Overview of roles in Snowflake Data Clean Room¶

Overview of roles and components¶

The Snowflake DCR Application consists of two main components:

• A native application that runs in the customer’s account and executes all actions requested by the web application.

• A web application that provides a no-code browser-based interface. The web application is a wrapper that calls the native application to perform actions. The web application is used for the following purposes:

  • By the Snowflake administrator, to install the clean rooms environment and manage Snowflake account-level features.

  • By the web application manager, to manage access to the web application within their account.

  • By non-technical business users to create clean rooms or run queries in a clean room (to act as providers or consumers).

The following diagram shows the various clean room functions and objects, and the Snowflake roles that they require.

The Snowflake administrator, DCR administrator, and clean room manager all access the native application through the web application. The web application uses a service account, DCR_SERVICE_USER, created by the Snowflake administrator. This service account uses the SAMOOHA_APP_ROLE to access the native application. Developers access the native application directly using the SAMOOHA_APP_ROLE.

The diagram shows the four basic functional roles that a user can have in a clean room. One user can act in multiple roles in a given organization.

• Snowflake Administrator: The Snowflake administrator installs and manages the clean rooms environment for a Snowflake account. Management is done mostly using the web application. This role requires the ACCOUNTADMIN role to perform executive actions. Snowflake administrators perform the following tasks:

  • Install the clean room environment.

  • Designate clean rooms administrators.

  • Create the DCR_SERVICE_USER service account needed to run the web application (more on this later).

  • Designate which Snowflake data can be imported into clean rooms in this account by clean room creators.

  • Install and configure various third-party connectors, such as activation connectors (for exporting clean room data to third parties), identity provider connectors (for managing entity PID), and external data connectors (for importing non-Snowflake data).

• DCR administrator: The clean rooms administrator manages the clean rooms environment for a Snowflake account after it has been installed by the Snowflake administrator. This person uses the web application for management tasks. Under the hood, they are using the DCR_SERVICE_USER service account, described below. Clean rooms administrators perform the following tasks:

  • Add other clean rooms administrators.

  • Enable and configure various third-party connectors, such as activation connectors (for exporting clean room data to third parties), identity provider connectors (for managing entity PID), and external data connectors (for importing non-Snowflake data). Enabled connectors can be used by clean room managers.

  • Review security scan results about potential security issues in custom clean room templates.

  • Add clean room managers and other DCR administrators.

• Clean room manager: The clean room manager role in the web application enables users to act as clean room providers and consumers using the web application. Clean room managers are added or removed by the DCR administrator. Under the hood, they are using the DCR_SERVICE_USER service account, described below. Clean room managers can perform the following actions:

  • Create, share, and delete clean rooms according to the general settings configured by the DCR administrator.

  • Specify or create templates for a clean room.

  • Configure differential privacy for a clean room.

  • Share a clean room with specific accounts.

  • Join (install and run) a clean room.

  • Import data into a clean room.

  • Run queries supported by a clean room.

  • Export query results as enabled by a clean room.

• Developer: A developer has the same capabilities as a clean room manager, but uses the API instead of the web application. A developer must use the SAMOOHA_APP_ROLE explicitly when making API calls. The DCR administrator manages developers for an account by granting or un-granting the SAMOOHA_APP_ROLE to the developer’s Snowflake account. A developer can perform the same tasks as a clean room manager except for selecting and configuring connectors.

• ACCOUNTADMIN: The role used by the Snowflake administrator to install and configure the clean rooms environment. Under the hood, this role also is used to assign the SAMOOHA_APP_ROLE to other team members when users are granted access to a clean rooms account.

• SAMOOHA_APP_ROLE: The role used for all non-environment-level management calls to the native app, whether through the web application or when called directly by an API developer. When a user is using the web app, this role is applied transparently to their requests.

• DCR_SERVICE_USER: A service account created by the Snowflake administrator at the time of DCR installation. This account is granted the SAMOOHA_APP_ROLE. The DCR administrator and clean room manager use this object transparently when using the web application.