Clean Room FAQs
See the sections below for answers to common LiveRamp Clean Room questions.
Permissions and Controls FAQs
See the FAQs below for common permissions questions.
How are permissions managed in LiveRamp Clean Room overall?
Permissions and controls in LiveRamp Clean Room operate across several layers that work together:
Organization roles:
Defined once for your LiveRamp Clean Room organization.
Bundle capabilities such as managing users, creating clean rooms, configuring data connections, and using Question Builder or Intelligence.
For more information, see “Managing LiveRamp Clean Room User Roles”.
Clean room–level roles:
Defined per clean room and assigned to users from the owner or partner organizations.
Decide who can manage users, datasets, questions, flows, and Intelligence in that specific collaboration.
For more information, see “Manage Clean Room Permissions and Controls” and “Manage Permissions Within a Clean Room”.
Question-level permissions:
Control whether partners can view SQL, edit or clone questions, run or schedule them, and see outputs.
For more information, see “Question Permissions and Overrides”.
Dataset and governance controls:
Data connections, dataset provisioning, and dataset analysis rules (join/projection/aggregate rules and input k‑min).
Clean room–level privacy controls such as crowd size (k‑min), time bounds, and privacy-enhancing technologies.
For more information, see “Understanding LiveRamp Clean Room Privacy and Governance Controls” and “Set Dataset Analysis Rules”.
Cloud IAM:
Underlying cloud permissions (for example, BigQuery, AWS) that constrain what LiveRamp can access at all.
For more information, see “Connect to Cloud-Based Data”.
A user’s effective access in a given collaboration is determined by all of these layers together.
How do organization-level roles differ from clean room–level roles?
Organization-level roles:
Created and managed from Clean Room Configuration → Clean Room Roles.
Combine permission sets such as:
Clean Rooms Administrator
Question Builder Administrator
Intelligence Admin
Data Import Jobs Administrator
Assigned when a user is added under Organization → Accounts → Clean Room Access.
Control what the user can do across all clean rooms they later join.
For more information, see “Managing LiveRamp Clean Room User Roles”.
Clean room–level roles:
Created and managed from within the clean room at Access → Partners & Users → Manage Roles (for owners) or Access → Users → Roles (for partners).
Combine clean room permissions such as:
Manage Clean Room Roles
Manage Datasets
View Reports
Question Builder
Intelligence Viewer / Intelligence Creator
Flow Builder, etc.
Assigned when you add users to that specific clean room.
Control what the user can do in that particular collaboration.
A user always acts through the role they are assigned in each clean room, constrained by their org-level role.
How do I see which roles I have today?
To check your own roles:
Click the user icon in the upper-right corner of the UI.
Select My Profile.
Review the following information:
Your organization-level role(s) (for example, "Account Admin", "Organization Admin", "Clean Room Admin").
Any clean room–specific roles you have for particular collaborations.
For more information, see “My Profile”.
How should I design clean room roles for common personas such as data scientists, analysts, marketers, and IT / data engineering?
You can start from the default org roles (for example, "Data Scientist", "Business Analyst", "Data Engineer / IT") and then design clean room–level roles that match how each persona should work inside a given collaboration:
"Analyst" or "Data Scientist" role:
Main capabilities include the following permissions:
Question Builder
Manage Datasets (if they should map datasets to questions)
Create & Delete Question Runs
Create or Modify and Delete Question Schedules
View Reports
Optionally Intelligence Creator (if they build dashboards).
Typically excludes the following permissions:
Manage Clean Room Roles
Partner Management (Owner Only)
"Business Analyst" or "Marketing" role:
Main capabilities include the following permissions:
View Reports
Intelligence Viewer or Intelligence Creator (depending on whether they author dashboards).
Typically excludes the following permissions:
Question Builder
Manage Datasets
Administrative permissions.
"Governance" / privacy role:
Main capabilities include the following permissions:
Manage Datasets
View Reports
Potentially access to question code via question permissions for oversight.
Often combined with org-level roles that grant Trust Center or cross-clean-room visibility.
"IT / Data Engineering" role:
Main capabilities include the following permissions:
Data-import and export admin permissions at the org level.
In clean rooms, Manage Datasets and possibly View Reports.
Typically excludes the following permissions:
Question Builder
Intelligence Creator (unless needed).
For more information on designing these types of roles, see “Managing LiveRamp Clean Room User Roles” and “Manage Clean Room Permissions and Controls”.
How do I give partners view‑only access to question outputs without exposing SQL?
Configure question- and role-level controls together:
At the question level (or clean room defaults):
Enable "View Reports and Output" for the partner organization.
Keep "View Query/Code", "Edit and Delete Question", and "Clone Question" turned off.
For more information, see “Question Permissions and Overrides”.
At the clean room role level, create a partner role that includes the following permissions:
Includes "View Reports" (and optionally "Intelligence Viewer").
Excludes "Question Builder", "Flow Builder", and owner-only permissions.
This lets partners see approved results for specific questions without seeing or editing the underlying SQL.
How do I allow partners to run and schedule questions, but not edit or clone them?
Use execution-only permissions:
At the question level:
Enable the following permissions:
Set up and Schedule Runs
View Reports and Output
Disable the following permissions::
View Query/Code
Edit and Delete Question
Clone Question
At the clean room role level:
For the partner’s role, include the following permissions::
Create & Delete Question Runs
Create or Modify and Delete Question Schedules
View Reports
Exclude "Question Builder" and admin permissions.
