
Data Explorer minimum permissions

dvmentalmadess
Contributor III

What are the minimum permissions required to search and view objects in Data Explorer? For example, does a user have to have `USE [SCHEMA|CATALOG]` to search or browse in the Data Explorer? Or can anyone with workspace access browse objects and, for example, view a table definition and properties? If it’s the latter, then I assume they can view all the information about a table except sample data unless they had `USE` and `SELECT` permissions?

Normally it would be simple to verify with a test user, but I'm not sure how since I'm using SSO and am an admin.

1 ACCEPTED SOLUTION


LandanG
Honored Contributor

Hi @Mark Miller,

Right now, users need to have the SELECT + USE permission on the tables and can see the data too, or they do not have the SELECT permission and they do not see the tables at all. You need SELECT to "see" an object, just USE on CATALOG and SCHEMA should not let them see any objects. 

This will be addressed in an upcoming feature in the next couple of months. Hopefully that was able to answer your question. Thanks!


9 REPLIES 9

karthik_p
Esteemed Contributor

@Mark Miller if you have Unity Catalog enabled, catalog-level SELECT permissions should be fine to view/search

Thank you for the reply. Requiring SELECT is unfortunate - it requires users to know a dataset exists and that it's the right dataset through either tribal knowledge or maintaining an external search/browse mechanism. What I want is for users to be able to search for datasets, view the metadata (e.g., description, quality, source, usage), and then submit a ticket to request access. There doesn't seem to be a middle ground ATM. I could understand requiring USE permission to be able to see a dataset in search results. That said, I feel like I'm missing why I'd have to explicitly grant USE - the docs state that requiring USE is a security feature because it must be combined w/ SELECT before access is granted. However, if I have to grant USE to everyone anyway then why bother? In that case, just remove the complexity of managing USE grants and just require SELECT.

I understand this is still only a 1 year-old solution and I'm excited about using it. I just wanted to take the opportunity to provide feedback.

@Mark Miller​ it definitely can be confusing and I appreciate the feedback. The mandatory pairing of USE + SELECT to interact with objects is something that will be addressed in an upcoming feature release, hopefully providing the middle ground that you mentioned.

Rom
New Contributor III

"What I want is for users to be able to search for datasets, view the metadata (e.g., description, quality, source, usage), and then submit a ticket to request access."

If that is what you want, you need to create a table to capture the metadata of the tables in the catalog and grant USE/SELECT access on this table to users. Then the users can search this table and create a ticket to ask for access to the tables they want.

bearded_data
New Contributor II

hey @Rom - while this is a bit of a workaround to get to the intended end goal, it would be nice to see this functionality built into the catalog.  From the responses in this thread it seems like this feature is coming. Was curious if anyone from Databricks had any insight or direction on this. 

Anonymous
Not applicable

Hi @Mark Miller​ 

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!

bearded_data
New Contributor II

Hi all -  @LandanG I wanted to bump this thread to see if there was any traction on giving us the ability to expose the table metadata to users (using USE <object> permission) while not allowing the users to SELECT from the tables themselves?  I think this would go a long way in "democratizing" the centralized data asset that UC is striving to become while still maintaining least privilege. 

For context, I scoured the release notes since this post and did not find anything that seemed to fit this bill.

Any update you can provide would be helpful. Thanks!

This is not a solution but a bit of a workaround I have used:
- expose data from information_schema, which basically has most of the info that you see in the UI

Either a table or dashboards that contain a list of the tables in my Lakehouse with the most interesting information.
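The two workarounds described in this thread (a dedicated metadata table that users are granted USE/SELECT on, populated from information_schema) can be combined as in the following added example, which is not part of any post in the thread. The catalog `governance`, schema `discovery`, group `data-consumers` and excluded catalog `restricted` are hypothetical names; it assumes Unity Catalog and is run by a principal that can already see the metadata to be listed.

```sql
-- Assumed (hypothetical) names: catalog `governance`, schema `discovery`,
-- group `data-consumers`, excluded catalog `restricted`.

CREATE SCHEMA IF NOT EXISTS governance.discovery
  COMMENT 'Metadata-only inventory for dataset discovery';

-- Snapshot of table metadata only; no rows from the listed tables are copied.
-- Contains whatever the principal running this statement is able to see.
CREATE OR REPLACE TABLE governance.discovery.table_inventory AS
SELECT
  table_catalog,
  table_schema,
  table_name,
  table_type,
  table_owner,
  comment,
  created,
  last_altered
FROM system.information_schema.tables
WHERE table_schema <> 'information_schema'
  -- Keep catalogs whose names or comments are themselves sensitive out of the inventory.
  AND table_catalog NOT IN ('system', 'restricted');

-- Least privilege: the group gets access to the inventory only,
-- not USE or SELECT on any of the catalogs it describes.
GRANT USE CATALOG ON CATALOG governance TO `data-consumers`;
GRANT USE SCHEMA ON SCHEMA governance.discovery TO `data-consumers`;
GRANT SELECT ON TABLE governance.discovery.table_inventory TO `data-consumers`;

-- What a group member can then run to find a dataset before requesting access.
SELECT table_catalog, table_schema, table_name, table_owner, comment
FROM governance.discovery.table_inventory
WHERE lower(table_name) LIKE '%customer%'
   OR lower(comment) LIKE '%customer%';
```

The inventory is a point-in-time copy, so it needs a scheduled refresh to pick up new, renamed or dropped tables. Anyone with SELECT on it sees every listed table name, owner and comment, so review what those fields disclose before granting it broadly.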
