https://community.databricks.com/t5/data-governance/some-thinkings-around-data-security/m-p/137240#M2659 <P>Hey&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/118423">@F_Goudarzi</a>&nbsp;, here are some things to think about:</P> <H3 class="_7uu25p0 qt3gz9c _7pq7t612 heading3 _7uu25p1">Is this a security issue?</H3> <UL class="qt3gz97 qt3gz92"> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph">This is expected behavior: <STRONG>workspace admins</STRONG> have broad authority over workspace assets (including viewing notebook content).</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Row filters</STRONG> and <STRONG>column masks</STRONG> apply at query time to base data. They don’t retroactively redact values already saved in a notebook cell output or other derived artifacts.</P> </LI> </UL> <H3 class="_7uu25p0 qt3gz9c _7pq7t612 heading3 _7uu25p1">Recommended controls and mitigations</H3> <UL class="qt3gz97 qt3gz92"> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Minimize and centralize workspace admins.</STRONG> Limit the role to trusted platform/IT operators.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Use workspace bindings</STRONG> to restrict which workspaces can access sensitive catalogs and locations.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Prefer ABAC, row filters, and column masks</STRONG> for data-level enforcement. Keep fine-grained policies centralized and consistent.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Harden notebook hygiene</STRONG> for sensitive workloads:</P> <UL class="qt3gz98 qt3gz92"> <LI class="qt3gz9a">Avoid persisting raw sensitive values in notebook outputs.</LI> <LI class="qt3gz9a">Write results to governed tables and clear cell outputs when sharing.</LI> </UL> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Run jobs as service principals</STRONG> and store outputs in secured locations, not in notebook cells. Keep workspace admin membership constrained since they can reassign job ownership.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Enable and monitor audit logs</STRONG> to review access, ownership changes, and policy evaluations.</P> </LI> </UL> <H3 class="_7uu25p0 qt3gz9c _7pq7t612 heading3 _7uu25p1">Bottom line</H3> <P class="qt3gz91 paragraph">What you observed is consistent with the scope of the workspace admin role and with masking being enforced at data-access time over the source tables—not over previously saved notebook content.</P> <P class="qt3gz91 paragraph">Hope this helps, Louis.</P> Sat, 01 Nov 2025 12:40:28 GMT Louis_Frolio 2025-11-01T12:40:28Z https://community.databricks.com/t5/data-governance/some-thinkings-around-data-security/m-p/99243#M2264 <P>Hi there,</P><P>We are using Databricks and are in the early stages of adopting it. Recently, I noticed something in Databricks that caught my attention.</P><P>I implemented column-level security, which works such that if you are a member of a particular group, you can see unmasked data; otherwise, the data is masked.</P><P>However, I observed that as a workspace admin, you are able to view all users' notebooks. If a user whose notebook is being viewed by the admin has higher privileges and can see unmasked data, and the output of that data is stored in their notebook, then the admin can also view the unmasked data—even though they are not part of the group with the necessary privileges.</P><P>I'm wondering if this does not sound like a security issue?</P> Mon, 18 Nov 2024 19:16:51 GMT https://community.databricks.com/t5/data-governance/some-thinkings-around-data-security/m-p/99243#M2264 F_Goudarzi 2024-11-18T19:16:51Z https://community.databricks.com/t5/data-governance/some-thinkings-around-data-security/m-p/137240#M2659 <P>Hey&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/118423">@F_Goudarzi</a>&nbsp;, here are some things to think about:</P> <H3 class="_7uu25p0 qt3gz9c _7pq7t612 heading3 _7uu25p1">Is this a security issue?</H3> <UL class="qt3gz97 qt3gz92"> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph">This is expected behavior: <STRONG>workspace admins</STRONG> have broad authority over workspace assets (including viewing notebook content).</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Row filters</STRONG> and <STRONG>column masks</STRONG> apply at query time to base data. They don’t retroactively redact values already saved in a notebook cell output or other derived artifacts.</P> </LI> </UL> <H3 class="_7uu25p0 qt3gz9c _7pq7t612 heading3 _7uu25p1">Recommended controls and mitigations</H3> <UL class="qt3gz97 qt3gz92"> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Minimize and centralize workspace admins.</STRONG> Limit the role to trusted platform/IT operators.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Use workspace bindings</STRONG> to restrict which workspaces can access sensitive catalogs and locations.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Prefer ABAC, row filters, and column masks</STRONG> for data-level enforcement. Keep fine-grained policies centralized and consistent.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Harden notebook hygiene</STRONG> for sensitive workloads:</P> <UL class="qt3gz98 qt3gz92"> <LI class="qt3gz9a">Avoid persisting raw sensitive values in notebook outputs.</LI> <LI class="qt3gz9a">Write results to governed tables and clear cell outputs when sharing.</LI> </UL> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Run jobs as service principals</STRONG> and store outputs in secured locations, not in notebook cells. Keep workspace admin membership constrained since they can reassign job ownership.</P> </LI> <LI class="qt3gz9a"> <P class="qt3gz91 paragraph"><STRONG>Enable and monitor audit logs</STRONG> to review access, ownership changes, and policy evaluations.</P> </LI> </UL> <H3 class="_7uu25p0 qt3gz9c _7pq7t612 heading3 _7uu25p1">Bottom line</H3> <P class="qt3gz91 paragraph">What you observed is consistent with the scope of the workspace admin role and with masking being enforced at data-access time over the source tables—not over previously saved notebook content.</P> <P class="qt3gz91 paragraph">Hope this helps, Louis.</P> Sat, 01 Nov 2025 12:40:28 GMT https://community.databricks.com/t5/data-governance/some-thinkings-around-data-security/m-p/137240#M2659 Louis_Frolio 2025-11-01T12:40:28Z