topic Re: Folder execute permissions in Data Engineering

Folder execute permissions

adrianhernandez — Thu, 02 Oct 2025 19:21:53 GMT

Hello,

After reading multiple posts, going thru online forums, even asking AI I still don't have an answer for my questions. On the latest Databricks with unity catalog, what happens if I give users Execute permissions on a folder.

Can they view the contents of the folder (E.g. notebooks list)?
If they click on a notebook can they view the code? I remember working with PVC (pre Unity catalog) Databricks on AWS, permissions seemed to be different as you could specify Read + Execute and users could view the code and execute it.

What I'm trying to accomplish (if possible) is to allow users to run notebooks on a given folder but not view the code.

Re: Folder execute permissions

szymon_dybczak — Thu, 02 Oct 2025 20:10:08 GMT

Hi @adrianhernandez ,

You're confusing UC catalog permissions with workspace ACL permissions. In UC you have following securable objects on which privileges can be granted:

In Azure Databricks, you can use access control lists (ACLs) to configure permission to access workspace level objects like folders, files, notebooks, computes etc.

You can manage workspace object permissions by adding objects to folders.Objects in a folder inherit all permissions settings of that folder.
For example, a user that has the CAN RUN permission on a folder has CAN RUN permission on the alerts in that folder. If you grant a user access to an object inside the folder, they can view the parent folder's name, even if they do not have permissions on the parent folder.
For instance, a notebook named test1.py is in a folder named Workflows. If you grant a user CAN VIEW on test1.py and no permissions on Workflows, the user can see that the parent folder is named Workflows. The user cannot view or access any other objects in the Workflows folder unless they have been granted permissions on them.

Below you can find all permission that you can set on Folders:

https://learn.microsoft.com/en-us/azure/databricks/security/auth/access-control/#folder-acls

And here'e a list of ACL you can set on notebooks:

https://learn.microsoft.com/en-us/azure/databricks/security/auth/access-control/#notebook

So to sum it up. In my opinion you can't accomplish what you want. Because ACL required to run notebook - CAN RUN permission - already contains also CAN VIEW permission.

Re: Folder execute permissions

adrianhernandez — Thu, 02 Oct 2025 20:34:35 GMT

Thanks for your response. That's what I imagined although could not confirm as my current project uses Unity Catalog and we are not allowed to run many commands including ACL related PySpark code.