Snowflake Data Clean Rooms: Administrator tasks

This topic describes the tasks for the administrator of a Snowflake Data Clean Room. For information about installing the clean room environment in your Snowflake account, see Installing the Snowflake Data Clean Rooms environment.

Updating the clean rooms environment

Snowflake Data Clean Rooms updates its binaries weekly to support new features, procedures, and UI updates. You can find release notes for significant new releases in the feature updates section of the Snowflake release notes page (search for “clean rooms”).

Clean rooms UI updates

The clean rooms UI environment is updated automatically by Snowflake; all users need to do to get the updated version is sign out and sign back in to the clean rooms UI.

Clean rooms API updates

A clean rooms administrator can either enable automatic API updates (recommended) or update the API environment manually for each new release, as described next.

Automatic API updates

A clean rooms API administrator can enable clean rooms updates to be installed automatically upon release by running the following SQL commands once in their account:

USE ROLE SAMOOHA_APP_ROLE;
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.library.enable_local_db_auto_upgrades();

Clean rooms API users in that account will see the updates shortly when they are rolled out, without needing to log out.

Manual API updates

We recommend enabling automatic clean room updates for your account. But if you prefer to update your account’s API environment manually, you can do so by running the following SQL commands each time you want to update the environment:

USE ROLE SAMOOHA_APP_ROLE;
CALL SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.library.apply_patch();

You can find your release number by running the following SQL command:

SELECT * FROM SAMOOHA_BY_SNOWFLAKE_LOCAL_DB.ADMIN.VERSION;

Using a different warehouse

Clean rooms come with several warehouses that can access the API. Choose the warehouse that is appropriate for your needs. You can also choose a custom warehouse size for specific actions, such as for provider activation.

However, your clean room can use any warehouse you choose, if you grant USAGE and OPERATE privileges on that warehouse to the SAMOOHA_APP_ROLE role.

For example, to add a warehouse my_big_warehouse that can be used to run analyses, execute the following commands from a worksheet:

USE ROLE ACCOUNTADMIN;

CREATE WAREHOUSE my_big_warehouse WITH WAREHOUSE_SIZE = X5LARGE;
GRANT USAGE, OPERATE ON WAREHOUSE my_big_warehouse TO ROLE SAMOOHA_APP_ROLE;

Monitoring clean rooms UI activity

An administrator can track what users are doing in the clean rooms UI by monitoring the query history in your Snowflake account.

To access the query history for your clean room environment, do one of the following, depending on whether you want to use SQL or Snowsight:

You can identify UI traffic as queries where the user_name is the name of the service user that was created when the Snowflake account was configured.

  1. Sign in to the Snowflake account associated with your clean room environment as a user with the ACCOUNTADMIN role.
  2. In the navigation menu, select Monitoring » Query History.
  3. Use the User filter to select the service account user associated with the clean room environment.
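
The SQL route mentioned above, as an added example that is not part of the original page: it lists the service user's recent statements and then rolls them up per day with failures counted separately. `<service_user_name>` and the seven-day window are assumptions; the columns are those of the standard ACCOUNT_USAGE.QUERY_HISTORY view.

```sql
-- Added example; <service_user_name> is a placeholder for the clean rooms
-- service user (user names are normally stored in upper case).
-- ACCOUNT_USAGE.QUERY_HISTORY can lag real time by up to about 45 minutes.
USE ROLE ACCOUNTADMIN;

-- Recent statements issued through the clean rooms UI, newest first.
SELECT start_time, query_id, role_name, warehouse_name, query_type,
       execution_status, error_message, query_text
  FROM snowflake.account_usage.query_history
  WHERE user_name = '<service_user_name>'
    AND start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  ORDER BY start_time DESC;

-- Daily roll-up by statement type, with failed statements counted separately
-- so that unusual volumes or error spikes stand out.
SELECT DATE_TRUNC('day', start_time) AS day,
       query_type,
       COUNT(*) AS statements,
       COUNT_IF(execution_status <> 'SUCCESS') AS failed
  FROM snowflake.account_usage.query_history
  WHERE user_name = '<service_user_name>'
    AND start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  GROUP BY 1, 2
  ORDER BY 1 DESC, statements DESC;
```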

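Monitoring provider-run analyses

A provider-run analysis is a procedure in which a provider creates and shares a clean room, and then runs an analysis in the clean room after the consumer links their data. These analyses run in the consumer's account, not in the provider's account. This section describes how a consumer can track the queries executed by provider-run analyses in a clean room.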

Snowflake Data Clean Rooms assigns a query tag to each query executed for a provider-run analysis. This query tag takes the form cleanroom_UUID_provider_account_locator. A consumer can retrieve all queries associated with provider-run analyses by searching for the query tag in the query history of their account.

To retrieve the query, first obtain the UUID for a clean room, then search for the query tag. In the following code, replace cleanroom_name and provider_account_locator with the appropriate values.

-- Retrieve clean room UUID
SELECT cleanroom_id FROM samooha_by_snowflake_local_db.public.cleanroom_record
  WHERE cleanroom_name = '<cleanroom_name>';

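-- Retrieve queries with provider-run query tag
-- (the subquery looks up the same cleanroom_id as the query above)
SELECT * FROM snowflake.account_usage.query_history
  WHERE query_tag = (
      SELECT cleanroom_id FROM samooha_by_snowflake_local_db.public.cleanroom_record
        WHERE cleanroom_name = '<cleanroom_name>'
    ) || '<provider_account_locator>';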

You can also use Snowsight to filter the query history by the appropriate query tag after using SQL to retrieve the clean room UUID.

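Customizing available connectors

You can use connectors to integrate your clean room environment with ecosystem partners. As the clean room administrator for a provider, you can customize your clean room environment to restrict which connectors appear as options for clean room users. For example, if you have a preferred activation partner, you can configure the clean room environment so that this partner is the only choice when consumers activate analysis results in a clean room.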

Note

Your customizations apply only to new clean rooms.

To control which connectors are available in clean rooms, you need the MANAGE_DCR_CONNECTORS role.

  1. Sign in to the clean rooms UI.

  2. In the left navigation, select Admin » Profile & Features.

  3. Optional: To customize activation connectors, do the following:

    1. On the Activation tile, select Edit.
    2. Select which activation options you want to display, and then select Save.
  4. Optional: To customize identity and data provider connectors, do the following:

    1. On the Identity & Data Provider tile, select Edit.
    2. Select which identity options you want to display, and then select Save.

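Branding your clean rooms

You can configure a profile for your clean room environment so that every clean room that is created carries your logo and company name. To define the logo and name for your company, you need the MANAGE_DCR_PROFILE_AND_FEATURES role.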

  1. Sign in to the clean rooms UI.
  2. In the left navigation, select Admin » Profile & Features.
  3. In the Company profile section, do the following:
    1. Upload your company's logo in JPG or PNG format. This logo appears on every clean room that is created.
    2. Edit the Company Name to define the name that you want to appear on the clean rooms that are created in your environment.

Enabling single sign-on (SSO)

To enable single sign-on (SSO) with Snowflake Authentication, contact Snowflake Support. An account must use Snowflake authentication to enable SSO; if you aren’t using it yet, migrate to Snowflake authentication before requesting SSO.

Allowing key-pair authentication

The service account user that the clean room environment uses to communicate with your Snowflake account uses key-pair authentication to authenticate. If your Snowflake account uses authentication policies to control how users authenticate, then the authentication policy controlling the service account user must allow key-pair authentication.

To allow key-pair authentication, either remove all authentication policies, or add an authentication policy with AUTHENTICATION_METHODS = ALL or AUTHENTICATION_METHODS = KEYPAIR. If your Snowflake account has an account-level authentication policy that does not allow key-pair authentication, you need to create a new authentication policy with the appropriate parameter, then assign the policy to the service account user that was created during the installation process.

You can check your authentication policies by running the following command:

SHOW AUTHENTICATION POLICIES;

An empty results table indicates that there are no policies, which means that key-pair authentication is allowed.
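
One way to carry out the policy change described above when an account-level policy blocks key-pair authentication, as an added example that is not part of the original page. The database and schema `my_policy_db.policies`, the policy name `dcr_service_user_keypair`, and the `<service_user_name>` placeholder are assumptions.

```sql
-- Added example. my_policy_db.policies and dcr_service_user_keypair are
-- hypothetical names; <service_user_name> is a placeholder.
USE ROLE ACCOUNTADMIN;

-- 1. See which policies exist and which one, if any, is set on the service user.
SHOW AUTHENTICATION POLICIES;
SHOW AUTHENTICATION POLICIES ON USER <service_user_name>;

-- 2. Create a policy that allows key-pair authentication and nothing else,
--    so the service user is not opened up to password or SSO logins.
CREATE AUTHENTICATION POLICY IF NOT EXISTS my_policy_db.policies.dcr_service_user_keypair
  AUTHENTICATION_METHODS = ('KEYPAIR')
  COMMENT = 'Clean rooms service user: key-pair authentication only';

-- 3. Attach the policy to the service user. A user-level policy takes
--    precedence over the account-level policy for that user. If the user
--    already has a policy, run ALTER USER ... UNSET AUTHENTICATION POLICY first.
ALTER USER <service_user_name>
  SET AUTHENTICATION POLICY my_policy_db.policies.dcr_service_user_keypair;

-- 4. Confirm the policy contents and the assignment.
DESCRIBE AUTHENTICATION POLICY my_policy_db.policies.dcr_service_user_keypair;
SHOW AUTHENTICATION POLICIES ON USER <service_user_name>;
```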

Manage the service user

The clean rooms UI uses a service user account as an intermediary to perform most clean room actions. You can modify the key or switch the clean rooms service user after it has been created or added to your account using the clean rooms UI as described in this section.

You can find information about the service user under Snowflake Admin » Snowflake » Service User Management.

Important

Change the clean rooms service user only using the clean rooms UI. If you modify the service user outside of the UI, clean rooms might no longer be able to access the service user.

Change the service user

If you want to change the service user name or use a new service user (essentially the same thing):

  1. Open Snowflake Admin » Service User Management and select the Edit icon.
  2. Change the name of the service user to a user that you have created and that is accessible in the current account.
  3. Select Reauthenticate to open a confirmation dialog.
  4. Read the information in the dialog, then select Confirm to start using that agent.

Change the service user key

If you want to change your service user RSA key, you should do so as described next. If you change the key outside of the clean room environment, you will no longer be able to use most UI functionality until you change the service user key back as described next.

  1. Open Snowflake Admin » Service User Management and select the Edit icon.
  2. Select Reauthenticate near the manual setup section to open a confirmation dialog.
  3. Read the information in the dialog, then select Confirm to generate a new RSA key.

You can see information about the service agent’s public key by running the following SQL command, substituting in your service user’s name where indicated:

DESCRIBE USER <service_user_name> ->>
  SELECT *
    FROM $1
      WHERE "property" ILIKE 'RSA_PUBLIC_KEY%';

Clean rooms doesn’t support key rotation using RSA_PUBLIC_KEY_2, so ignore the information about RSA_PUBLIC_KEY_2.

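Enabling or disabling activation in the clean rooms UI

Activation when using the clean rooms UI is controlled globally by the clean room administrator. Activation in the clean rooms API is controlled by the provider at the clean room level.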

This section shows how to enable or disable activation when using the clean room UI. To learn how to enable activation when using the API, read the activation instructions.

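When using the clean rooms UI, provider and consumer activation are enabled by default in your clean rooms account. Third-party activation must be enabled manually.

Here is how to enable or disable activation for UI users in your account: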

  1. Sign in to the clean room environment in the clean rooms UI as a DCR administrator.
  2. Select Admin » Profile & Features.
  3. In the Activation section, select Edit.
    • To manage consumer activation: Check or clear the checkbox next to Collaborator Account.
    • To manage provider activation: Check or clear the checkbox next to your own account name.
    • To manage third-party activation: Check or clear the checkbox next to the third-party activation target you wish to enable or disable. Third-party activation is enabled through connectors, and is available only in the clean room UI. See the list of available third party connectors.

Learn how to implement activation in a clean room.

Configuring network policies

If your Snowflake account uses a network policy to control network traffic, you must explicitly allow traffic from the IP addresses that the clean rooms UI uses to communicate with your Snowflake account.

Find the IP addresses used for your region in the IP network addresses used by clean rooms UI column in the IP address table.
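
A sketch of the allow-listing step using a network rule, as an added example that is not part of the original page. The rule name, `my_policy_db.policies`, and `<network_policy_name>` are assumptions, and the addresses are placeholders from the 192.0.2.0/24 documentation range; use the values from the IP address table for your region.

```sql
-- Added example. Names are hypothetical; the IP addresses below are
-- documentation-range placeholders, not real clean rooms UI addresses.
USE ROLE ACCOUNTADMIN;

-- Keep the clean rooms UI addresses in their own ingress rule so they can be
-- reviewed and updated separately from the rest of the allow list.
CREATE NETWORK RULE IF NOT EXISTS my_policy_db.policies.dcr_ui_ingress
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('192.0.2.10/32', '192.0.2.11/32')
  COMMENT = 'Clean rooms UI source addresses for this region';

-- Add the rule to the network policy that already governs the account
-- (or the service user), leaving its existing rules in place.
ALTER NETWORK POLICY <network_policy_name>
  ADD ALLOWED_NETWORK_RULE_LIST = ('my_policy_db.policies.dcr_ui_ingress');

-- Confirm what the policy now allows.
DESCRIBE NETWORK POLICY <network_policy_name>;
```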

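Viewing details about the service account for this environment

The clean rooms UI uses a service account to communicate with Snowflake. This service account was created by the account administrator when installing the clean room environment for this account.

You cannot modify details about the service account user.

To view details about the service account for this clean room environment, you need the MANAGE_DCR_PROFILE_AND_FEATURES role.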

  1. Navigate to Admin > Snowflake Admin.
  2. On the Snowflake Admin page you can see information such as the service user name and service user email.