Partners can then manage run cadence and see outputs while the logic remains owned and controlled by you.
How do I create a “view‑only” clean room role for internal users or partners?
Create a role that is restricted to viewing:
Main capabilities include the following permissions:
View Reports
Intelligence Viewer (if they should see dashboards)
View-only Flows (if Flows are enabled and you want them to monitor runs)
Explicitly exclude the following permissions:
Manage Clean Room Roles
Partner Management (Owner Only)
Manage Datasets
Question Builder
Intelligence Creator
Flow Builder
Create & Delete Question Runs
Create or Modify and Delete Question Schedules
Assign this role from within the clean room at Access → Partners & Users → Add Users (for owner) or Access → Users → Add Users (for partner). For more information, see “Manage Clean Room Permissions and Controls”.
How do dataset provisioning controls (datasets, fields, row filters, and “partners can assign”) interact with permissions and roles?
Dataset provisioning is your main data minimization control for each collaboration:
When you provision a dataset to a clean room, you decide:
Which datasets are exposed.
Which columns are queryable.
Which rows are included (via row-level filters).
Whether partners can assign this dataset to questions.
Permissions then operate on that scoped data:
Clean room roles and question permissions can only use the datasets, columns, and rows that have been provisioned.
Even a user with powerful roles cannot access data that was never provisioned.
For more information, see “Provision a Dataset to a Clean Room" and "Understanding LiveRamp Clean Room Privacy and Governance Controls".
Where do I control which columns can be used for joins, which can be projected in results, and which require input k‑min thresholds?
Use dataset analysis rules at the dataset level in a clean room:
From within the clean room, select Datasets → Analysis Rules (gear icon).
Configure:
Which columns can be used in joins.
Which columns can be projected (returned in results).
Which aggregation functions (COUNT, SUM, AVG, etc.) are allowed per column.
Where input k‑min (aggregation thresholds) apply for specific identifier fields.
These rules enforce safe usage of each dataset, regardless of who writes the queries. For more information, see “Set Dataset Analysis Rules”.
How can I ensure partners cannot query or export very small, highly sensitive fields?
Combine several controls:
Block projection of PII-labeled fields in analytics questions.
Restrict which columns can be joined and aggregated.
Require input k‑min for sensitive identifiers, so intermediate results must meet a minimum audience size.
Clean room–level crowd size (output k‑min):
Set a minimum audience size (for example, 100) so result rows under that threshold are suppressed.
Configured as part of clean room parameters.
For more information, see "Privacy-Preserving Techniques and Clean Room Results".
Dataset provisioning:
Filter out unneeded or especially sensitive fields when provisioning the dataset to the clean room.
Together, these make it technically difficult to return or act on overly granular cohorts.
What is crowd size (k‑min), where do I configure it, and how does it affect which results users see?
Crowd size / k‑min is a minimum audience size that rows in result sets must meet in order to be shown. Typical values are 50–100+ users, depending on policy.
When you create or edit a clean room, in the Parameters and Permissions or equivalent privacy section, set the Crowd Size / k‑min value.
Any row that does not meet the threshold is suppressed.
This applies to user metrics flagged for k‑min enforcement in questions.
For more information, see "Understanding LiveRamp Clean Room Privacy and Governance Controls" and "Privacy-Preserving Techniques and Clean Room Results".
How should I choose crowd size and, when available, noise (for example, Data Decibel / differential privacy) settings?
Use higher thresholds when:
Partners can build free‑form queries.
Outputs are closer to individual-level metrics.
You want to align with stricter industry norms (for example, 100+ users per cell).
Use moderate or lower thresholds when:
Partners run only owner-authored templates.
Outputs are heavily aggregated and not used for activation.
Collaborations are limited and tightly governed.
Use noise / differential privacy when:
You want to guard against differencing attacks (running similar queries repeatedly).
You need stronger technical guarantees in addition to k‑min.
For more information, see "Understanding LiveRamp Clean Room Privacy and Governance Controls" and "Privacy-Preserving Techniques and Clean Room Results".
What is the difference between restricting access with dataset provisioning, dataset analysis rules, and question-level permissions?
These layers address different questions:
Dataset provisioning:
What data is even available in this collaboration?
Which datasets, columns, and rows are exposed to a clean room.
Dataset analysis rules:
How can this data be used?
Allowed joins, projections, aggregations, and input k‑min for each dataset.
Question-level permissions:
What can each partner do with this specific question and its outputs?
Whether partners can see SQL, run or schedule, clone, or view outputs for that question.
You typically use all three together: minimize data at provisioning, enforce safe patterns via dataset analysis rules, and tune partner behavior with question permissions.
How do I limit which clean room permissions my partners are allowed to assign to their own users?
As the clean room owner:
Select Access → Partners & Users.
For the partner organization, click the More Options menu and then select Manage Permissions.
Turn on only the permissions you want that partner to be able to use in their own roles (for example, View Reports and Intelligence Viewer, but not Question Builder or Manage Datasets).
Click .
Partners can then create roles for their users, but only using the permissions you made available. For more information, see "Manage Clean Room Permissions and Controls".
What are the main clean room–level permissions and what does each allow?
Typical clean room permissions include (names may be localized in your UI):
Manage Clean Room Roles:
Add and remove users in the clean room.
Define roles and assign roles to users.
Manage Datasets:
Configure datasets for that clean room.
Assign datasets to questions.
View Reports:
View question run outputs and, when applicable, flow run reports.
