topic Re: Grant permissions to groups on catalogs linked to the same metastore in Administration & Architecture

Grant permissions to groups on catalogs linked to the same metastore

jmsimonramos1 — Sat, 21 Sep 2024 07:54:19 GMT

Hi everyone!

I am configuring several projects using Databricks, and I have a question regarding permission management in Unity Catalog. Here's the situation:

Currently, I have two different Databricks resources in an Azure account, each with its respective workspace:

Azure_Databricks_1 > my_workspace_1
Azure_Databricks_2 > my_workspace_2

Additionally, I have configured and added a metastore called "my_metastore" to both workspaces, so that both can use the same Unity Catalog metastore.

Furthermore, each of the two workspaces has different users, meaning there are users common to both workspaces, and users who are not. To manage access more easily, I have created workspace-level groups, specifically a group called “data_access.”

In addition to that, each workspace has a catalog linked to the "my_metastore," and within those catalogs, the bronze, silver, and gold schemas are defined, so the structure looks something like this:

Azure_Databricks_1

my_workspace_1 > “data_access” group

my_catalog_1 > linked to “my_metastore” with the following schemas inside:

bronze

silver

gold

Azure_Databricks_2

my_workspace_2 > “data_access” group

my_catalog_2 > linked to “my_metastore” with the following schemas inside:

bronze

silver

gold

My question is: Is there any way to give users in the “data_access” group of workspace_1 permissions to create tables, volumes, etc., ONLY in the schemas associated with the “my_catalog_1” catalog?

The idea is that I, as an account-level administrator, create this catalog and schema structure in each workspace, as mentioned above, and then provide users in the “data_access” group (who can be different in each workspace) permissions to create tables and other objects but ONLY within that specific catalog, rather than in all catalogs defined within my Unity Catalog.

Important: Users in the “data_access” group for “my_catalog_1” should not have any access to the schemas and tables in the “my_catalog_2” catalog. That’s why I’m trying to figure out how to restrict data access at the catalog level.

Any ideas on how I can do this?

P.S.: I have account admin and workspace admin permissions for all workspaces.

Thank you very much in advance.

Best regards.

Re: Grant permissions to groups on catalogs linked to the same metastore

CharlesWoo — Sat, 21 Sep 2024 09:00:44 GMT

You could bind the catalog to specific workspaces, making them accessbile only from workspaces they are bound to.
https://docs.databricks.com/en/catalogs/binding.html

In your example:
if `my_catalog_2` is bound to `my_workspace_2` a user in `my_workspace_1` will not be able to access or modify objects in `my_catalog_2` even if they have permissions to do so in Unity Catalog.

Re: Grant permissions to groups on catalogs linked to the same metastore

jmsimonramos1 — Sun, 22 Sep 2024 07:13:52 GMT

Hello, thanks for your response.

Indeed, I had already considered that part. My problem is that I cannot grant privileges to `my_catalog_2` (which is associated with `my_workspace_2`) to a group at the workspace level.

In other words, I want all users in the "data_engineers" group of `my_workspace_2` to have `ALL_PRIVILEGES` on all schemas of `my_catalogo_2`.

Re: Grant permissions to groups on catalogs linked to the same metastore

filipniziol — Sun, 22 Sep 2024 08:02:22 GMT

Hi @jmsimonramos1,

You create data_users_1 group.
You grant data_users_1 the needed privileges to my_catalog_1:

GRANT ALL PRIVILEGES ON CATALOG my_catalog_1 to `data_access_1`;

You create data_users_2 group.
You grant data_users_2 the needed privileges to my_catalog_2:

GRANT ALL PRIVILEGES ON CATALOG my_catalog_2 to `data_access_2`;

data_users_1 has now all privileges on my_catalog_1, whereas data_users_2 has now all privileges on my_catalog_2
There is no need to limit catalog visibility on the workspace level if there is no requirement to do so.
Check the docs on unity catalog privilege management