Snowflake Data Clean Rooms: Administrator tasks

This topic describes the tasks for the administrator of a Snowflake Data Clean Room. For information about implementing a clean room environment for the first time, see Getting started with Snowflake Data Clean Rooms.

Add collaborators

A clean room user who has the Admin role must define someone as a collaborator before other users can share a clean room with that collaborator.

Note

If a Snowflake customer has an account in a different region than your Snowflake account, your account administrator must enable Cross-Cloud Auto-Fulfillment before you can add them as a collaborator. For more information, including limitations of collaborating with customers in other regions, see Enable collaboration with consumers in different regions.

To add someone as a collaborator within a clean room environment:

  1. Navigate to the sign-in page.

  2. Sign in as a clean room administrator. This user does not need to have the ACCOUNTADMIN role in Snowflake.

  3. In the left navigation, select Collaborators.

  4. Do one of the following:

    • If the collaborator has a Snowflake account, select Snowflake Partners » + Snowflake Partner. You are prompted to enter the details of the collaborator’s Snowflake account.

    • If the collaborator is not a Snowflake customer, select the Managed Accounts tab to create a clean room managed account for them.

Add users

The process of adding clean room users depends on whether they are using the web app or developer APIs to work with the Snowflake Data Clean Room.

Web app:

To allow users to access the web app, do the following:

  1. Navigate to the sign-in page.

  2. Sign in as a clean room administrator. This user does not need to have the ACCOUNTADMIN role in Snowflake.

  3. Select User Management » User Management.

  4. Select + Users.

  5. Enter the email address of the new clean room user.

  6. Select the role of the new user.

The new user is sent an email with a link to join the clean room.

Developer APIs:

To allow users to use the developer APIs to programmatically work with clean rooms, do the following:

  1. Sign in to the Snowflake account associated with the clean room environment, which is where you installed the Snowflake Native App.

  2. Open a worksheet, and use the ACCOUNTADMIN role to assign the SAMOOHA_APP_ROLE role to the user. For example, to allow a user joe to use the developer APIs, you can execute:

    USE ROLE accountadmin;
    
    GRANT ROLE samooha_app_role TO USER joe;
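To review who currently holds developer API access, the following added example (not part of the original documentation) lists active holders of SAMOOHA_APP_ROLE with their last successful login, then revokes the role from a user who no longer needs it. It assumes you can read the ACCOUNT_USAGE views, which lag real time, and reuses the user joe from the example above.

```sql
USE ROLE accountadmin;

-- Active grants of the developer API role, least recently used first.
-- Users who have never logged in (NULL last_success_login) sort to the top.
SELECT
  g.grantee_name,
  g.granted_by,
  g.created_on          AS granted_on,
  u.disabled,
  u.last_success_login
FROM snowflake.account_usage.grants_to_users AS g
JOIN snowflake.account_usage.users AS u
  ON u.name = g.grantee_name
 AND u.deleted_on IS NULL            -- ignore dropped users
WHERE g.role = 'SAMOOHA_APP_ROLE'
  AND g.deleted_on IS NULL           -- ignore grants that were already revoked
ORDER BY u.last_success_login NULLS FIRST;

-- Remove developer API access from a user who no longer needs it.
REVOKE ROLE samooha_app_role FROM USER joe;
```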

Monitor web app activity

As an administrator, you can track what users are doing in the web app by monitoring the query history in your Snowflake account. You can identify query history entries that correspond to activity in the web app because the value of user_name is the name of the service account user that was created when the Snowflake account was configured.

You can use the user_email query tag to identify which clean room user performed an action.

To access the query history for your clean room environment, do one of the following, depending on whether you want to use SQL or Snowsight:

Snowsight:

  1. Sign in to the Snowflake account associated with your clean room environment as a user with the ACCOUNTADMIN role.

  2. Select Monitoring » Query History.

  3. Use the User filter to select the service account user associated with the clean room environment.

SQL:

Execute queries against the QUERY_HISTORY view in the ACCOUNT_USAGE schema of the shared SNOWFLAKE database.

For example, execute the following if you want to trace the web app activity of the user joe@company.com:

    SELECT *,
      TRY_PARSE_JSON(query_tag) AS query_tag_details
      FROM snowflake.account_usage.query_history
      WHERE query_tag_details IS NOT NULL
        AND query_tag_details:request_type = 'DCR'
        AND query_tag_details:user_email = 'joe@company.com';
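For a periodic review rather than a single-user trace, the following added example (not part of the original documentation) summarizes the last seven days of web app activity per clean room user, using the same request_type and user_email query tag fields. `<service_account_user>` is a placeholder for the service account user created when your Snowflake account was configured, and the seven-day window is an assumption.

```sql
-- Restrict to the service account first, then parse the query tag once.
WITH dcr_queries AS (
  SELECT
    query_id,
    start_time,
    execution_status,
    TRY_PARSE_JSON(query_tag) AS tag
  FROM snowflake.account_usage.query_history
  WHERE user_name = '<service_account_user>'   -- placeholder, replace with your value
    AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
)
SELECT
  -- Tagged DCR queries without a user_email are grouped under an explicit label
  -- so that unattributed activity stays visible in the report.
  COALESCE(tag:user_email::STRING, '(no user_email tag)') AS user_email,
  DATE_TRUNC('day', start_time)                           AS activity_day,
  COUNT(*)                                                AS queries,
  COUNT_IF(execution_status <> 'SUCCESS')                 AS failed_queries,
  MIN(start_time)                                         AS first_seen,
  MAX(start_time)                                         AS last_seen
FROM dcr_queries
WHERE tag:request_type::STRING = 'DCR'
GROUP BY 1, 2
ORDER BY activity_day DESC, queries DESC;
```

Rows in the ACCOUNT_USAGE views appear with some latency, so the most recent activity may not be included yet.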

Customize available connectors

Connectors let you integrate your clean room environment with your ecosystem partners. As the clean room administrator for a provider, you can customize the clean room environment to limit which connectors appear as options for the clean room user. For example, if you have a single preferred activation partner, you can configure the clean room environment so that the partner is the only option when a consumer activates the results of an analysis in a clean room.

Note

Your customizations apply to new clean rooms only.

To control which connectors are available in a clean room:

  1. Sign in to the web app.

  2. In the left navigation, select Admin » Clean Room Features.

  3. If you are customizing activation connectors, do the following:

    1. On the Activation tile, select Edit.

    2. Select which activation options you want to display, then select Save.

  4. If you are customizing identity and data provider connectors, do the following:

    1. On the Identity & Data Provider tile, select Edit.

    2. Select which identity options you want to display, then select Save.

Enable single sign-on (SSO)

Your clean room environment can be configured so users authenticate using your own identity provider via single sign-on (SSO). To enable SSO, contact datacleanroom-support@snowflake.com.