Create & Delete Question Runs:
Create and delete question runs.
Create or Modify and Delete Question Schedules:
Create, edit, and delete scheduled question runs.
Question Builder:
Author analytical and list questions (requires Question Builder product access).
Intelligence Viewer / Intelligence Creator:
View or build dashboards and reports in Intelligence.
Partner Management (owner only):
Add partners.
Manage which permissions are available to partners.
Modify partner roles and role assignments.
Add and Delete Questions (owner only):
Add available questions into the clean room.
Delete questions from the clean room.
Flow-related permissions (when Flows is enabled)
Flow Builder
Create, Schedule, and Delete Flow Runs
Manage Questions (for flows)
Manage Datasets (for flows)
View-only Flows
For more information, see the permission table in "Manage Clean Room Permissions and Controls".
How do default question permissions work, and how do I change them?
Each clean room has default question permissions that apply to new questions authored or provisioned by a given organization:
Select Details → Parameters and Permissions.
Under question permissions, configure the following permissions:
View Query/Code
Edit and Delete Question
Clone Question
Set up and Schedule Runs
View Reports and Output
For each permission, choose:
Whether it is on or off by default.
Whether it applies to any partner or specific partner organizations.
These defaults affect only new questions created thereafter. For per-question changes, see "Question Permissions and Overrides".
When should I use permission overrides on individual questions, and what can I change?
Use overrides when a particular question is more or less sensitive than your standard pattern.
To configure overrides:
Select Questions.
In the row for the question you what to configure overrides for, click the More Options menu (the three dots) and select Permissions Override.
For each partner, adjust the following controls:
View Query/Code
Edit and Delete Question
Clone Question
Set up and Schedule Runs
View Reports and Output
Click .
For example, you might keep most questions run-only for partners, but allow full code visibility and cloning for a small set of co-developed templates. For more information, see "Question Permissions and Overrides".
How can I let a trusted partner clone one of my questions and take ownership of the copy without editing my original?
For that specific question:
Select Questions.
In the row for the question, click the More Options menu (the three dots) and select Permissions Override.
For the partner organization:
Enable "Clone Question".
Keep "Edit and Delete Question" off if you do not want them editing your original.
Optionally keep "View Query/Code" off if you only want them to work from the cloned template.
Click .
The partner can then clone the question, become the owner of the cloned version, and edit that copy without affecting your original.
How do I onboard a new partner team and give them different access tiers (admin, analyst, viewer)?
From the partner’s perspective:
Accept the invitation:
The partner user receives a clean room invitation from the owner.
If they are new to LiveRamp Clean Room, an organization is created for them.
Set up org-level roles for the partner’s "Account Admin" or "Organization Admin":
Creates roles like "Partner Admin", "Partner Analyst", "Partner Viewer" using "Managing LiveRamp Clean Room User Roles".
Assigns these roles to users under Organization → Accounts → Clean Room Access.
Ensure the owner has enabled the right permission set for the partner org under Access → Partners & Users → Manage Permissions.
See "Clean Room Partner Implementation Guide" for an end-to-end view.
How do I control who can build vs. only view Intelligence dashboards and reports?
Use Intelligence-specific permissions in your roles:
For dashboard builders:
In their clean room role, include:
Intelligence Creator (or Intelligence Writer)
View Reports (so they can see question outputs)
Assign this role via Access → Partners & Users → Manage Roles (for owners) or Access → Users → Roles (for partners).
For view-only users:
In their role, include:
Intelligence Viewer
View Reports (if they also need to see tabular outputs)
Exclude Intelligence Creator.
For more information, see "Intelligence Access and Structure".
What additional permissions are needed to create and manage Flows, run/schedule Flows, and view Flow runs?
When the Flows feature is enabled, add Flow-related permissions to roles:
Flow designers / engineers:
Main capabilities:
Flow Builder
Create, Schedule, and Delete Flow Runs
Manage Questions (for flows)
Manage Datasets (for flows)
View Reports (for flow run outputs)
Observers / operational stakeholders
Main capabilities:
View-only Flows
View Reports
Configure these from Access → Partners & Users → Manage Roles (for owners) or Access → Users → Roles (for partners). For more information, see "Flow Management".
How do cloud IAM permissions (for example, BigQuery service account roles, AWS IAM roles) limit what LiveRamp can see and do?
Cloud IAM is the outer boundary for Clean Room operations:
In BigQuery clean rooms:
You grant LiveRamp service accounts:
Minimum dataset permissions (for example, bigquery.datasets.get, bigquery.datasets.create, bigquery.tables.getData) on specific datasets.
Metadata-only roles (such as BigQuery Metadata Viewer) as needed to render schema in data connections.
LiveRamp typically:
Creates a dedicated dataset for authorized views and private exchanges.
Subscribes to and unsubscribes from Analytics Hub listings at run-time, using an ephemeral access pattern.
For more information, see "Configure a BigQuery Data Connection for a BigQuery Clean Room".
In AWS clean rooms:
IAM roles and trust relationships define:
Which AWS Clean Rooms resources LiveRamp can create/manage.
Which S3 buckets results can be written to or read from.
For more information, see "Configure AWS Roles for AWS Clean Rooms".
Clean Room permissions then operate inside whatever scope those IAM roles expose.
Why can a user log in to LiveRamp Clean Room but not see any clean rooms listed, and how do I fix it?
Common causes:
The user has only been added at the organization level, not to any specific clean room.
The user’s org role exists, but they do not yet have a clean room–level role in any collaboration.
