topic Re: Unity Catalog - How to read prod data in dev with appropriate read-only access? in Data Engineering

Unity Catalog - How to read prod data in dev with appropriate read-only access?

ChristianRRL — Thu, 07 May 2026 13:26:54 GMT

Hi there,

Our team is currently migrating to using Unity Catalog. We have two databricks workspaces for dev & prod, and one thing that I'm wondering is if there is a simple/appropriate way to have only two catalogs dev & prod, where the prod databricks workspace has read-write access to the prod catalog, and in the dev workspace we have read-write access to the dev catalog AND read-only access to the prod catalog.

One approach that our team is considering is having 3 catalogs: dev, prod, and prod_readonly, where the prod_readonly would be available in the dev environment. But I'm wondering, can we accomplish this same functionality with only having two catalogs and ensuring the prod catalog cannot be edited if in the dev workspace.

Re: Unity Catalog - How to read prod data in dev with appropriate read-only access?

szymon_dybczak — Thu, 07 May 2026 15:11:40 GMT

Hi @ChristianRRL ,

Yes, you can absolutely do this with just two catalogs. The prod_readonly catalog idea is unnecessary in this case. Unity Catalog has a first-class feature called workspace-catalog binding that handles this exact scenario.

By default, all catalogs in Unity Catalog are accessible from any workspace attached to the same metastore. Workspace-catalog binding lets you override this default to restrict a catalog to one or more specific workspaces, and when binding a catalog to a workspace, you can optionally restrict that workspace to read-only access - all write operations from that workspace to the catalog are blocked.

Critically, these bindings override user-level permissions. If a user has privileges on an object but tries to access it from an unbound workspace, access is denied. This means you don't need to fiddle with fine-grained GRANTs to achieve the isolation - the binding itself enforces it at the platform level.

You can read more at below link:

Workspace-catalog binding | Databricks on AWS

Re: Unity Catalog - How to read prod data in dev with appropriate read-only access?

nayan_wylde — Thu, 07 May 2026 15:23:57 GMT

Yes — you can accomplish exactly what you described with only two catalogs (dev + prod). You do not need a third prod_readonly catalog.
There are two complementary control planes in Unity Catalog:

Workspace-level restriction (workspace-catalog binding) = controls where a catalog can be accessed from, and can enforce read-only from a specific workspace.
UC privileges (GRANT/REVOKE) = controls who can read/write/manage objects within the catalog.

The cleanest pattern for Dev RW + Prod RO is:

Bind prod catalog to both workspaces, but mark the Dev workspace binding as read-only.
Grant read-only privileges to dev principals on prod catalog/schemas/tables.
Keep prod workspace binding as read-write and grant write privileges only to prod principals / service principals.