Snowflake Data Clean Rooms: Identity and data provider connectors¶
Note
Snowflake Data Clean Rooms do not currently support data subject consent management. Customers are responsible for ensuring they have obtained all necessary rights and consents to use the data linked in their clean rooms. Customers must also ensure compliance with all applicable laws and regulations when using Data Clean Rooms, including in connection with third-party connectors.
You can use connectors to integrate your clean room environment with what your ecosystem partners provides. This topic describes how the clean room admin can configure a connector so that users can enhance their data in the clean room with data provided by an identity partner.
If you are a provider who wants to control which connectors show up as options when a clean room user is creating or installing a clean room, see Customize available connectors.
Important
Third-party connectors are not offered by Snowflake and may be subject to additional terms. These integrations are made available for your convenience, but you are responsible for any content sent to or received from the integrations.
Customers are responsible for obtaining any necessary consents in connection with their use of Snowflake Data Clean Rooms. Please ensure that you are complying with applicable laws and regulations when using Snowflake Data Clean Rooms, including in connection with third-party connectors for activation purposes.
Acxiom Real ID connector¶
Acxiom Real ID lets you generate Real IDs securely within Snowflake, without ever needing to transfer personally identifiable information (PII) outside your Snowflake account.
Tip
For additional help, read the Acxiom Real ID documentation or contact accrealid@acxiom.com for support.
Prerequisites¶
Before configuring the Acxiom connector, you must contact Acxiom for help installing their native app.
Before a clean room administrator configures the connector, the owner of the Acxiom native app must:
Sign in to Snowsight.
Assume the role that has ownership rights to the Acxiom native app. For example, if the
acxiom_admin_rolerole is the owner of the Acxiom native app, execute:USE ROLE acxiom_admin_role;
Execute the following command to grant Snowflake Data Clean Rooms access to the Acxiom
realid_app_roleapplication role:GRANT APPLICATION ROLE <acxiom_app_database>.realid_app_role TO ROLE samooha_app_role;
Configure the Acxiom Real ID connector¶
To configure the Acxiom Real ID connector:
In the left navigation, select Connectors.
Select the Identity & Data Providers tab.
Expand Acxiom - Real ID.
In the Application Database field, enter the name of the application database that was installed by the Acxiom native app.
In the Warehouse drop-down list, select the warehouse size. We recommend
DCR_WH_XLarge, but you can read Acxiom’s guidance on warehouse size and performance. For more information about creating a warehouse for use with Snowflake Data Clean Rooms, see Add warehouse options.Select Save.
Acxiom Real ID Transcoding connector¶
The transcoding functionality of Acxiom Real ID lets you generate a crosswalk of your Acxiom Real IDs and your business partners’ Acxiom Real IDs, without ever needing to transfer PII outside your Snowflake account.
Tip
For additional help, read the Acxiom Real ID Transcoding application or contact accrealid@acxiom.com for support.
Prerequisites¶
You must have installed the Acxiom Real ID native app, as described previously.
You must install the Acxiom Real ID Transcoding application.
Contact your collaborators to get the client ID and client secret generated for them when they installed the Acxiom Real ID Transcoding native app.
Before a clean room administrator configures the connector, the owner of the Acxiom native app must:
Sign in to Snowsight.
Assume the role that has ownership rights to the Acxiom native app. For example, if the
acxiom_admin_rolerole is the owner of the Acxiom native app, execute:USE ROLE acxiom_admin_role;
Execute the following command to grant Snowflake Data Clean Rooms access to the Acxiom
realid_app_roleapplication role:GRANT APPLICATION ROLE <acxiom_app_database>.realid_app_role TO ROLE samooha_app_role;
Configure the Acxiom Real ID Transcoding connector¶
To configure the Acxiom Real ID Transcoding connector:
In the left navigation, select Connectors.
Select the Identity & Data Providers tab.
Expand Acxiom Real ID Transcoding.
In the Application Database field, enter the name of the application database that was installed by the Acxiom native app.
In the Client ID field, enter the client ID provided by Acxiom when you installed the native app.
In the Client Secret field, enter the client secret provided by Acxiom when you installed the native app.
In the Warehouse drop-down list, select the warehouse size. We recommend
DCR_WH_Medium, but you can read Acxiom’s guidance on warehouse size and performance. For more information about creating a warehouse for use with Snowflake Data Clean Rooms, see Add warehouse options.In the Acxiom Collaborator section, select one or more collaborators along with the client ID and client secret that was generated for them when they installed the Acxiom Real ID Transcoding native app. If your collaborator does not appear in the list, you must add them to the clean room environment.
Select Save.
LiveRamp Retrieval API connector¶
The LiveRamp Retrieval API translates personally identifiable information (PII) into a durable, pseudonymous RampID.
Before completing the following procedure, you must contact Snowflake Support to create the configuration table that is required for this connector.
To configure the connector so that your clean environment is integrated with the LiveRamp Retrieval API:
In the left navigation, select Connectors.
Select the Identity & Data Providers tab.
Expand LiveRamp Retrieval API.
In the Configuration Table field, enter the fully qualified name of the configuration table that you created with the assistance of Support.
Select Save.
LiveRamp Transcoding API connector¶
LiveRamp Transcoding API translates your RampID into another collaborator’s RampID space.