To fix this as an owner:
Select Organization → Accounts → Clean Room Access to confirm the user exists and has a valid org role (for example, "Clean Room Admin", "Business Analyst").
In the specific clean room:
Go to Access → Partners & Users.
Click .
Select the user and assign an appropriate clean room role (for example, "Administrator", "Viewer", or a custom role).
Partners follow a similar flow under Access → Users → Add Users in that clean room.
For more information, see "Managing LiveRamp Clean Room Users".
Why might I get a permission error when I try to run a question, schedule a run, or view a report, and what should I check first?
Typical configuration issues:
For running or scheduling questions:
Your clean room role might be missing the following permissions:
Create & Delete Question Runs
Create or Modify and Delete Question Schedules
The question’s permissions for your organization might not include "Set up and Schedule Runs".
For viewing outputs:
Your role might not include "View Reports".
The question might not grant your organization "View Reports and Output".
For SQL or template access, "View Query/Code" might be disabled for your organization on that question.
First, inspect your assigned role under Access → Partners & Users → Users (for owners) or Access → Users )for partners), then review the relevant question’s permissions. For more information, see "Question Permissions and Overrides".
How can I audit which users and partners have access to a clean room, which roles they have, and what they can do?
Within a clean room:
Partners and roles:
Go to Access → Partners & Users (for owners) or Access → Users (for partners).
Review:
Which organizations are listed (owner and partners).
Which roles each user is assigned in that clean room.
Role definitions:
From Manage Roles, see what permissions each role includes (datasets, questions, Intelligence, flows, partner management, etc.).
Datasets and questions:
Under Datasets, see which datasets are provisioned and which partners can assign them.
Under Questions, use Permissions Override to see which partners can view, run, or edit each question.
For cross-clean-room visibility, if enabled, you can also use Trust Center roles such as "Trust Center Administrator" and "Trust Center Read Only" to see user access and dataset usage across collaborations. For more information, see "Managing LiveRamp Clean Room User Roles".
How do role-based access controls in LiveRamp Clean Room complement Safe Haven / Analytics Environment and cloud-level controls to create an overall governance model?
They form a layered model:
Cloud IAM limits what tables and datasets LiveRamp can touch in the first place (for example, BigQuery or AWS IAM).
Safe Haven / Analytics Environment controls how your underlying data is resolved, stored, and permissioned within LiveRamp’s analytical environment.
LiveRamp Clean Room adds collaboration-specific governance on top:
Organization roles (for example, "Account Admin", "Clean Rooms Administrator", "Intelligence Admin").
Clean room–level roles and permissions for each collaboration.
Partner-level permission availability per clean room.
Dataset provisioning and dataset analysis rules for each dataset.
Question-level permissions and templates (query transparency).
Intelligence and Flows role separation (builders vs. viewers).
Clean room–level privacy controls (crowd size, time bounds, PETs).
Used together, these ensure that data is only accessible where, how, and for as long as policy and contracts allow, while still enabling flexible analytics and activation.
Data Connection FAQs
See the FAQs below for common data connection questions.
How should my files or tables be formatted for a successful data connection?
To avoid schema and formatting errors:
Use supported file types and sizes:
For file-based connections, use CSV or Parquet, staying within documented size limits for each file type and connection type.
Make sure to use a consistent schema:
All files/tables in the connection must share the same set of columns in the same order and compatible types.
If you have multiple schemas, create one data connection per schema.
Make sure to use clean, compliant headers:
Include a single header row.
Use unique header names with no duplicates.
Avoid disallowed characters in headers, and keep names within character length limits.
Include identifiers:
Each row should contain at least one supported identifier type if you plan to use the data in identity-aware workflows.
Use encoding:
Save CSV files as UTF‑8 without a BOM (byte order mark) to avoid “ghost character” and parsing errors.
For more information, see “Format Your Clean Room Data”.
Can one data connection include multiple tables or different schemas?
No:
Each data connection results in a single dataset within the platform.
All files/tables in that connection must share the same schema to process successfully.
To use distinct tables or file sets as separate datasets, you must do one of the following:
Create a separate data connection for each table or file with a different schema.
(Where available) create a derived dataset from a view of multiple data connections, which is still represented as a separate dataset downstream.
Why does partitioning matter?
Partitioning optimizes the dataset even before you get to the query stage. Partitioning improves query performance because data processing during question runs occurs only on the relevant filtered data. For more information, see “Data Connection Partitioning”.
What are the best practices for partitioning?
Data partitioning (dividing a large dataset into smaller, more manageable subsets) is recommended for optimizing query performance and leading to faster processing times. By indicating partition columns for your data connections, data processing during question runs occurs only on the relevant filtered data, which reduces query cost and time to execute. Best practices include:
Partition at the source: When configuring your data connection to LiveRamp Clean Room, define partition columns.
Consider the collaboration context: Make sure that the partition columns make sense for the types of questions that a dataset is likely to be used for. For example:
If you anticipate questions that analyze data over time, partition the dataset by a date field (e.g., event_date or impression_date). This allows queries that filter by date ranges to scan only relevant partitions, reducing processing time and costs.
If the main use case is to analyze data by different brands or products, then partitioning by a brand or product_id column makes sense. This strategy ensures that queries filtering by brand will only access the necessary subset of the data.
Verify column data types: Partitioning supports date, string, integer, and timestamp field types. Complex types (such as arrays, maps, or structs) are not allowed.
