Native Data Clean Rooms¶
Snowflake Native Data Clean Rooms are designed for business arrangements where parties want to collaborate on sensitive or proprietary data without giving full access to the data. They provide a privacy-preserving environment for implementing a data collaboration agreement (data contract) between business users. Unlike Secure Data Sharing, where shared data can be used without restriction, clean rooms allow parties to collaborate while giving data providers additional controls that help protect their sensitive information.
Note
You can build your own clean room using the data clean room framework instead of using a Native Data Clean Room. However, building your own clean room requires additional technical expertise and does not have a web interface.
With a build-your-own clean room, you can specify exactly what data can be retrieved by a consumer (pre-defined access), which might be required if clean room participants are untrusted or semi-trusted.
For an example of how to build your own clean room using the data clean room framework, see the Build a Data Clean Room in Snowflake quickstart.
Introduction to Native Data Clean Rooms¶
Snowflake Native Data Clean Rooms allow data providers to securely share data while maintaining control of that data. By using a clean room, the data provider can regulate how a clean room participant can interact with the shared data. For example, when users query data in a clean room, they must formulate their queries to meet the requirements of the clean room, as defined by the data provider.
The restrictions imposed by a clean room are not so restrictive that it eliminates the usefulness of the shared data. The other party can join and enrich the shared data with their own data as long as it does not violate the clean room constraints.
Advantages of a clean room include:
Securely sharing data without having to copy or move data.
Sharing data while maintaining control of how others use it.
Providing flexibility that allows each party to customize how they want to filter, combine, and aggregate clean room data, within the constraints set by the data owner.
Providing the same clean room to multiple partners using private listings and the Snowflake Marketplace.
Clean room participants and workflow¶
Clean rooms use the concept of a provider and consumer, similar to other Snowflake features like Secure Data Sharing and the Native Apps Framework. The data owner is a provider who uses a clean room to safely share data and logic. This provider publishes the clean room as a listing so the consumer can install and use the clean room in their own account.
The following summarizes the tasks the provider and consumer complete as they collaborate with a clean room.
Provider:
Creates policies (outside of the clean room) that can be used by the clean room to control what the consumer can do with the data.
Creates the clean room, sharing the data objects (tables and views) and application logic (stored procedures and user-defined functions) that will be available to consumers in the clean room.
Assigns existing policies to the shared tables and views.
Tests the clean room in their own account to make sure it is ready to distribute to consumers.
Releases the clean room so it can be scanned for security and packaged for distribution.
Publishes the clean room so consumers can install it in their own accounts.
Consumer:
Installs the clean room from a private listing or from the Snowflake Marketplace, depending on how the provider published it.
Executes queries against the shared data, including joining and enriching it with their own data. Can also run stored procedures and functions provided by the clean room.
The consumer can install multiple clean rooms (from one or more providers), which allows a query in the consumer’s account to work with data from multiple parties, including the consumer’s own data, within a privacy-preserving environment. However, the consumer cannot install a clean room more than once from the same listing.
Control of your data¶
Clean rooms restrict what a consumer can do with the data you are sharing. The ability to place restrictions on shared data comes from assigning policies to a table or view.
About policies¶
Policies are assigned to tables and views. When you use a clean room to share data, you can use policies to maintain control of what can be done with the data. For example, policies can force a consumer to form their queries in a particular way or hide individual records from query results.
The following policies can be assigned to tables and views in a clean room:
Aggregation policy - Requires consumers to aggregate results rather than return individual records.
Projection policy - Prevents consumers from returning (projecting) values from a particular column of a table, while allowing them to filter on that column.
Row access policy - Prevents consumers from accessing specific records returned by a query. Requires Enterprise Edition or higher.
Note
Because a clean room is built on the Snowflake Native App Framework, the body of a policy that is used within a clean room must conform to the same restrictions as the setup script of a Snowflake Native App, including the use of context functions. For a list of these restrictions, see Restrictions on the setup script and Limitations when calling context functions from the setup script.
There are two categories of policies in a clean room:
- App-level policy:
Policy that is applied to a data object (table or view) within the clean room, which limits its scope to the clean room. An app-level policy restricts data in the clean room without affecting access to the table or view in the provider’s account or a consumer outside of the clean room (if the same table or view is shared using secure data sharing or a different clean room).
- Object-level policy:
Policy that is applied to a data object outside of the clean room. A provider can assign a policy to a table or view independent of creating a clean room. As a result, the user creating a clean room might include a table or view that is already constrained by a policy. Within a clean room, these are known as object-level policies.
Object-level policies cannot be removed from a data object from within the clean room. As a result, access to tables and views in the clean room cannot be more permissive than access to them in the provider’s account. The object-level policy can be removed from a table or view using SQL in the provider account, which affects both the provider account and the clean room.
A clean room can include both categories for a particular type of policy. For example, a table in a clean room could be constrained by both an app-level aggregation policy and an object-level aggregation policy. When a data object has an object-level policy and an app-level policy of the same type, queries against the object must meet the requirements of the more restrictive policy.
Changes to objects outside of a clean room¶
The data, policies, and logic included in a clean room continue to exist outside of the clean room, and can continue to change. How the clean room handles these changes depends on the item being modified.
- Data Objects:
A clean room is updated automatically with changes to tables and views. For example, if new data is added to a table outside of the clean room it is automatically available to the clean room consumer. Similarly, if a column is added or removed from a table outside of the clean room, the consumer experiences the change automatically. As a result, removing a column from a table in the provider account could break a consumer’s queries in the clean room.
If a policy is assigned or detached from a table or view in the provider account, the restrictions of the clean room change accordingly.
