Snowflake Data Clean Rooms: Administrator tasks¶

This topic describes the tasks for the administrator of a Snowflake Data Clean Room. For information about installing the clean room environment in your Snowflake account, see Installing the Snowflake Data Clean Rooms environment.

Using a different warehouse¶

Clean rooms come with several warehouses that can access the API. Choose the warehouse that is appropriate for your needs. You can also choose a custom warehouse size for specific actions, such as for provider activation.

However, your clean room can use any warehouse you choose, if you grant USAGE and OPERATE privileges on that warehouse to the SAMOOHA_APP_ROLE role.

For example, to add a warehouse my_big_warehouse that can be used to run analyses, execute the following commands from a worksheet:

USE ROLE ACCOUNTADMIN;

CREATE WAREHOUSE my_big_warehouse WITH WAREHOUSE_SIZE = X5LARGE;
GRANT USAGE, OPERATE ON WAREHOUSE my_big_warehouse TO ROLE SAMOOHA_APP_ROLE;

Copy

Monitor clean rooms UI activity¶

As an administrator, you can track what users are doing in the clean rooms UI by monitoring the query history in your Snowflake account. You can identify query history entries that correspond to activity in the clean rooms UI because the value of user_name is the name of the service user that was created when the Snowflake account was configured.

You can use the user_email query tag to identify which clean room user performed an action.

To access the query history for your clean room environment, do one of the following, depending on whether you want to use SQL or Snowsight:

Snowsight:

Sign in the Snowflake account associated with your clean room environment as a user with the ACCOUNTADMIN role.
Select Monitoring » Query History.
Use the User filter to select the service account user associated with the clean room environment.

SQL:

Execute queries against the QUERY_HISTORY view in the ACCOUNT_USAGE schema of the shared SNOWFLAKE database.

For example, to trace the clean rooms UI activity of the user joe@example.com, execute the following code:

SELECT *,
  TRY_PARSE_JSON(query_tag) AS query_tag_details
  FROM snowflake.account_usage.query_history
  WHERE query_tag_details IS NOT NULL
    AND query_tag_details:request_type = 'DCR'
    AND query_tag_details:user_email = 'joe@example.com';

Copy

Monitor provider-run analyses¶

A provider-run analysis refers to the process of a provider creating and sharing a clean room, then running an analysis in the clean room after the consumer links their data. These analyses run in the consumer’s account, not the provider’s. This section describes how the consumer can track the queries executed by the provider’s analyses in the clean room.

Snowflake Data Clean Rooms assigns a query tag to each query executed for a provider-run analysis. This query tag takes the form cleanroom_UUID_provider_account_locator. A consumer can retrieve all queries associated with provider-run analyses by searching for the query tag in the query history of their account.

To retrieve the query, first obtain the UUID for a clean room, then search for the query tag. In the following code, replace cleanroom_name and provider_account_locator with the appropriate values.

-- Retrieve clean room UUID
SELECT cleanroom_id FROM samooha_by_snowflake_local_db.public.cleanroom_record
  WHERE cleanroom_name = '<cleanroom_name>';

-- Retrieve queries with provider-run query tag
SELECT * FROM snowflake.account_usage.query_history
  WHERE query_tag = cleanroom_id || '<provider_account_locator>;

Copy

You can also use Snowsight to filter the query history by the appropriate query tag after using SQL to retrieve the clean room UUID.

Customize available connectors¶

Connectors let you integrate your clean room environment with your ecosystem partners. As the clean room administrator for a provider, you can customize the clean room environment to limit which connectors appear as options for the clean room user. For example, if you have a single preferred activation partner, you can configure the clean room environment so that the partner is the only option when a consumer activates the results of an analysis in a clean room.

Note

Your customizations apply to new clean rooms only.

To control which connectors are available in a clean room, you need the MANAGE_DCR_CONNECTORS role.

Sign in to the clean rooms UI.
In the left navigation, select Admin » Profile & Features.
Optional: To customize activation connectors, follow these steps:
1. On the Activation tile, select Edit.
2. Select which activation options you want to display, and then select Save.
Optional: To customize identity and data provider connectors, follow these steps:
1. On the Identity & Data Provider tile, select Edit.
2. Select which identity options you want to display, and then select Save.

Brand your clean rooms¶

You can configure a profile for your clean room environment so every clean room created is branded with your logo and company name. To define the logo and name for your company, you need the MANAGE_DCR_PROFILE_AND_FEATURES role.

