topic Re: Databricks ABAC : Can single column have two policies? in Data Governance

Databricks ABAC : Can single column have two policies?

anhbn — Tue, 28 Oct 2025 07:27:41 GMT

Columns tagged sensitive_level = pii → masked for everyone.
But if column is classification = email → allow users in group "see_email_group" to see it.

Similar to tag:value classification = phone, email, tax_code,...

Column Tag Description

email	sensitive_level = 'pii', classification = 'email'	Personally identifiable
phone	sensitive_level = 'pii', classification = 'phone'	Personally identifiable
tax_code	sensitive_level = 'pii', classification = 'tax'	Highly confidential

Give me advice to create polices to solve the following problems:

By default: all users see masked data.
Only users in approved groups (e.g. da_email, da_phone, da_tax) can see unmasked data for that column.

AbhaySingh — Wed, 29 Oct 2025 23:59:04 GMT

Something like following should work for your scenario.

CREATE FUNCTION mask_email_tiered(value STRING) RETURN STRING

RETURN CASE

WHEN IS_MEMBER('admin') THEN value -- Full access

WHEN IS_MEMBER('da_email') THEN value -- Full access

WHEN IS_MEMBER('analyst') THEN CONCAT('***@', SPLIT(value, '@')[1]) -- Domain only

ELSE 'xxx@xxx.com' -- Masked

END;

anhbn — Thu, 30 Oct 2025 04:02:27 GMT

As following UDFs for ABAC policies best practices , I see Databricks not recommend for use calling is_member() directly inside a UDF

anhbn — Thu, 30 Oct 2025 04:03:28 GMT

As following UDFs for ABAC policies best practices , I see Databricks not recommend for use calling is_member() directly inside a UDF

AbhaySingh — Thu, 30 Oct 2025 10:10:38 GMT

Yes, there is definitely a performance hit.

I will check with internal teams to figure out an optimal solution.

Thanks for the link to the doc!

anhbn — Thu, 30 Oct 2025 10:18:50 GMT

Thanks AbhaySingh, Looking forward to hearing from you soon

AbhaySingh — Fri, 31 Oct 2025 12:10:31 GMT

Hi Anhbn,

The solution I proposed is certainly not optimal but a viable stopgap/interim solution assuming it meets your performance needs at the moment.

Team is working on some improvement which we will get to know about when ABAC goes to public preview soon.

Thanks,