topic Re: Data Explorer minimum permissions in Data Engineering

Data Explorer minimum permissions

dvmentalmadess — Fri, 31 Mar 2023 13:32:36 GMT

What are the minimum permissions are required to search and view objects in Data Explorer? For example, does a user have to have `USE [SCHEMA|CATALOG]` to search or browse in the Data Explorer? Or can anyone with workspace access browse objects and, for example, view a table definition and properties? If it’s the latter, then I assume they can view all the information about a table except sample data unless they had `USE` and `SELECT` permissions?

Normally it would be simple to verify with a test user, but I'm not sure how since I'm using SSO and am an admin.

Re: Data Explorer minimum permissions

karthik_p — Fri, 31 Mar 2023 19:38:50 GMT

@Mark Miller if you are enabled with unity catalog, catalog level select permissions should be fine to view/search

Re: Data Explorer minimum permissions

LandanG — Fri, 31 Mar 2023 19:49:20 GMT

Hi @Mark Miller ,

Right now, users need to have the SELECT + USE permission on the tables and can see the data too, or they do not have the SELECT permission and they do not see the tables at all. You need SELECT to "see" an object, just USE on CATALOG and SCHEMA should not let them see any objects.

This will be addressed in an upcoming feature in the next couple of months. Hopefully that was able to answer your question. Thanks!

Re: Data Explorer minimum permissions

Anonymous — Sat, 01 Apr 2023 02:17:35 GMT

Hi @Mark Miller

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you.

Cheers!

Re: Data Explorer minimum permissions

dvmentalmadess — Mon, 03 Apr 2023 20:34:16 GMT

Thank you for the reply. Requiring SELECT is unfortunate - it requires users to know a dataset exists and that it's the right dataset through either tribal knowledge or maintaining an external search/browse mechanism. What I want is for users to be able to search for datasets, view the metadata (e.g., description, quality, source, usage), and then submit a ticket to request access. There doesn't seem to be a middle ground ATM. I could understand requiring USE permission to be able to see a dataset in search results. That said, I feel like I'm missing why I'd have to explicitly grant USE - the docs state that requiring USE is a security feature because it must be combined w/ SELECT before access is granted. However, if I have to grant USE to everyone anyway then why bother? In that case, just remove the complexity of managing USE grants and just require SELECT.

I understand this is still only a 1 year-old solution and I'm excited about using it. I just wanted to take the opportunity to provide feedback.

Re: Data Explorer minimum permissions

LandanG — Mon, 03 Apr 2023 20:49:05 GMT

@Mark Miller it definitely can be confusing and I appreciate the feedback. The mandatory pairing of USE + SELECT to interact with objects is something that will be addressed in an upcoming feature release, hopefully providing the middle ground that you mentioned.

Re: Data Explorer minimum permissions

bearded_data — Wed, 27 Dec 2023 18:07:32 GMT

Hi all - @LandanG I wanted to bump this thread to see if there was any traction on giving us the ability to expose the table metadata to users (using USE <object> permission) while not allowing the users to SELECT from the tables themselves? I think this would go a long way in "democratizing" the centralized data asset that UC is striving to become while still maintaining least privilege.

For context I scoured the release notes, since this post and did not find anything that seemed to fit this bill.

Any update you can provide would be helpful. Thanks!

Re: Data Explorer minimum permissions

Rom — Wed, 27 Dec 2023 18:35:01 GMT

"What I want is for users to be able to search for datasets, view the metadata (e.g., description, quality, source, usage), and then submit a ticket to request access."

If what you want, you need to create a table to capture the metadata of tables in catalog and grant access use/select on this table for users. Then the users can do a search on this table and create a ticket to ask access the tables which they want.

Re: Data Explorer minimum permissions

bearded_data — Wed, 27 Dec 2023 19:15:33 GMT

hey @Rom - while this is a bit of a workaround to get to the intended end goal, it would be nice to see this functionality built into the catalog. From the responses in this thread it seems like this feature is coming. Was curious if anyone from Databricks had any insight or direction on this.

Re: Data Explorer minimum permissions

Wojciech_BUK — Thu, 28 Dec 2023 09:21:38 GMT

This is not solution but a bit of workaround I have usesd:
- expose data from Infomration_schema that basically has most of info that you see on UI

Either table or Dashbaords that contains list of tables in my Lakehouse with most insteresting information.

Re: Data Explorer minimum permissions

bearded_data — Fri, 21 Jun 2024 22:19:21 GMT

Circling back to this. With one of the recent releases you can now GRANT BROWSE at the catalog level! Hopefully they will be rolling this feature out at every object level (schemas and tables specifically).