Sign in to the clean rooms UI.
In the left navigation, select Admin » Profile & Features.
In the Company profile section, do the following:
1. Upload a logo for your company in JPG or PNG format. This logo will appear on every clean room that is created.
2. Edit the Company Name to define the name that you want to appear on the clean rooms that are created in your environment.

Enable single sign-on (SSO)¶

To enable single sign-on (SSO) with Snowflake Authentication, contact Snowflake Support.

Allow key-pair authentication¶

The service account user that the clean room environment uses to communicate with your Snowflake account uses key-pair authentication to authenticate. If your Snowflake account uses authentication policies to control how users authenticate, then the authentication policy controlling the service account user must allow key-pair authentication.

To allow key-pair authentication, either remove all authentication policies, or add an authentication policy with AUTHENTICATION_METHODS = ALL or AUTHENTICATION_METHODS = KEYPAIR. If your Snowflake account has an account-level authentication policy that does not allow key-pair authentication, you need to create a new authentication policy with the appropriate parameter, then assign the policy to the service account user that was created during the installation process.

You can check your authentication policies by running this command:

SHOW AUTHENTICATION POLICIES;

Copy

An empty results table indicates no policies, which means that key-pair authentication is allowed.

Enable or disable activation in the clean room UI¶

Activation when using the clean room UI is controlled globally by a clean room administrator. Activation in the clean room API is controlled at the clean room level by the provider.

This section shows how to enable or disable activation when using the clean room UI. To learn how to enable activation when using the API, read the activation instructions.

Provider and consumer activation are enabled by default in your clean room account when using the clean room UI. Third-party activation must be enabled manually.

Here is how to enable or disable activation for UI users in your account:

Sign in to the clean room environment in the clean rooms UI as a DCR administrator.
Select Admin » Profile & Features.
In the Activation section, select Edit.
- To manage consumer activation: Check or clear the checkbox next to Collaborator Account.
- To manage provider activation: Check or clear the checkbox next to your own account name.
- To manage third-party activation: Check or clear the checkbox next to the third-party activation target you wish to enable or disable. Third-party activation is enabled through connectors, and is available only in the clean room UI. See the list of available third party connectors.

Learn how to implement activation in a clean room.

Configure network policies¶

If your Snowflake account uses a network policy to control network traffic, you must explicitly allow traffic from the IP addresses that the clean rooms UI uses to communicate with your Snowflake account.

Find your cloud provider account region in the table below and configure your account network policy to allow all the IP addresses listed in that row:

Snowflake account region	Allow these IP addresses for the clean rooms UI
AWS US West (Oregon) AWS US East (Ohio) AWS US East (N. Virginia) AWS South America (Sao Paulo) Azure West US 2 (Washington) Azure Central US (Iowa) Azure South Central US (Texas) Azure East US 2 (Virginia) GCP US Central1 (Iowa) GCP US East4 (N. Virginia)	52.7.249.136 34.195.16.248 52.7.210.215
AWS Canada (Central) Azure Canada Central (Toronto)	15.223.145.218 3.96.6.109 15.222.142.44
AWS EU (Ireland) AWS Europe (London) AWS EU (Paris) AWS EU (Frankfurt) AWS EU (Stockholm) AWS EU (Zurich) Azure UK South (London) Azure North Europe (Ireland) Azure West Europe (Netherlands) Azure Switzerland North (Zurich) Azure UAE North (Dubai) GCP Europe West2 (London) GCP Europe West4 (Netherlands)	54.93.86.99 3.126.238.8 3.127.143.168
AWS Asia Pacific (Mumbai) Azure Central India (Pune)	35.154.94.29 13.235.168.249 15.206.48.175
AWS Asia Pacific (Singapore) AWS Asia Pacific (Tokyo) AWS Asia Pacific (Osaka) AWS Asia Pacific (Seoul) AWS Asia Pacific (Jakarta) Azure Southeast Asia (Singapore) Azure Japan East (Tokyo)	13.228.90.174 52.220.42.130 52.220.249.16
AWS Asia Pacific (Sydney) Azure Australia East (New South Wales)	52.65.205.236 52.62.198.227 3.104.160.96

See details about the service account for this environment¶

The clean rooms UI uses a service account to communicate with Snowflake. This service account was created by the account administrator when they installed the Clean Room environment for this account.

You cannot modify details about the service account user.

To see details about the service account for this Clean Room environment you need the MANAGE_DCR_PROFILE_AND_FEATURES role.

Navigate to the Snowflake Data Clean Rooms login page.
Navigate to Admin > Snowflake Admin.
On the Snowflake Admin page you can see information such as the service user name and service user email.