- Policies:
A clean room is updated automatically when someone changes a policy outside of the clean room. As a result, if someone in the provider account modifies a policy, including an app-level policy, the constraints of the clean room change instantly without automatic notification to the consumer.
- Application Logic:
For application logic like stored procedures and user-defined functions, the clean room contains a copy of the logic that exists in the provider account. As a result, the clean room must be manually updated if the provider modifies the logic and wants to include the new version in the clean room.
Built using the Native Apps Framework¶
A Snowflake Native Data Clean Room is a specialized app created with the Native App Framework. While this implementation detail is mostly transparent, it explains, for example, why the clean room is identified as an application package in Provider Studio and is installed as an app.
Because a clean room is an app, a user who is familiar with the Native Apps Framework could use SQL instead of Snowsight to work with the clean room. For example, the consumer could use SHOW APPLICATIONS to view the installed clean room.
Important
While it is safe to use SQL to view the clean room app, using SQL to make changes is discouraged as it can have unintended consequences for those using Snowsight to work with the clean room.
Considerations and Limitations¶
Keep the following considerations and limitations in mind when using Snowflake Native Data Clean Rooms.
Considerations¶
A clean room allows a provider to configure how their data is used, but it is their responsibility to understand what data is being shared, and to configure and test a clean room before inviting others to use it.
A clean room allows a provider to share non-secure objects, which can unintentionally leak data. For examples of how a non-secure view can leak data, see Working with Secure Views.
Limitations¶
Consumers of the clean room must be in the same region as the data provider.
Clean rooms cannot contain row access policies that use mapping tables.
You cannot use SQL instead of Snowsight to create a clean room.
You cannot include data objects (tables and views) or application logic (stored procedures and functions) from more than one database. If you change databases when modifying the clean room, the original objects will be replaced with the objects from the new database.
Clean rooms cannot contain data objects and application logic with names that include special characters.
The schema name cannot contain more than 248 characters.
Clean rooms inherit the limitations of the Snowflake Native App Framework. Not all of the limitations are relevant to creating, sharing, and using clean rooms, but details like available regions and naming conventions are useful to know. For details, see:
General limitations: Known limitations
Limitations on policies and application logic in a clean room: Restrictions on the setup script and Limitations When Calling Context Functions from the Setup Script.
Limitations on data objects in a clean room: Database Objects That Can Be Shared with an Application Package
Manage a clean room as a provider¶
This section describes how a provider can update and delete a clean room.
Important
A provider is responsible for notifying consumers when a clean room changes. The consumer is not automatically notified if the provider modifies application logic or a policy, which can significantly alter the constraints and functionality of the clean room.
Changes to data and policies in the provider account (outside the clean room) can have an effect on the consumer’s experience even though the provider has not altered the clean room itself. For more details, see Changes to objects outside of a clean room
Update a clean room¶
To open an existing clean room, use the navigation menu to select Projects » App Packages, then select Packages.
Once opened, you can make the following changes to the clean room:
Task |
Action |
---|---|
Add/remove data objects and application logic |
|
Update existing application logic |
|
Add/remove an app-level policy |
The consumer experiences the change automatically after a short waiting period. |
Update an app-level policy |
Update the policy in the provider account. The consumer experiences the change automatically after a short waiting period. |
Update the name of the clean room as it appears in the Readme file |
Select Manage » Edit Display Name. |
Work with drafts¶
When you modify the data objects and application logic of a released or published clean room, a draft version of the clean room is created. The changes appear under Draft Changes. Note that changes to policies are applied immediately, and do not create a draft version of the clean room.
To accept the changes in the draft version and update the clean room:
After making changes, wait for the security scan to complete. You can select the Refresh button to check whether the scan is done.
Select Test Locally » Draft Version to test the draft version of the clean room.
Select Release Updates to update the clean room.
If the updated clean room was previously published and installed, the consumer experiences the changes automatically after a short waiting period.
Delete a clean room¶
Deleting a clean room removes its application package from the provider account. It also removes the clean room from consumer accounts.
To delete a clean room:
Sign in to Snowsight.
In the left navigation bar, select Projects » App Packages.
Select the name of the clean room.
If the clean room has already been published, you must unpublish and delete the listing associated with the clean room:
Select the Associated Listings tab, then select the name of the listing you need to delete.
In the top-right corner, select Live » Unpublish.
Select Delete.
If you used Provider Studio to delete a listing, return to the clean room by selecting its name from Projects » App Packages.
In the upper toolbar, select … (More), and then select Drop.
Use a clean room as a consumer¶
Once the provider has published the clean room as a listing, the consumer can install it in their own account.
The process of installing the clean room varies depending on whether the providers shared it as a private listing or published it on the Snowflake Marketplace.
- Prerequisite:
The clean room consumer must be registered as a Snowflake Consumer before installing the clean room.
Install a clean room from a Snowflake Marketplace listing¶
To install a clean room from a Snowflake Marketplace listing:
Sign in to Snowsight.
In the navigation menu, select Data Products » Marketplace.
Search or browse to the listing you want to access.
Select the listing.
Select Get to access the listing.
Select the warehouse that you want to use to install the application.
Select Get.
Select Open to view the Readme file of the clean room. From there, you can start using the clean room.
Execute queries in the clean room¶
To start using an installed clean room:
Sign in to Snowsight.
In the navigation menu, select Data Products » Apps.
Select the clean room, which opens the Readme file.
From the upper toolbar, select Open in worksheet, then run queries against the data objects and execute stored procedures and functions.
With the worksheet open, you can use the left navigation to review the data objects and application logic that has been shared in the clean room. The name of the clean room’s app is based on the name of the clean room that appears in the Readme file.
Tip
For help writing a query that meets the requirements of an aggregation policy in the clean room, see Query Requirements.