https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/140630#M51494 <P>One way to get version control might be to use the Terraform resource&nbsp;<A href="https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/entity_tag_assignment" target="_blank">entity_tag_assignment</A>. I am not sure if it supports governed_tags, but I'll experiment in the coming weeks.</P><P>This separates the version control on where the tags are defined and where the Declarative Pipeline code, but at least it is version control and you don't have to write and maintain something yourself.</P> Sat, 29 Nov 2025 06:52:45 GMT excavator-matt 2025-11-29T06:52:45Z https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/140544#M51459 <P>Hi!</P><P>We're using Spark Lakeflow Declarative Pipelines for ingesting data from various data sources. However, in order to achieve compliance with GDPR, we are planning to start using <A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/abac/policies" target="_self">ABAC tagging</A>.</P><P>However, I don't understand how we are supposed to use this implement this on streaming tables with version control. <A href="https://docs.databricks.com/aws/en/ldp/developer/ldp-python-ref-streaming-table" target="_self">The documentation</A> is doesn't mention it.</P><P>I think you can tag the tables manually, but that might risk getting lost as tables are recreated. I also consider simply not allowing free access in bronze and apply tagging in version controlled models, but that seems harsh.</P><P>Have I missed something or is the support lacking here?</P> Thu, 27 Nov 2025 18:44:56 GMT https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/140544#M51459 excavator-matt 2025-11-27T18:44:56Z https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/140556#M51462 <P><a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/179384">@excavator-matt</a>&nbsp;</P><P><SPAN>“Can we tag streaming tables with ABAC and expect it to be safe across versions?”</SPAN></P><UL><LI><SPAN>Yes, streaming tables are fully subject to UC ABAC, but if the table is physically recreated, table‑level tags can be lost</SPAN></LI></UL><P><SPAN>“Is there first‑class support in Lakeflow for this?”</SPAN></P><UL><LI><SPAN>Right now, the docs do not show any integration layer that manages governed tags&nbsp;<A href="https://docs.databricks.com/aws/en/ldp/developer/ldp-sql-ref-create-streaming-table" target="_blank">https://docs.databricks.com/aws/en/ldp/developer/ldp-sql-ref-create-streaming-table</A></SPAN></LI></UL><P><SPAN>“What is a sane pattern?”</SPAN></P><UL><LI><SPAN>Use Unity Catalog everywhere for Lakeflow</SPAN></LI><LI><SPAN>Put GDPR‑relevant tags and ABAC policies at catalog leve</SPAN></LI><LI><SPAN>, manage table/column tags via IaC or deployment jobs that re‑apply tags after pipeline changes,</SPAN></LI></UL><P>ABAC policies work on Unity Catalog tables<BR />But Lakeflow Declarative Pipelines do not version governed tags for you, so you must manage tags and policies at the UC layer</P><P>Solution thinking:</P><OL><LI><SPAN>For GDPR‑style constraints&nbsp; attach governed tags at catalog level&nbsp;</SPAN></LI><LI><SPAN>ABAC policies can key off both governed tags and other attributes like table name</SPAN></LI><LI><SPAN>For streaming models that are versioned (for example, customer_latest_v1, customer_latest_v2), you can keep them in a “sensitive” schema (tagged as PII) and have policies that apply uniformly,</SPAN></LI><LI><SPAN>Automate tags as part of CI/CD for Lakeflow</SPAN></LI></OL><P><SPAN>If you share a bit about how you currently version streaming tables (e.g., drop/recreate vs ALTER vs new names), a more pipeline‑specific tagging workflow can be solutioned</SPAN></P> Thu, 27 Nov 2025 20:49:39 GMT https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/140556#M51462 ManojkMohan 2025-11-27T20:49:39Z https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/140630#M51494 <P>One way to get version control might be to use the Terraform resource&nbsp;<A href="https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/entity_tag_assignment" target="_blank">entity_tag_assignment</A>. I am not sure if it supports governed_tags, but I'll experiment in the coming weeks.</P><P>This separates the version control on where the tags are defined and where the Declarative Pipeline code, but at least it is version control and you don't have to write and maintain something yourself.</P> Sat, 29 Nov 2025 06:52:45 GMT https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/140630#M51494 excavator-matt 2025-11-29T06:52:45Z https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/141369#M51708 <P>Correction. Trying this will result in <A href="https://docs.databricks.com/aws/en/error-messages/error-classes#abac_policies_not_supported" target="_self">this error</A><BR /><SPAN>&gt; ABAC policies are not supported on tables defined within a pipeline. Remove the policies or contact Databricks support.</SPAN></P><P><SPAN>So it isn't supported <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></SPAN></P> Mon, 08 Dec 2025 07:40:09 GMT https://community.databricks.com/t5/data-engineering/abac-tag-support-for-for-streaming-tables-spark-lakeflow/m-p/141369#M51708 excavator-matt 2025-12-08T07:40:09Z