topic Re: RLS in Genie Space in Generative AI

RLS in Genie Space

GunaR — Fri, 17 Oct 2025 06:10:05 GMT

I am developing a Conversational BI Solution using Genie. There are users from different roles and we need to restrict the rows returned based on the user's role. Typically RLS. I understand from documentation Genie leverage the RLS setup on the Unity catalog. This approach expects to onboard the users to Databricks workspace, which is not feasible in my case.

The approach is to use the Genie API to customize the chat experience for the users.

My request is, how can we pass the user ID on every conversation and use this to filter the rows using RLS? Or is there any documentation on the best practices?

Re: RLS in Genie Space

dkushari — Tue, 21 Oct 2025 18:36:12 GMT

Hi @GunaR - Are you saying these users are not set up in Databricks at all, or are you saying these users are set up in an IDP (such as Azure Entra ID) and then synced with Databricks?

Re: RLS in Genie Space

GunaR — Wed, 22 Oct 2025 03:40:45 GMT

Yes, these users are not in Databricks at all. The approach is to expose the custom build chatbot to 500+ users and pass the email ID to custom API, which invoke the Genie API internally. I need to build the mechanism to handle RLS with this approach. Is it feasible?

Re: RLS in Genie Space

Jeeva — Sat, 01 Nov 2025 20:32:23 GMT

Hi Guna , Same Kind of use I have . Did u able to achieve this?

Re: RLS in Genie Space

GunaR — Tue, 04 Nov 2025 04:42:03 GMT

Not yet, still on-research to achieve without onboarding to Databricks. Will keep posted here if I found any,

Re: RLS in Genie Space

bianca_unifeye — Wed, 05 Nov 2025 08:54:39 GMT

Hi @GunaR ,

Building a Databricks App integrated with AI/BI Genie could be a clean way to handle this. Apps allow you to expose Genie (or any model endpoint) to external users without onboarding them into the workspace.

You can authenticate users through your existing IDP (e.g., Entra ID, Okta) and pass their identity or email to the Genie API. That context can then be used to enforce row-level and column-level security via Unity Catalog.

This pattern Databricks App + Genie + Unity Catalog is the recommended way to serve governed, chat-style analytics to larger user groups securely.

Re: RLS in Genie Space

GunaR — Wed, 05 Nov 2025 09:05:29 GMT

Hello @bianca_unifeye Thank you for your response. I am on the same approach. But the Genie API doesn't have option to send the email as request param. https://docs.databricks.com/api/workspace/genie/startconversation

Re: RLS in Genie Space

bianca_unifeye — Wed, 05 Nov 2025 09:08:48 GMT

@GunaR let me check with my team as I believe we had a workaround this.

Re: RLS in Genie Space

Raman_Unifeye — Wed, 05 Nov 2025 09:54:11 GMT

Hi @GunaR

This one is a tricky one as the users are not onboarded to databricks workspace. There is a custom solution you will require to build.

- Use Service Principal for the external application to authenitcate with Genie API. This SP will. have broader access to the table(s) data.

- Use a RLS Policy that uses a parametere which is dynamically passed by Genie.

Create a Unity Catalog SQL function that accepts the external User ID as a parameter, looks up their required filter value, and then applies the RLS logic.
Apply the RLS Filter to Your Data Table (ALTER TABLE ... ADD ROW FILTER)

- Genie API: Passing the User ID and Enforcing the Filter

Modify the Genie Space Instructions to pick up the USER_ID from provided query
Pass the User ID in the API Call -When you call the Genie Conversation API (e.g., /api/2.0/genie/spaces/{space_id}/start-conversation), inject the user ID into the prompt or the request body's context. such as "I am the user with ID <USER_ID>. What is total revenue?"

As mentioned, its a custom solution as there is no direct way to pass the external USER_ID to genie directly.

Re: RLS in Genie Space

GunaR — Tue, 11 Nov 2025 10:48:40 GMT

Noted. Thank you for the suggestion and this make more logical.

Re: RLS in Genie Space

CharlotteMarti2 — Thu, 13 Nov 2025 05:52:55 GMT

You can implement RLS in Genie without adding users to Databricks by passing a user identifier with each API call and having your queries filter rows based on that ID. Typically, you’d set up parameterized queries or session variables that enforce row restrictions per user role. Check if Genie’s API supports context or metadata fields for each conversation—these can carry the user ID and drive the RLS logic.

Re: RLS in Genie Space

GunaR — Thu, 13 Nov 2025 08:20:21 GMT

Thank you for the response @CharlotteMarti2 .

I am on the same lines, Unfortunately I don't see an option in the Genie API to set the context/metadata fields. https://docs.databricks.com/api/workspace/genie/startconversation

Re: RLS in Genie Space

Prathusha_ — Tue, 14 Apr 2026 13:01:12 GMT

Hi Guna, I have been trying to implement the same in my environment. Do you have any luck?