Before completing the following procedure, you must contact Snowflake Support to create the configuration table that is required for this connector.
To configure the connector so that your clean environment is integrated with the LiveRamp Transcoding API:
In the left navigation, select Connectors.
Select the Identity & Data Providers tab.
Expand LiveRamp Transcoding API.
In the Configuration Table field, enter the fully qualified name of the configuration table that you created with the assistance of Support.
Under RampID Collaborators, enter the following:
In the Snowflake Account Locator field, enter the account locator of your collaborator’s Snowflake account.
In the Target Domain field, enter LiveRamp’s target domain for your collaborator’s RampID space.
Select Save.
Merkury Identity connector¶
The Merkury Identity Connector enables the translation of select personally identifiable information (PII) into a pseudonymized Merkury ID.
For additional help, contact rekey@merkle.com
Step 1: Install the Merkury Identity Connector native app¶
Install the Merkury Identity Connector native app. You must contact Merkury for help installing the native application.
Grant privileges to the SAMOOHA_APP_ROLE role:
Sign in to Snowsight.
Assume the role that has ownership rights to the Merkury native app. For example, if the ACCOUNTADMIN role is the owner of the Merkury native app, execute
USE ROLE ACCOUNTADMIN;Execute the following command to grant Snowflake Data Clean Rooms access to the Merkury
DCR_DB_ROLEapplication role:
GRANT APPLICATION ROLE <merkury_app_database>.DCR_DB_ROLE TO ROLE samooha_app_role;
Step 2: Configure the Merkury Identity Connector native app¶
In the left navigation, select Connectors.
Select the Identity & Data Providers tab.
Expand Merkury Identity Connector.
In the Application database field, enter the name of the application database that was installed by the Merkury Identity native app.
Authenticate yourself.
TransUnion TruAudience Identity connector¶
TransUnion TruAudience Identity provides consumer data hygiene, enrichment, and matching solutions using online and offline identifiers.
This section describes how to configure the connector for TransUnion TruAudience Identity. If you are a clean room user who wants to use TransUnion TruAudience Identity during the creation or installation process, see Identity Hub: TransUnion TruAudience Identity.
After you configure the connector, Snowflake maintains a cache that maps TransUnion collaborator IDs to values that uniquely identify records in the source table. As an administrator, you can manage this cache, for example, by deleting specific records from the cache. For more information, see Cache for TransUnion TruAudience Identity.
Prerequisites¶
The following must be completed before configuring the TransUnion TruAudience Identity connector in the clean room environment:
- Step 1: Install the TransUnion native app
Use the Snowflake Marketplace to install the native app for TransUnion TruAudience Identity.
- Step 2: Grant privileges to the clean rooms native app
After the TransUnion native app has been installed, but before a clean room administrator configures the connector, the owner of the TransUnion native app must follow these steps:
Sign in to Snowsight.
Assume a role that has ownership rights to the TransUnion native app. For example, if the
tu_admin_rolerole is the owner of the TransUnion native app, execute:USE ROLE tu_admin_role;
Grant Snowflake Data Clean Rooms access to the TransUnion application role and the TransUnion table installed in step 1:
GRANT APPLICATION ROLE <transunion_app_database>.tru_app_public TO ROLE SAMOOHA_APP_ROLE; GRANT SELECT, INSERT ON TABLE SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.PUBLIC.SAMOOHA_INTERNAL_TRANSUNION_ID_GENERATION_RECORDS TO ROLE SAMOOHA_APP_ROLE;
- Step 3: Ensure the required stored procedure exists
The TransUnion connector relies on a stored procedure, which might not exist in some clean room environments. To ensure that the stored procedure exists, execute the following command as a user with the ACCOUNTADMIN role:
USE ROLE ACCOUNTADMIN; DESCRIBE PROCEDURE SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.PUBLIC.GRANT_EXTERNAL_APP_ROLE;
If you receive an error that the procedure does not exist, you must use the following commands to define the procedure:
USE ROLE ACCOUNTADMIN; CREATE OR REPLACE PROCEDURE SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.PUBLIC.GRANT_EXTERNAL_APP_ROLE(APP_ROLE string, APPLICATION string) RETURNS string LANGUAGE SQL EXECUTE AS OWNER AS $$ GRANT APPLICATION ROLE IDENTIFIER(:APP_ROLE) TO APPLICATION IDENTIFIER(:APPLICATION); $$; GRANT USAGE ON PROCEDURE SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.PUBLIC.GRANT_EXTERNAL_APP_ROLE(string, string) TO ROLE SAMOOHA_APP_ROLE;
Configure connector¶
To configure the TransUnion TruAudience Identity connector:
In the left navigation, select Connectors.
Select the Identity & Data Providers tab.
Expand TransUnion - TruAudience Identity.
In the Application Database field, enter the name of the application database that was installed by the TransUnion native app
In the Collaboration Key field, enter the collaboration key received from TransUnion for authorization.
Select a warehouse that is used when clean room users integrate a table with TransUnion TruAudience Identity.
If you want to complete the process of matching identities within an hour, use the following guidelines to help select the right warehouse size:
Number of rows
Warehouse size
< 100k
Large
1 million
XLarge
5-10 million with addresses
3X-Large
> 10 million
3X-Large
Select Authenticate.