Cloud-specific formatting: For cloud storage sources like S3, GCS, and Azure, structure your buckets and file paths in a partitioning format based on the partition column. For BigQuery and Snowflake, make sure columns are indicated as partition keys in your source tables.
For more information, see "Data Connection Partitioning".
How should I map fields if my data contains a RampID column?
If your data contains a column with RampIDs, do not slide the PII toggle for that column. Mark the RampID column as a User Identifier and select "RampID" as the identifier type. If the data contains a RampID column, no other columns can be enabled as PII.
Why do I need to map a user identifier during the field mapping process, and what if I don’t have one?
Every data connection must have at least one user identifier mapped:
Many clean room workflows rely on identifying individuals or households to perform the following actions:
Link your data to other datasets.
Perform identity resolution and deconfliction.
Enable audience and measurement use cases.
At least one field must be mapped as a User Identifier in the connection’s field mapping for identity-aware use cases to work correctly.
If you have no obvious identifier column, consider one of the following options:
Add a customer or account ID that is stable and unique per entity to your dataset
Generate a “synthetic” or surrogate key upstream, if that is acceptable for your use case.
Note
Be aware that using a synthetic ID that never appears anywhere else will allow you to analyze that dataset internally but will not create overlap with partner data.
If you’re unsure which column to choose, align with your internal data owners and your LiveRamp contact before finalizing the mapping.
What should I try if my new data connection won’t complete setup (for example, it stays in Draft, Verifying Access, Configuration Failed, or Missing Valid Schema)?
Start with these quick checks:
Verify access and permissions:
Confirm the credential you selected is valid, not expired, and has read access to the target location (project/database, schema, table, bucket, or folder).
If your environment uses network rules or IP allowlisting, make sure the required LiveRamp IP ranges are authorized before retrying the connection.
Verify path or object details:
Verify the project/database, dataset/schema, table/view, or storage path is correct and still exists.
Ensure the location contains non‑empty data that matches what you intend to connect (for example, not a placeholder or empty folder).
Verify schema and headers
Confirm that all files/tables share the same schema, with the same columns in the same order and compatible data types.
Make sure headers are present, unique, and do not contain disallowed characters (such as duplicate names, certain special characters, or overly long column names).
Verify identifiers:
Ensure the data includes at least one column that can be mapped as a user identifier during field mapping; missing identifiers can block runs or yield empty results later.
After fixing anything uncovered above, retry the data connection to re-run validation.
What should I do if the tooltip error message for my data connection seems to indicate that the credentials might be an issue?
When a tooltip or error message explicitly calls out “authentication”, “invalid credentials”, or a “token/session expiry”, it means the platform could not sign in to your cloud source with the saved credential (even if the credential object still exists in the cloud provider UI).
To troubleshoot the issue, perform these steps:
Check the credential in your cloud console:
For the credential used by the data connection (for example, service account key, SAS token, keypair, or password), confirm the following in your cloud provider:
The key/token/user still exists and has not been revoked or disabled.
Any explicit expiry time on the key/token has not passed.
If you see that the key/token is expired or rotated, generate a new one.
Test the same credential directly against the source:
Use your cloud provider’s native tools (CLI, SQL client, storage browser) with the exact same key/token/user that is configured in the LiveRamp credential.
Try a simple read action (for example, list objects in the bucket, select from the table/view).
If this direct test fails with auth-related errors (for example, invalid token, expired token, authentication failed), the credential is no longer valid and must be regenerated.
Rotate or regenerate the credential, then update it in Clean Room:
Create a new key/token/secret in your cloud environment following your internal security practices.
In Clean Room, perform one of the following actions:
Edit the existing credential to paste the new secret.
Create a new credential and point the data connection to it.
Make sure the new credential has at least read/list access to the configured project/database, schema, table, bucket, or folder.
Retry the data connection and re-read the tooltip if needed:
After updating the credential, retry the affected connection.
If authentication is now working, the status should move from “Configuration Failed” to “Mapping Required” or “Completed”.
If it fails again, re-check the tooltip to see whether it still points to authentication/credentials, or whether it now points to a different issue (for example, missing table, invalid path, or schema problems) and troubleshoot accordingly.
What should I do if the status for my data connection is “Mapping Required”?
If the status for your data connection is “Mapping Required”, that means that Clean Room can reach your data and has read the schema, but you still need to perform the map fields step.
From the row for the data connection on the Data Connections page, click the More Options menu (the three dots) and then select Edit Mapping. In the mapping flow, choose which columns to include, set data types and PII/identifier fields, and then save. After mapping is complete, the status should change to “Completed” (or "Ready" for CSV Upload connections). For more information, see the appropriate article for your cloud provider in “Connect to Cloud-Based Data”.
What should I do if the status for my data connection is “Configuration Failed”?
If the status for your data connection is “Configuration Failed”, that means that Clean Room was unable to connect to your data source and read the dataset during the “Verifying Access” stage. You can hover over the status icon to see a tooltip with more detail on what went wrong (for example, a permissions issue, wrong project or database, missing table or view, or an invalid path).
Fix the underlying issue in your cloud environment (such as credentials, roles, allowlisting, region, or object name) and then retry the data connection. If the issue is fixed, the status should change to “Mapping Required”.
What should I do if the status for my data connection is “Failed”?
If the status for your data connection is “Failed”, that means that an identity resolution job for that data connection did not complete successfully. You can hover over the status icon to see a tooltip with the error message and additional context (for example, problems with identifier fields, schema changes, or configuration).
