使用隐私预算

This topic describes how to manage privacy budgets in a privacy policy. For an introduction to privacy budgets and how they help prevent queries from revealing sensitive information about an entity, see Limiting privacy loss.

A privacy budget is created automatically when you define a privacy budget name in the body of the privacy policy. You don’t create a privacy budget independent of a privacy policy.

当查询会导致累积隐私损失超过隐私预算限制时，查询将失败，直到隐私预算刷新。

要管理隐私预算，您需要拥有指定隐私预算的隐私策略的 OWNERSHIP 权限。

查看隐私预算

Each privacy budget is namespaced to a privacy policy. There can be multiple privacy budgets with the same name, but each is unique to a privacy policy. Within a privacy policy, a privacy budget is further namespaced to the consumer account incurring privacy loss. As a result, multiple accounts can have a privacy budget with the same name and limit on privacy loss, but Snowflake calculates the cumulative privacy loss for each account separately.

隐私预算名称在隐私政策中必须是唯一的。多个账户可以拥有名称相同的隐私预算，且 Snowflake 会分别统计每个账户的累计隐私损失。

View a privacy budget to see its limit on privacy loss as well as the cumulative privacy loss incurred by users associated with the budget. You can use this information to determine whether the cumulative privacy loss is approaching the privacy budget’s limit. See what properties exist in a privacy budget object.

Note

与隐私预算相关的累计隐私损失不包括数据提供商账户以外的账户所产生的隐私损失。

You have the following two options for viewing privacy budgets. For both options, a privacy budget appears only if analysts associated with the privacy budget have incurred privacy loss or if an administrator has reset the privacy budget.

To query all privacy budgets in the account, use the PRIVACY_BUDGETS view in the Account Usage schema. The PRIVACY_BUDGETS view in the ACCOUNT USAGE schema contains all privacy budgets in the account. You can use it to view privacy budgets associated with all of the privacy policies that you own, and can filter results to focus on specific privacy budgets by name. For example, to focus on a specific privacy budget associated with the patients_policy privacy policy, you might execute the following query:
```
SELECT * FROM snowflake.account_usage.privacy_budgets
  WHERE policy_name='patients_policy' AND budget_name='analyst_budget';
```
To view the privacy budgets associated with a particular privacy policy, use the CUMULATIVE_PRIVACY_LOSSES table function. You can use the CUMULATIVE_PRIVACY_LOSSES table function to retrieve privacy budgets associated with a particular privacy policy. Unlike the PRIVACY_BUDGETS view in the ACCOUNT USAGE schema, this function does not have a fixed amount of latency and will return the real-time values for the cumulative privacy losses. When calling the function, the name of the privacy policy must be fully qualified.

For example, to view the privacy budgets that are specified in the my_policy_privacy policy, execute the following:
```
SELECT *
  FROM TABLE(SNOWFLAKE.DATA_PRIVACY.CUMULATIVE_PRIVACY_LOSSES(
 'my_policy_db.my_policy_schema.my_policy_privacy'));
```

为隐私预算设置隐私设置

Snowflake 允许调整隐私预算对隐私损失的限制，以及每个汇总花费的最大隐私预算支出（统称为差分隐私中的 epsilon）。要设置这些控制措施，您可在隐私策略正文中指定以下参数：

BUDGET_LIMIT — Sets the privacy budget’s limit on cumulative privacy loss.
MAX_BUDGET_PER_AGGREGATE – Sets the maximum amount of the privacy budget spend per aggregate (that is, the maximum privacy loss incurred by each aggregate function in a query).

For example, to use the ALTER PRIVACY POLICY command to adjust the privacy controls of an existing privacy budget, you might execute:

ALTER PRIVACY POLICY users_policy SET BODY ->
  PRIVACY_BUDGET(BUDGET_NAME=>'analysts',
  BUDGET_LIMIT=>300,
  MAX_BUDGET_PER_AGGREGATE=>0.1);

You can also define these controls when executing the CREATE PRIVACY POLICY command to create the privacy policy.

Caution

When changing the BUDGET_LIMIT, MAX_BUDGET_PER_AGGREGATE, or BUDGET_WINDOW parameter, any parameter not specified in your ALTER PRIVACY POLICY command reverts back to its default value. So in the previous example, the BUDGET_WINDOW parameter, which determines how often Snowflake resets the privacy budget, will revert to its default value.

For more information about setting privacy controls, see Adjust privacy controls.

隐私预算刷新

关于刷新时间段

Snowflake 会定期将隐私预算的累计隐私损失重置为 0，以便分析师运行一组新的查询。这一刷新时间段被称为预算窗口。通过这种自动刷新功能，分析师即可在有新数据添加到表中时访问这些数据。从理论上来说，分析师尚未得知关于这些新数据的任何信息，因此让他们运行更多查询是合适的。

默认预算窗口为每周一次。

修改刷新时间段

To modify the privacy budget refresh period, update the budget_window value of the privacy policy’s privacy_budget. For example:

ALTER PRIVACY POLICY users_policy SET BODY ->
  PRIVACY_BUDGET(BUDGET_NAME=>'analysts', BUDGET_WINDOW=>'daily');

Caution

When changing the BUDGET_LIMIT, MAX_BUDGET_PER_AGGREGATE, or BUDGET_WINDOW parameter, any parameter not specified in your ALTER PRIVACY POLICY command reverts back to its default value. So in the previous example, BUDGET_LIMIT and MAX_BUDGET_PER_AGGREGATE will revert to default values.

重置累计隐私损失

As analysts execute queries on data protected by a policy, Snowflake tallies the cumulative privacy loss of those queries. You can call the RESET_PRIVACY_BUDGET stored procedure to reset the cumulative privacy loss to 0, letting the analysts execute additional queries.

The RESET_PRIVACY_BUDGET stored procedure is intended to reset the budget when analysts inadvertently incur privacy loss and want to start over. Remember that the privacy loss is automatically set to 0 when the privacy budget is refreshed.

只有与指定账户中分析师关联的累计隐私损失才会重置为 0，即使隐私预算与多个账户中的分析师关联也是如此。

Note

调用 RESET_PRIVACY_BUDGET 时，累计隐私损失不会立即重置。它会在下一次查询导致隐私损失时重置。因此，如果在调用函数后、首次查询产生隐私损失前查看隐私预算，累计隐私损失不会是 0。

示例

Here’s an example of zeroing out the privacy usage count for all users executing queries in the companyorg.account_123 account:

CALL SNOWFLAKE.DATA_PRIVACY.RESET_PRIVACY_BUDGET(
  'my_policy_db.my_policy_schema.my_policy',
  'analyst_budget',
  'companyorg',
  'account_123');