Administration & Architecture

Grant permissions to groups on catalogs linked to the same metastore

jmsimonramos1
New Contributor
Hi everyone!
I am configuring several projects using Databricks, and I have a question regarding permission management in Unity Catalog. Here's the situation:
 
Currently, I have two different Databricks resources in an Azure account, each with its respective workspace:
  • Azure_Databricks_1 > my_workspace_1
  • Azure_Databricks_2 > my_workspace_2
Additionally, I have configured and added a metastore called "my_metastore" to both workspaces, so that both can use the same Unity Catalog metastore.
 
Furthermore, each of the two workspaces has different users, meaning there are users common to both workspaces, and users who are not. To manage access more easily, I have created workspace-level groups, specifically a group called “data_access.”
 
In addition to that, each workspace has a catalog linked to the "my_metastore," and within those catalogs, the bronze, silver, and gold schemas are defined, so the structure looks something like this:
 
  • Azure_Databricks_1
    • my_workspace_1 > “data_access” group
    • my_catalog_1 > linked to “my_metastore” with the following schemas inside:
      • bronze
      • silver
      • gold
  • Azure_Databricks_2
    • my_workspace_2 > “data_access” group
    • my_catalog_2 > linked to “my_metastore” with the following schemas inside:
      • bronze
      • silver
      • gold
 
My question is: Is there any way to give users in the “data_access” group of workspace_1 permissions to create tables, volumes, etc., ONLY in the schemas associated with the “my_catalog_1” catalog?
 
The idea is that I, as an account-level administrator, create this catalog and schema structure in each workspace, as mentioned above, and then provide users in the “data_access” group (who can be different in each workspace) permissions to create tables and other objects but ONLY within that specific catalog, rather than in all catalogs defined within my Unity Catalog.
 
Important: Users in the “data_access” group for “my_catalog_1” should not have any access to the schemas and tables in the “my_catalog_2” catalog. That’s why I’m trying to figure out how to restrict data access at the catalog level.
 
Any ideas on how I can do this?  
 
P.S.: I have account admin and workspace admin permissions for all workspaces.
 
Thank you very much in advance.  
Best regards. 

CharlesWoo
New Contributor II

You could bind the catalog to specific workspaces, making them accessible only from workspaces they are bound to.
https://docs.databricks.com/en/catalogs/binding.html

In your example:
if `my_catalog_2` is bound to `my_workspace_2` a user in `my_workspace_1` will not be able to access or modify objects in `my_catalog_2` even if they have permissions to do so in Unity Catalog.
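The catalog-scoped grants that go with the binding above, as an added example (not from the original post or the Databricks docs). It assumes the group has been created at the account level as `data_access_1` for workspace 1 (Unity Catalog grants are made to account-level principals, and a second account-level group would be created for workspace 2's members), and that the catalogs and schemas already exist.

```sql
-- Added example, not part of the original thread. Assumed names:
-- `data_access_1` is an account-level group holding workspace 1's members.
-- Run from my_workspace_1 as a metastore/account admin.

-- 1. The group may see and enter my_catalog_1 only.
--    Nothing is granted on my_catalog_2, so it stays invisible to them.
GRANT USE CATALOG ON CATALOG my_catalog_1 TO `data_access_1`;

-- 2. Object creation is granted per schema rather than on the catalog,
--    so future schemas in my_catalog_1 do not inherit it by default.
GRANT USE SCHEMA, CREATE TABLE, CREATE VOLUME, CREATE FUNCTION
  ON SCHEMA my_catalog_1.bronze TO `data_access_1`;
GRANT USE SCHEMA, CREATE TABLE, CREATE VOLUME, CREATE FUNCTION
  ON SCHEMA my_catalog_1.silver TO `data_access_1`;
GRANT USE SCHEMA, CREATE TABLE, CREATE VOLUME, CREATE FUNCTION
  ON SCHEMA my_catalog_1.gold TO `data_access_1`;

-- 3. Verify the scope: the first query lists USE CATALOG, the second
--    should return no rows for this group.
SHOW GRANTS `data_access_1` ON CATALOG my_catalog_1;
SHOW GRANTS `data_access_1` ON CATALOG my_catalog_2;
```

The workspace binding from the linked docs is a separate step (Catalog Explorer or the API): the grants decide which objects the group may touch, the binding decides from which workspace the catalog is reachable at all.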
