Google Cloud BigQuery Clean Room FAQs

Prior to orchestrating BigQuery clean rooms in LiveRamp Clean Room, it is important to configure the necessary permissions in the Google Cloud Platform (GCP) and LiveRamp Clean Room, as well as enable certain APIs for your project. For information, see “Configure a BigQuery Data Connection for a BigQuery Clean Room”.

Yes, multiple Google service accounts can be used in an organization to bring data.

LiveRamp uses these permissions to create a dataset in the owner/partner project. This is done to create an authorized view in a dataset that is shared as a private exchange.

The role helps render the data connections screen UI. It helps fetch the table metadata and render it on the LiveRamp Clean Room UI.

We create an authorized view from the owner/partner table and it lives in a separate shared dataset other than the owner dataset. LiveRamp orchestrates the creation of this shared dataset. Note that this shared dataset is different from the source dataset and is only created to be part of the private exchange in Analytics Hub.

You can create custom roles with the minimum set of permissions listed in “Configure a BigQuery Data Connection for a BigQuery Clean Room” and assign them to the project.

BigQuery Metadata Viewer permission is expected at the table level. So LiveRamp doesn’t have access to the rest of the tables which do not have the above role and are not a part of the data connections screen.

LiveRamp is creating the authorized view in the clean room Owner’s BigQuery project. In order to facilitate the process of creating the authorized view, LiveRamp first creates a dataset and then creates an authorized view in it which is accessible to LiveRamp.The permissions needed to do this are bigquery.datasets.create, bigquery.datasets.get, and bigquery.datasets.update. LiveRamp can only create, update, or get a dataset which is the one LiveRamp creates while creating the authorized view. The LiveRamp service account does not have access to list any other datasets in the Owner BigQuery project.

If some columns are masked, the Owner service account would need to provide the BigQuery Data Viewer role at the table level. If there is no masking, the Owner service account needs the BigQuery Metadata Viewer role (listed in “Configure a BigQuery Data Connection for a BigQuery Clean Room”).

When the owner/partner configures the data connection in a clean room, LiveRamp creates a dataset, an authorized view, and a private exchange and a listing under the exchange and then adds the LiveRamp service account as an Analytics Hub subscriber to the listing.

Authorized views, Private Exchange, and listing are created in the Client Project. At the time of clean room question execution, the LiveRamp service account subscribes to the private listing, creates a BigQuery job, and, after the job is complete, unsubscribes from the listing. This is what is known as “ephemeral access”.

Partitioning is highly recommended for best performance.

We support compute in the clean room Owner’s project today through a clean room parameter in the BigQuery clean room called “Billing Project ID”. It's set in the clean room configuration screen and is where the compute will happen and the BigQuery jobs will be created.

The Billing Project ID of the clean room determines which project gets billed for the job execution.

It doesn’t matter. It could be any BigQuery project with the appropriate billing setup.