https://community.databricks.com/t5/data-engineering/what-is-the-recommended-approach-to-enforce-row-level-security/m-p/156916#M54492 <P><STRONG>Unity Catalog row filters apply at the SQL/query layer</STRONG>, so if Tableau or Power BI is querying a <STRONG>Databricks SQL warehouse</STRONG>, the filters are enforced there — you do <STRONG>not</STRONG> need a separate warehouse-level row-filter feature. Row filters and column masks are evaluated <STRONG>at query time</STRONG> and integrate with <STRONG>standard SQL</STRONG>.</P> <P>The key consideration is <STRONG>which identity the OAuth token represents</STRONG>:</P> <UL> <LI>If the BI connection uses <STRONG>user OAuth / U2M</STRONG>, the filters apply <STRONG>per user</STRONG>.</LI> <LI>If it uses <STRONG>service principal OAuth / M2M</STRONG>, enforcement still happens, but it is evaluated as the <STRONG>service principal</STRONG>, so all BI users effectively share that principal’s data scope unless you add per-user delegation upstream.</LI> </UL> <P>Summary: <STRONG>No extra warehouse-level enforcement is needed for UC row filters themselves; make sure you use the right auth model for the level of per-user isolation you want.</STRONG></P> Thu, 14 May 2026 15:08:38 GMT Lu_Wang_ENB_DBX 2026-05-14T15:08:38Z https://community.databricks.com/t5/data-engineering/what-is-the-recommended-approach-to-enforce-row-level-security/m-p/156904#M54488 <P><SPAN>We connect Tableau and Power BI to our Databricks SQL warehouse via OAuth tokens. Does Unity Catalog row filters apply at the SQL layer regardless of the BI tool, or do we need additional enforcement at the warehouse level?</SPAN></P> Thu, 14 May 2026 11:29:42 GMT https://community.databricks.com/t5/data-engineering/what-is-the-recommended-approach-to-enforce-row-level-security/m-p/156904#M54488 GaneshI 2026-05-14T11:29:42Z https://community.databricks.com/t5/data-engineering/what-is-the-recommended-approach-to-enforce-row-level-security/m-p/156916#M54492 <P><STRONG>Unity Catalog row filters apply at the SQL/query layer</STRONG>, so if Tableau or Power BI is querying a <STRONG>Databricks SQL warehouse</STRONG>, the filters are enforced there — you do <STRONG>not</STRONG> need a separate warehouse-level row-filter feature. Row filters and column masks are evaluated <STRONG>at query time</STRONG> and integrate with <STRONG>standard SQL</STRONG>.</P> <P>The key consideration is <STRONG>which identity the OAuth token represents</STRONG>:</P> <UL> <LI>If the BI connection uses <STRONG>user OAuth / U2M</STRONG>, the filters apply <STRONG>per user</STRONG>.</LI> <LI>If it uses <STRONG>service principal OAuth / M2M</STRONG>, enforcement still happens, but it is evaluated as the <STRONG>service principal</STRONG>, so all BI users effectively share that principal’s data scope unless you add per-user delegation upstream.</LI> </UL> <P>Summary: <STRONG>No extra warehouse-level enforcement is needed for UC row filters themselves; make sure you use the right auth model for the level of per-user isolation you want.</STRONG></P> Thu, 14 May 2026 15:08:38 GMT https://community.databricks.com/t5/data-engineering/what-is-the-recommended-approach-to-enforce-row-level-security/m-p/156916#M54492 Lu_Wang_ENB_DBX 2026-05-14T15:08:38Z