean rooms UI, you need the MANAGE_DCR_COLLABORATORS role.

  1. Navigate to the Snowflake Data Clean Rooms login page.

  2. In the left navigation, select Collaborators.

  3. Do one of the following:

    • If the collaborator has a Snowflake account, select Snowflake Partners » + Snowflake Partner. Respond to the prompts to enter the details of the collaborator’s Snowflake account.

    • If the collaborator is not a Snowflake customer, select the Managed Accounts tab to create a clean room managed account for them.

Language: English