Review that message, fix the underlying issue in your environment (such as identifier columns, data formats, or permissions), and then retry the data connection. If the job fails again with the same error, contact your LiveRamp representative or create a support case.
What should I do if the status for my data connection is “Missing Valid Schema”?
If the status for your data connection is “Missing Valid Schema”, that means that Clean Room can reach the data location but cannot find a usable table/view or file schema there.
For cloud storage data connections (such as AWS S3, GCS, Azure, Databricks, and Iceberg Catalog), confirm that the expected data files or data schema reference file are present, have valid headers, and match the configured schema.
For cloud warehouse data connections (such as BigQuery or Snowflake), confirm that the project/database, dataset/schema, and table/view values you entered are correct and still point to an existing object with the expected columns.
After you fix the underlying issue, retry the data connection so that Clean Room can re-read the schema.
What should I do if the status for my data connection is “Waiting for File”?
If the status for your data connection is “Waiting for File”, that means that a CSV Upload / Local Upload data connection does not yet have a valid CSV file at the upload location.
From the row for the data connection on the Data Connections page, edit the data connection, use the button to upload the CSV file, and then save the data connection. After Clean Room has uploaded and validated the file, the status should change from “Waiting for File” to “Mapping Required”, and you can then complete the Map Fields step.
Why is validation for my CSV file data connection failing even though my CSV file looks fine?
Even CSVs that look fine can fail (for example, a status of “Configuration Failed” or “Missing Valid Schema”) for small issues:
Hidden BOM / “ghost characters”:
Some tools (especially Excel) add a BOM at the start of the file, which can break header detection.
Re-save as UTF‑8 without BOM or use a script to strip the BOM before re-uploading.
Inconsistent headers across files:
Slight differences (extra spaces, different capitalization, extra columns in some files) can cause schema mismatch.
Ensure every file in the connection uses exactly the same header row and column order.
Delimiter and quoting issues:
If data contains commas, quotes, or line breaks inside fields, but the parser isn’t configured to handle them, you can see errors like “more columns than headers”.
Normalize your CSVs to a consistent delimiter/quote strategy, or consider using a columnar format such as Parquet when possible.
Trailing or malformed rows:
Extra footer lines, partial rows, or corrupted lines at the end of files can also cause validation to fail.
Check for and remove any non-data lines.
After any fix, upload the corrected file(s) and retry the data connection so the schema can be re-read.
For more information, see “Format Your Clean Room Data”.
Clean Room Setup FAQs
See the FAQs below for common setup questions.
Where do queries run in a hybrid or confidential computing clean room?
Queries run within LiveRamp's secure Clean Room environment. For hybrid and hybrid confidential computing (HCC) clean rooms, the underlying engine that executes your SQL queries is Apache Spark SQL in a distributed, multi-tenant environment.
How do I choose where to execute to improve performance?
"Where" primarily refers to the type of clean room that your organization selects based on your collaboration goals and the location of your data and your partners' data. Different clean room types use different execution engines, which impact how queries are processed. Optimizing for performance partly depends on your clean room type (such as Snowflake, Google BigQuery, or Hybrid).
Snowflake: Optimize your queries for Snowflake's native SQL engine. For more information, see "Query Data in Snowflake" in Snowflake's documentation.
BigQuery: Queries use the GoogleSQL dialect, and the compute typically runs within the clean room owner's BigQuery project. For more information, see "Optimize Queries" in the BigQuery documentation.
Hybrid and Hybrid Confidential Computing (HCC): Queries are executed using Apache Spark SQL within LiveRamp's secure data plane environment. For more information, see "Performance Tuning" in the Apache Spark documentation.
Google Cloud BigQuery Clean Room FAQs
See the FAQs below for common Google Cloud BigQuery clean room questions.
BigQuery Clean Room Setup FAQs
Prior to orchestrating BigQuery clean rooms in LiveRamp Clean Room, it is important to configure the necessary permissions in the Google Cloud Platform (GCP) and LiveRamp Clean Room, as well as enable certain APIs for your project. For information, see “Configure a BigQuery Data Connection for a BigQuery Clean Room”.
Yes, multiple Google service accounts can be used in an organization to bring data.
BigQuery Clean Room Permissions FAQs
LiveRamp uses these permissions to create a dataset in the owner/partner project. This is done to create an authorized view in a dataset that is shared as a private exchange.
The role helps render the data connections screen UI. It helps fetch the table metadata and render it on the LiveRamp Clean Room UI.
We create an authorized view from the owner/partner table and it lives in a separate shared dataset other than the owner dataset. LiveRamp orchestrates the creation of this shared dataset. Note that this shared dataset is different from the source dataset and is only created to be part of the private exchange in Analytics Hub.
You can create custom roles with the minimum set of permissions listed in “Configure a BigQuery Data Connection for a BigQuery Clean Room” and assign them to the project.
BigQuery Metadata Viewer permission is expected at the table level. So LiveRamp doesn’t have access to the rest of the tables which do not have the above role and are not a part of the data connections screen.
LiveRamp is creating the authorized view in the clean room Owner’s BigQuery project. In order to facilitate the process of creating the authorized view, LiveRamp first creates a dataset and then creates an authorized view in it which is accessible to LiveRamp.The permissions needed to do this are bigquery.datasets.create, bigquery.datasets.get, and bigquery.datasets.update. LiveRamp can only create, update, or get a dataset which is the one LiveRamp creates while creating the authorized view. The LiveRamp service account does not have access to list any other datasets in the Owner BigQuery project.
