Google Cloud BigQuery Clean Room FAQs

What do we need to do to get the most out of BigQuery clean rooms?

Prior to orchestrating BigQuery clean rooms in LiveRamp Clean Room, it is important to configure the necessary permissions in the Google Cloud Platform (GCP) and LiveRamp Clean Room, as well as enable certain APIs for your project. For information, see “Configuring BigQuery Permissions for BigQuery Clean Rooms”.

Are multiple service accounts allowed in a single organization?

Yes, multiple Google service accounts can be used in an organization to bring data.

Why does a service account need bigquery.datasets.get and bigquery.datasets.create permissions?

LiveRamp uses these permissions to create a dataset in the owner/partner project. This is done to create an authorized view in a dataset that is shared as a private exchange.

What is the use of the “BigQuery Metadata Viewer” role on the table to the owner/partner service account?

The role helps render the data connections screen UI. It helps fetch the table metadata and render it on the LiveRamp Clean Room UI.

Why do you need to create datasets in our GCP project?

We create an authorized view from the owner/partner table and it lives in a separate shared dataset other than the owner dataset. LiveRamp orchestrates the creation of this shared dataset. Note that this shared dataset is different from the source dataset and is only created to be part of the private exchange in Analytics Hub.

What if we do not want to use BigQuery Data Owner or other BigQuery roles?

You can create custom roles with the minimum set of permissions listed in “Configuring BigQuery Permissions for BigQuery Clean Rooms” and assign them to the project.

I have four tables in a dataset but am using only one table in the clean room. Is LiveRamp able to access the rest of the tables?

BigQuery Metadata Viewer permission is expected at the table level. So LiveRamp doesn’t have access to the rest of the tables which do not have the above role and are not a part of the data connections screen.

Do authorized views need to be created in the clean room owner's project? Can LiveRamp host the authorized views?

LiveRamp is creating the authorized view in the clean room Owner’s BigQuery project. In order to facilitate the process of creating the authorized view, LiveRamp first creates a dataset and then creates an authorized view in it which is accessible to LiveRamp.The permissions needed to do this are bigquery.datasets.create, bigquery.datasets.get, and bigquery.datasets.update. LiveRamp can only create, update, or get a dataset which is the one LiveRamp creates while creating the authorized view. The LiveRamp service account does not have access to list any other datasets in the Owner BigQuery project.

For some of our columns, such as email address, we have implemented column-level security. Does the Owner service account and/or the LiveRamp service account need permission to read columns with column level security if we are using the Analytics Hub/private exchange?

If some columns are masked, the Owner service account would need to provide the BigQuery Data Viewer role at the table level. If there is no masking, the Owner service account needs the BigQuery Metadata Viewer role (listed in “Configuring BigQuery Permissions for BigQuery Clean Rooms”).

At which step in the process is the Analytics Hub private exchange created?

When the owner/partner configures the data connection in a clean room, LiveRamp creates a dataset, an authorized view, and a private exchange and a listing under the exchange and then adds the LiveRamp service account as an Analytics Hub subscriber to the listing.

Is the clean room created in the Client Project?

Authorized views, Private Exchange, and listing are created in the Client Project. At the time of clean room question execution, the LiveRamp service account subscribes to the private listing, creates a BigQuery job, and, after the job is complete, unsubscribes from the listing. This is what is known as “ephemeral access”.

Do we need to add any partitions to the BigQuery assets?

Partitioning is highly recommended for best performance.

How does compute work for BigQuery clean rooms?

We support compute in the clean room Owner’s project today through a clean room parameter in the BigQuery clean room called “Billing Project ID”. It's set in the clean room configuration screen and is where the compute will happen and the BigQuery jobs will be created.

Who gets billed for the compute?

The Billing Project ID of the clean room determines which project gets billed for the job execution.

Does the billing project specified need to be the same as the project via which authorized views will be shared in Analytics Hub?

It doesn’t matter. It could be any BigQuery project with the appropriate billing setup.