https://community.databricks.com/t5/administration-architecture/unity-catalog-lakehouse-federation-permission-to-read-data-from/m-p/56353#M720 <P>Hi Kaniz,</P><P>Sorry but this is not what i am looking for.<BR />This is Azure SQL server and I <STRONG>can</STRONG> connect and read data from it when I have ACL on both Unity Catalog objects:&nbsp;</P><UL><LI>Foreign Catalog (select)<BR />and</LI><LI>Connection (Owner)</LI></UL><P>In my post i mentioned that users can't query SQL Server using Foreign Catalog when they are granted only Select and Use permission on it.<BR />Error states that the end user need also OWNER on CONNECTION that was created in Unity Catalog and if i grant it - they can read the data.</P><P>But in my option this is highly insecure.</P><P>Imagine if you have Table in Unity Catalog and you have to grant both "SELECT" on table for and user as well as ONWER on External Location and Creadentials -&gt; then entire ACL won;t make any sense.</P> Wed, 03 Jan 2024 13:25:25 GMT Wojciech_BUK 2024-01-03T13:25:25Z https://community.databricks.com/t5/administration-architecture/unity-catalog-lakehouse-federation-permission-to-read-data-from/m-p/56276#M715 <P>I have seup&nbsp;<STRONG>connection "SQL-SV-conn"&nbsp;</STRONG>to SQL Server and based on that connection I have created&nbsp;<STRONG>foreign catalog "FC-SQL-SV".<BR /><BR /></STRONG>I have granted All permission on CATALOG to developers:</P><UL><LI>Use Catalog</LI><LI>Use Schema</LI><LI>Select</LI></UL><P>But they can not query table (e.g. by running&nbsp;<SPAN>SELECT</SPAN> <SPAN>*</SPAN> <SPAN>FROM&nbsp;FC-SQL-SV.my_schema.my_table statement )&nbsp;</SPAN><SPAN>and they got this error:</SPAN></P><DIV class=""><DIV class=""><DIV class=""><STRONG>PERMISSION_DENIED: User is not an owner of Connection '<EM>SQL-SV-conn</EM>'.</STRONG></DIV><DIV class="">&nbsp;</DIV><DIV class="">Is this a bug ?<BR />Why users need <STRONG>Ownership</STRONG> over CONNCETION, this is not secure at all as I don't want End User to manage my connection.</DIV></DIV></DIV> Tue, 02 Jan 2024 14:54:23 GMT https://community.databricks.com/t5/administration-architecture/unity-catalog-lakehouse-federation-permission-to-read-data-from/m-p/56276#M715 Wojciech_BUK 2024-01-02T14:54:23Z https://community.databricks.com/t5/administration-architecture/unity-catalog-lakehouse-federation-permission-to-read-data-from/m-p/56353#M720 <P>Hi Kaniz,</P><P>Sorry but this is not what i am looking for.<BR />This is Azure SQL server and I <STRONG>can</STRONG> connect and read data from it when I have ACL on both Unity Catalog objects:&nbsp;</P><UL><LI>Foreign Catalog (select)<BR />and</LI><LI>Connection (Owner)</LI></UL><P>In my post i mentioned that users can't query SQL Server using Foreign Catalog when they are granted only Select and Use permission on it.<BR />Error states that the end user need also OWNER on CONNECTION that was created in Unity Catalog and if i grant it - they can read the data.</P><P>But in my option this is highly insecure.</P><P>Imagine if you have Table in Unity Catalog and you have to grant both "SELECT" on table for and user as well as ONWER on External Location and Creadentials -&gt; then entire ACL won;t make any sense.</P> Wed, 03 Jan 2024 13:25:25 GMT https://community.databricks.com/t5/administration-architecture/unity-catalog-lakehouse-federation-permission-to-read-data-from/m-p/56353#M720 Wojciech_BUK 2024-01-03T13:25:25Z https://community.databricks.com/t5/administration-architecture/unity-catalog-lakehouse-federation-permission-to-read-data-from/m-p/56412#M724 <P>OK, I have found out the answer in below docummentation:</P><P><A href="https://learn.microsoft.com/en-us/azure/databricks/query-federation/#limitations" target="_blank">https://learn.microsoft.com/en-us/azure/databricks/query-federation/#limitations</A></P><UL><LI><P>Single-user access mode is only available <STRONG>for users that own the connection</STRONG>.</P></LI></UL><P>So when I use e.g. Job Cluster that runs in single access mode, then princiapal running the job must be Owner of Connection, thats is sad <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 04 Jan 2024 08:42:08 GMT https://community.databricks.com/t5/administration-architecture/unity-catalog-lakehouse-federation-permission-to-read-data-from/m-p/56412#M724 Wojciech_BUK 2024-01-04T08:42:08Z