If some columns are masked, the Owner service account would need to provide the BigQuery Data Viewer role at the table level. If there is no masking, the Owner service account needs the BigQuery Metadata Viewer role (listed in “Configure a BigQuery Data Connection for a BigQuery Clean Room”).
When the owner/partner configures the data connection in a clean room, LiveRamp creates a dataset, an authorized view, and a private exchange and a listing under the exchange and then adds the LiveRamp service account as an Analytics Hub subscriber to the listing.
Authorized views, Private Exchange, and listing are created in the Client Project. At the time of clean room question execution, the LiveRamp service account subscribes to the private listing, creates a BigQuery job, and, after the job is complete, unsubscribes from the listing. This is what is known as “ephemeral access”.
BigQuery Clean Room Compute FAQs
We support compute in the clean room owner’s project today through a clean room parameter in the BigQuery clean room called “Billing Project ID”. It's set in the clean room configuration screen and is where the compute will happen and the BigQuery jobs will be created.
BigQuery Clean Room Billing FAQs
The Billing Project ID of the clean room determines which project gets billed for the job execution.
It doesn’t matter. It could be any BigQuery project with the appropriate billing setup.
Question and Query FAQs
See the FAQs below for common questions about Question Builder and Query Builder.
What can I do to improve the performance of my question runs?
Perform data validation in your own environment before connecting your data source to LiveRamp Clean Room. The key areas to consider include making sure that you’re seeing the expected row counts and fill rates for key fields.
The fields listed in LiveRamp's sample schemas can be used to prepare your data for your clean room collaboration use cases. Pay close attention to column names, data types, any required hashing for PII, and so on. Having the proper file formatting in place will make the remainder of your setup much more seamless. Validating it with QA queries in your own environment can reduce costs and save time once you've connected your data to LiveRamp.
Enable partitioning for date columns and key string columns for the datasets assigned to the question, and use partitioning so that only the relevant data is used during execution, not the entire dataset. Data partitioning significantly enhances query performance, reduces data egress, and thus optimizes cost. For information, see "Partition a Dataset in LiveRamp Clean Rooms".
Optimize your queries based on the cloud environment of your clean room type.
Different clean room types use different execution engines, which can impact the performance of question runs. Your Clean Room partners' chosen cloud platform and region also impact the performance of your shared question runs. If you and your partner use the same clean room type, your query will make use of the same SQL engine. While LiveRamp Clean Room is designed to be cloud-agnostic and enable connections to data stored in major cloud providers, the underlying cloud platforms and regions of you and your partners can affect the collaboration and data processing.
What SQL engine should I optimize for?
The SQL engine you should optimize for depends on the specific type of clean room you are using, because different clean room types may support different SQL dialects:
Hybrid and Hybrid Confidential Computing (HCC) clean rooms use Apache Spark SQL because of its support for distributed processing of large datasets. For information, see "Clean Compute on Apache Spark".
Google BigQuery clean rooms use GoogleSQL.
Snowflake clean rooms support standard SQL.
What is LiveRamp's default warehouse size for a question run?
Question Builder's "Advanced Question Settings" include various options for the "Processing capacity needed to run the question". If a question is taking 8 hours to execute or longer, we recommend bumping up the warehouse size.
The available warehouse sizes may be used to select the level of compute required to process your question successfully.
Warehouse Size | When to use |
Default | Default processing capacity is appropriate for the vast majority of queries and datasets. |
Medium | Medium capacity is only required for Questions that are not satisfied by the default setting or for complex queries. |
Large | Large capacity is only required for Questions that are not satisfied by the default setting / exceptionally complex queries and large record counts (1+ billion). |
Extra Large | Extra large capacity is only required for Questions that are not satisfied by the Large setting / exceptionally complex queries and very large record counts (10+ billion). |
2X Large | Intended for extremely complex questions and very large datasets. Use only when Extra Large capacity is insufficient. |
3X Large | Designed for exceptionally high-complexity questions and massive-scale datasets. Requires pre-approval from LiveRamp due to significant resource consumption. |
Why are queries that work in my cloud data warehouse failing in LiveRamp Clean Rooms?
LiveRamp's Hybrid and Hybrid Confidential Compute (HCC) clean rooms use Apache Spark as the underlying engine for executing queries. This leverages distributed computing, which does not auto-scale (and increase cost) to meet the demands of a query. Cloud data warehouses use centralized computing, which is set up to provide greater resources (and increase cost) as the query requires more compute consumption.
Spark is designed for the distributed processing of large datasets, where each query execution is allocated a fixed amount of compute resources. LiveRamp is continually optimizing how these resources are allocated, but due to the fixed nature of each execution job, you may need to test and learn to determine which warehouse size is appropriate for your question. Optimizing queries for Spark involves considering how data is partitioned and processed across nodes. Inefficient queries in this distributed environment can lead to performance bottlenecks, high memory consumption, and potential failures.
Ways to mitigate this risk are to:
Leverage data connection partitioning to ensure only relevant data is processed during query execution
Optimize your code for Spark SQL execution. Not sure how to optimize for this query engine? See LiveRamp's AI SQL Optimization helper.
Leverage the CACHE TABLE function for storing CTEs for repeated use.
What could be leading to memory issues with clean rooms, such as functions failing after 3 hours?
