https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96608#M39304 <P>There isn't a "no permission" ACL as far as I am aware - the lowest is "read" which means any user will still be able to read the secrets.</P> Tue, 29 Oct 2024 08:23:04 GMT jar 2024-10-29T08:23:04Z https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96601#M39302 <P>Hi.&nbsp;</P><P>I want to restrict access to secrets to a security group, as the secrets can be used to retrieve sensitive data only a few people should see. Up until now, we have been using KV-backed secret scopes, but as it's sufficient that Databricks has the (get, list) ACLs for any user to retrieve those secrets using dbutils.secrets.get(), that will not work in this case. How can we restrict access to these secrets?</P><P>Best,</P><P>Johan.</P> Tue, 29 Oct 2024 07:14:31 GMT https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96601#M39302 jar 2024-10-29T07:14:31Z https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96603#M39303 <P>Hi Johan,&nbsp;</P><P>this should work for restriction:&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="h_h_ak_0-1730187189796.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/12352iA45F9864DCC5FD88/image-size/medium?v=v2&amp;px=400" role="button" title="h_h_ak_0-1730187189796.png" alt="h_h_ak_0-1730187189796.png" /></span></P><P><A href="https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secrets" target="_blank">https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secrets</A>.</P><P>Fine granulat access based on secrets is currently not possible.</P><P>BR</P><P>&nbsp;</P> Tue, 29 Oct 2024 07:34:02 GMT https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96603#M39303 h_h_ak 2024-10-29T07:34:02Z https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96608#M39304 <P>There isn't a "no permission" ACL as far as I am aware - the lowest is "read" which means any user will still be able to read the secrets.</P> Tue, 29 Oct 2024 08:23:04 GMT https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96608#M39304 jar 2024-10-29T08:23:04Z https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96612#M39306 <P>You can define "READ" &amp; "MANAGE".</P><P>You can set a group e.g. secret_users_group to the secret-scope and assign READ, than only the secret_users_group and MANAGE user has access. All others who are not in the group or not have rights to manage.</P> Tue, 29 Oct 2024 08:42:27 GMT https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96612#M39306 h_h_ak 2024-10-29T08:42:27Z https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96738#M39331 <P>Brilliant, thank you! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 30 Oct 2024 03:14:51 GMT https://community.databricks.com/t5/data-engineering/restricting-access-to-secrets/m-p/96738#M39331 jar 2024-10-30T03:14:51Z