Snowflake Data Clean Rooms: Administrator tasks
This topic describes the tasks for the administrator of a Snowflake Data Clean Room. For information about installing the clean room environment in your Snowflake account, see Installing the Snowflake Data Clean Rooms environment.
Using a different warehouse
Clean rooms come with several warehouses that can access the API. Choose the warehouse that is appropriate for your needs. You can also choose a custom warehouse size for specific actions, such as for provider activation.
However, your clean room can use any warehouse you choose, if you grant USAGE and OPERATE privileges on that warehouse to the SAMOOHA_APP_ROLE role.
For example, to add a warehouse my_big_warehouse that can be used to run analyses, execute the following commands from a worksheet:
USE ROLE ACCOUNTADMIN;
CREATE WAREHOUSE my_big_warehouse WITH WAREHOUSE_SIZE = X5LARGE;
GRANT USAGE, OPERATE ON WAREHOUSE my_big_warehouse TO ROLE SAMOOHA_APP_ROLE;
Monitor clean rooms UI activity
As an administrator, you can track what users are doing in the clean rooms UI by monitoring the query history in your Snowflake account. You can identify query history entries that correspond to activity in the clean rooms UI because the value of user_name is the name of the service user that was created when the Snowflake account was configured.
You can use the user_email query tag to identify which clean room user performed an action.
To access the query history for your clean room environment, do one of the following, depending on whether you want to use SQL or Snowsight:
- Snowsight:
Sign in to the Snowflake account associated with your clean room environment as a user with the ACCOUNTADMIN role.
Select Monitoring » Query History.
Use the User filter to select the service account user associated with the clean room environment.
- SQL:
Execute queries against the QUERY_HISTORY view in the ACCOUNT_USAGE schema of the shared SNOWFLAKE database.
For example, to trace the clean rooms UI activity of the user joe@example.com, execute the following code:
SELECT *, TRY_PARSE_JSON(query_tag) AS query_tag_details
FROM snowflake.account_usage.query_history
WHERE query_tag_details IS NOT NULL
AND query_tag_details:request_type = 'DCR'
AND query_tag_details:user_email = 'joe@example.com';
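To review activity across every clean rooms UI user rather than a single address, the same query tag fields can be aggregated. The following query is an added example, not part of the original Snowflake documentation; the 30-day window and the output column aliases are assumptions chosen for illustration.

```sql
-- Added example: per-user summary of clean rooms UI activity.
-- request_type and user_email are the query tag fields used in the query above.
-- The 30-day window and the output aliases are assumptions.
WITH dcr_queries AS (
    SELECT
        query_id,
        user_name,            -- service user created for the clean room environment
        start_time,
        execution_status,
        warehouse_name,
        TRY_PARSE_JSON(query_tag) AS tag   -- NULL when the tag is not valid JSON
    FROM snowflake.account_usage.query_history
    WHERE start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
)
SELECT
    tag:user_email::STRING                   AS user_email,
    user_name                                AS service_user,
    COUNT(*)                                 AS query_count,
    COUNT_IF(execution_status <> 'SUCCESS')  AS failed_queries,
    MIN(start_time)                          AS first_seen,
    MAX(start_time)                          AS last_seen,
    ARRAY_AGG(DISTINCT warehouse_name)       AS warehouses_used
FROM dcr_queries
WHERE tag IS NOT NULL
  AND tag:request_type = 'DCR'
GROUP BY 1, 2
-- A NULL user_email row means DCR-tagged queries that carry no user attribution.
ORDER BY last_seen DESC;
```

ACCOUNT_USAGE views are populated with a delay, so the most recent UI actions may not appear in the result immediately.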
Monitor provider-run analyses
A provider-run analysis refers to the process of a provider creating and sharing a clean room, then running an analysis in the clean room after the consumer links their data. These analyses run in the consumer’s account, not the provider’s. This section describes how the consumer can track the queries executed by the provider’s analyses in the clean room.
Snowflake Data Clean Rooms assigns a query tag to each query executed for a provider-run analysis. This query tag takes the form cleanroom_UUID_provider_account_locator. A consumer can retrieve all queries associated with provider-run analyses by searching for the query tag in the query history of their account.
To retrieve the query, first obtain the UUID for a clean room, then search for the query tag. In the following code, replace cleanroom_name and provider_account_locator with the appropriate values.
-- Retrieve clean room UUID
SELECT cleanroom_id FROM samooha_by_snowflake_local_db.public.cleanroom_record
WHERE cleanroom_name = '<cleanroom_name>';
-- Retrieve queries with provider-run query tag
-- <cleanroom_id> is the cleanroom_id value returned by the previous query
SELECT * FROM snowflake.account_usage.query_history
WHERE query_tag = '<cleanroom_id>' || '<provider_account_locator>';
You can also use Snowsight to filter the query history by the appropriate query tag after using SQL to retrieve the clean room UUID.
Customize available connectors
Connectors let you integrate your clean room environment with your ecosystem partners. As the clean room administrator for a provider, you can customize the clean room environment to limit which connectors appear as options for the clean room user. For example, if you have a single preferred activation partner, you can configure the clean room environment so that the partner is the only option when a consumer activates the results of an analysis in a clean room.
Note
Your customizations apply to new clean rooms only.
To control which connectors are available in a clean room, you need the MANAGE_DCR_CONNECTORS role.
In the left navigation, select Admin » Profile & Features.
Optional: To customize activation connectors, follow these steps:
On the Activation tile, select Edit.
Select which activation options you want to display, and then select Save.
Optional: To customize identity and data provider connectors, follow these steps:
On the Identity & Data Provider tile, select Edit.
Select which identity options you want to display, and then select Save.
Brand your clean rooms
You can configure a profile for your clean room environment so every clean room created is branded with your logo and company name. To define the logo and name for your company, you need the MANAGE_DCR_PROFILE_AND_FEATURES role.
In the left navigation, select Admin » Profile & Features.
In the Company profile section, do the following:
Upload a logo for your company in JPG or PNG format. This logo will appear on every clean room that is created.
Edit the Company Name to define the name that you want to appear on the clean rooms that are created in your environment.
Enable single sign-on (SSO)
To enable single sign-on (SSO) with Snowflake Authentication, contact Snowflake Support.
Allow key-pair authentication
The service account user that the clean room environment uses to communicate with your Snowflake account uses key-pair authentication to authenticate. If your Snowflake account uses authentication policies to control how users authenticate, then the authentication policy controlling the service account user must allow key-pair authentication.
To allow key-pair authentication, either remove all authentication policies, or add an authentication policy with AUTHENTICATION_METHODS = ALL or AUTHENTICATION_METHODS = KEYPAIR. If your Snowflake account has an account-level authentication policy that does not allow key-pair authentication, you need to create a new authentication policy with the appropriate parameter, then assign the policy to the service account user that was created during the installation process.
You can check your authentication policies by running this command:
SHOW AUTHENTICATION POLICIES;
An empty results table indicates no policies, which means that key-pair authentication is allowed.
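The case where an account-level policy blocks key-pair authentication can be handled with a policy scoped to the service account user alone. The following is an added example, not part of the original Snowflake documentation; the database, schema and policy names are hypothetical, and `<service_user_name>` is a placeholder for the service user created during installation. It uses KEYPAIR, the narrower of the two values named above.

```sql
-- Added example. security_db.policies and dcr_service_keypair_only are
-- hypothetical names; <service_user_name> is a placeholder.
USE ROLE ACCOUNTADMIN;

-- 1. List existing policies. An empty result means nothing restricts
--    key-pair authentication and the remaining steps are not needed.
SHOW AUTHENTICATION POLICIES;

-- 2. Create a policy that permits key-pair authentication only.
--    Authentication policies are schema-level objects, so the name is
--    qualified with a database and schema.
CREATE AUTHENTICATION POLICY security_db.policies.dcr_service_keypair_only
    AUTHENTICATION_METHODS = ('KEYPAIR')
    COMMENT = 'Key-pair only, for the clean room service account user';

-- 3. Assign the policy to the service account user rather than the account,
--    so the account-level policy keeps applying to every other user.
--    A policy set on a user overrides the account-level policy for that user.
ALTER USER <service_user_name>
    SET AUTHENTICATION POLICY security_db.policies.dcr_service_keypair_only;

-- 4. Confirm the allowed methods on the new policy.
DESCRIBE AUTHENTICATION POLICY security_db.policies.dcr_service_keypair_only;
```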
Enable or disable activation in the clean room UI
Activation when using the clean room UI is controlled globally by a clean room administrator. Activation in the clean room API is controlled at the clean room level by the provider.
This section shows how to enable or disable activation when using the clean room UI. To learn how to enable activation when using the API, read the activation instructions.
Provider and consumer activation are enabled by default in your clean room account when using the clean room UI. Third-party activation must be enabled manually.
Here is how to enable or disable activation for UI users in your account:
Sign in to the clean room environment in the clean rooms UI as a DCR administrator.
Select Admin » Profile & Features.
In the Activation section, select Edit.
To manage consumer activation: Check or clear the checkbox next to Collaborator Account.
To manage provider activation: Check or clear the checkbox next to your own account name.
To manage third-party activation: Check or clear the checkbox next to the third-party activation target you wish to enable or disable. Third-party activation is enabled through connectors, and is available only in the clean room UI. See the list of available third-party connectors.
Configure network policies
If your Snowflake account uses a network policy to control network traffic, you must explicitly allow traffic from the IP addresses that the clean rooms UI uses to communicate with your Snowflake account.
Find your cloud provider account region in the table below and configure your account network policy to allow all the IP addresses listed in that row:
Snowflake account region | Allow these IP addresses for the clean rooms UI |
---|---|
 | 52.7.249.136, 34.195.16.248, 52.7.210.215 |
 | 15.223.145.218, 3.96.6.109, 15.222.142.44 |
 | 54.93.86.99, 3.126.238.8, 3.127.143.168 |
 | 35.154.94.29, 13.235.168.249, 15.206.48.175 |
 | 13.228.90.174, 52.220.42.130, 52.220.249.16 |
 | 52.65.205.236, 52.62.198.227, 3.104.160.96 |
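One way to apply a row of this table is to hold its addresses in a dedicated network rule and add that rule to the existing account network policy. The following is an added example, not part of the original Snowflake documentation; the database, schema and rule names are hypothetical, `<account_network_policy_name>` is a placeholder, and the three addresses are the first row of the table, to be swapped for the row that matches your region.

```sql
-- Added example. security_db.policies.dcr_ui_ingress is a hypothetical name;
-- <account_network_policy_name> is a placeholder for your existing policy.
USE ROLE ACCOUNTADMIN;

-- 1. Find the network policy currently set on the account.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 2. Put the clean rooms UI addresses for your region in their own rule so
--    they can be reviewed or removed independently of other allowed ranges.
--    The values below are the first row of the table above.
CREATE NETWORK RULE security_db.policies.dcr_ui_ingress
    TYPE = IPV4
    MODE = INGRESS
    VALUE_LIST = ('52.7.249.136', '34.195.16.248', '52.7.210.215')
    COMMENT = 'Snowflake Data Clean Rooms UI source addresses';

-- 3. Add the rule to the existing policy without replacing its other rules.
ALTER NETWORK POLICY <account_network_policy_name>
    ADD ALLOWED_NETWORK_RULE_LIST = ('security_db.policies.dcr_ui_ingress');

-- 4. Confirm that the rule now appears in the allowed list.
DESCRIBE NETWORK POLICY <account_network_policy_name>;
```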
See details about the service account for this environment
The clean rooms UI uses a service account to communicate with Snowflake. This service account was created by the account administrator when they installed the Clean Room environment for this account.
You cannot modify details about the service account user.
To see details about the service account for this Clean Room environment you need the MANAGE_DCR_PROFILE_AND_FEATURES role.
Navigate to the Snowflake Data Clean Rooms login page.
Navigate to Admin > Snowflake Admin.
On the Snowflake Admin page you can see information such as the service user name and service user email.