Failures after a long duration, such as 3 hours, are often linked to memory issues that arise during question runs due to how the query is structured. It is not likely caused by functions alone but also by other aspects of the query, such as cross-joins on large datasets or multiple common table expressions (CTEs) reused throughout the query. Failures can also occur for a variety of other reasons, such as within custom Python code, insufficient processing capacity for the warehouse size, transient interruptions, or timeouts.
If troubleshooting steps, such as query optimization and adjusting warehouse size, do not resolve the issue, contact your LiveRamp representative to explore additional options.
Why are my runs queuing for so long?
Long queuing times for question runs can be related to the performance and resource availability within the Clean Room execution environment. If many complex or large queries are submitted simultaneously, there might be insufficient compute resources immediately available, leading to a queue. Problems with the data itself (such as missing data or problematic formatting) could delay the start of a question run if the system encounters problems accessing the necessary data from its source connections. Queueing is not a sign of issues within the system.
What is a Data Plane?
The "data plane" refers to the physical or logical environment where queries are executed and data is processed. It operates within your chosen cloud environment and within a private virtual network in a specific region to ensure data remains localized and secure. This also minimizes data movement and egress costs.
Multiple data planes can participate in question runs, including multiple partners' datasets. LiveRamp Clean Room is built on a multi-plane architecture, with a single control plane coordinating operations across multiple data planes. This design enables scalability and multi-cloud compatibility for secure data collaboration across a global footprint, including the U.S., EU, APAC, and LATAM regions. Each data plane is fully isolated, ensuring secure collaboration and processing data locally to comply with data sovereignty regulations and minimize latency.
How can I resolve a failed question run due to a dataset issue?
If you receive an error message that includes something similar to "Error Message: Failed to read data for dataset=<dataset_name>_pqt", this is likely due to a change at your source data location, such as a deleted source file or a change in permissions.
After a data connection is first created, the Question Run process does not check whether a file still exists or if the data are correct. So, if somebody changes or deletes that file at the source, the question run may fail at a later time.
Recommendations include:
Use consistent field types for the same field within all files and data.
Recast any fields that are inconsistent as "STRING".
Before adding files with recent updates, verify that they use the same format as the reference schema that was previously sent.
LiveRamp Clean Room AI FAQs
How does LiveRamp Clean Room use AI?
LiveRamp Clean Room provides several opportunities to interact with LiveRamp Clean Room AI, Clean Room's generative AI helper bot. The goal of LiveRamp Clean Room AI is to help our users reduce time-to-value in performing tasks within the Clean Room Console by predicting which analyses would be beneficial to your organization, how questions, user lists, and alerts can be built, and how to describe questions to your partners for approval.
LiveRamp recognizes that AI is a broad discipline, and it is often hard to know what data is used to generate AI-powered responses. In the spirit of transparency, we'd like to explain how LiveRamp Clean Room AI works.
What model does LiveRamp Clean Room use to generate helper bot responses?
Clean Room leverages models available via the OpenAI Platform as the foundation models for providing responses to Clean Room Console users. For more information, see "???".
What data does the model use to inform responses?
LiveRamp Clean Room integration uses OpenAI's API to provide responses based on data trained to inform OpenAI's models. To fine-tune the model, Clean Room only leverages the schemas (names, fields, and data types) of the data connections already provided within your organization to provide more relevant responses and suggestions. It's important to note:
OpenAI has no access to messages you write in LiveRamp Clean Room AI or data you have connected to Clean Room Console.
Clean Room does not use your organization's underlying data to inform the models.
Your messages to LiveRamp Clean Room AI are not used to fine-tune the messages you receive.
Are my inputs recorded?
Yes, Clean Room securely stores chat histories as a reference for our Customer Success team in cases where they may need to provide additional support and make improvement requests.
How accurate are responses from LiveRamp Clean Room AI?
While the accuracy of outputs from AI tools is improving at a rapid rate, generative AI is still a nascent field. This means we cannot guarantee that all responses will be accurate and always provide users with the opportunity to correct an AI-generated response before using it.
Do I have to use LiveRamp Clean Room AI?
While we hope LiveRamp Clean Room AI is a useful tool for most users, it is completely optional. If you’d prefer not to use it, we've provided the option to hide LiveRamp Clean Room AI's helper bot.
How should I Interact with LiveRamp Clean Room AI?
You can interact with LiveRamp Clean Room AI in the same manner you would interact with a chatbot on any other website. We recommend asking the helper bot questions and prompting it with messages describing what you hope to achieve. For example:
I want a SQL query that will allow me to understand the overlap between my audience and my partner's audience for CRM and exposure log data.
Give me a query that will tell me the ROAS for my March campaign across all destinations where I've activated data from Clean Room.
Set up an alert that will email me anytime the average basket size across my SKUs at retail locations in Boston dips below $10.00.
If you have any concerns with LiveRamp Clean Room AI's responses or are having trouble using the tools effectively, contact your LiveRamp representative.
What are LiveRamp Clean Room's AI disclosures?
LiveRamp uses OpenAI, L.L.C.'s ("OpenAI") ChatGPT API to help you create alerts, queries, and natural language code descriptions. OpenAI's ChatGPT API uses large language models, and the content it creates may not be fully accurate or reliable. We want you to know:
LiveRamp’s agreement with OpenAI prevents OpenAI from using your data to train its models. OpenAI describes its data usage policies here.
In addition to the industry-standard technical, administrative, and physical controls that LiveRamp uses to protect your data, OpenAI's requests and responses are encrypted using transport layer security (TLS), and OpenAI API is SOC 2 Type 2 compliant.