cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Grant permissions to groups on catalogs linked to the same metastore

jmsimonramos1
New Contributor II

โ€Ž09-21-2024 12:54 AM

Hi everyone!
I am configuring several projects using Databricks, and I have a question regarding permission management in Unity Catalog. Here's the situation:
 
Currently, I have two different Databricks resources in an Azure account, each with its respective workspace:
  • Azure_Databricks_1 > my_workspace_1
  • Azure_Databricks_2 > my_workspace_2
Additionally, I have configured and added a metastore called "my_metastore" to both workspaces, so that both can use the same Unity Catalog metastore.
 
Furthermore, each of the two workspaces has different users, meaning there are users common to both workspaces, and users who are not. To manage access more easily, I have created workspace-level groups, specifically a group called โ€œdata_access.โ€
 
In addition to that, each workspace has a catalog linked to the "my_metastore," and within those catalogs, the bronze, silver, and gold schemas are defined, so the structure looks something like this:
 
Azure_Databricks_1  
my_workspace_1 > โ€œdata_accessโ€ group  
my_catalog_1 > linked to โ€œmy_metastoreโ€ with the following schemas inside:  
bronze  
silver  
gold
 
Azure_Databricks_2  
my_workspace_2 > โ€œdata_accessโ€ group  
my_catalog_2 > linked to โ€œmy_metastoreโ€ with the following schemas inside:  
bronze  
silver  
gold 
 
My question is: Is there any way to give users in the โ€œdata_accessโ€ group of workspace_1 permissions to create tables, volumes, etc., ONLY in the schemas associated with the โ€œmy_catalog_1โ€ catalog?
 
The idea is that I, as an account-level administrator, create this catalog and schema structure in each workspace, as mentioned above, and then provide users in the โ€œdata_accessโ€ group (who can be different in each workspace) permissions to create tables and other objects but ONLY within that specific catalog, rather than in all catalogs defined within my Unity Catalog.
 
Important: Users in the โ€œdata_accessโ€ group for โ€œmy_catalog_1โ€ should not have any access to the schemas and tables in the โ€œmy_catalog_2โ€ catalog. Thatโ€™s why Iโ€™m trying to figure out how to restrict data access at the catalog level.
 
Any ideas on how I can do this?  
 
P.S.: I have account admin and workspace admin permissions for all workspaces.
 
Thank you very much in advance.  
Best regards. 
0 Kudos
3 REPLIES 3

CharlesWoo
New Contributor II

โ€Ž09-21-2024 02:00 AM

You could bind the catalog to specific workspaces, making them accessbile only from workspaces they are bound to.
https://docs.databricks.com/en/catalogs/binding.html

In your example:
if `my_catalog_2` is bound to `my_workspace_2` a user in `my_workspace_1` will not be able to access or modify objects in `my_catalog_2` even if they have permissions to do so in Unity Catalog.

0 Kudos

jmsimonramos1
New Contributor II
In response to CharlesWoo

โ€Ž09-22-2024 12:13 AM

Hello, thanks for your response.

Indeed, I had already considered that part. My problem is that I cannot grant privileges to `my_catalog_2` (which is associated with `my_workspace_2`) to a group at the workspace level.

In other words, I want all users in the "data_engineers" group of `my_workspace_2` to have `ALL_PRIVILEGES` on all schemas of `my_catalogo_2`.

0 Kudos

filipniziol
Esteemed Contributor
In response to jmsimonramos1

โ€Ž09-22-2024 01:02 AM

Hi @jmsimonramos1,

  • You create data_users_1 group.
  • You grant data_users_1 the needed privileges to my_catalog_1: 

 

GRANT ALL PRIVILEGES ON CATALOG my_catalog_1 to `data_access_1`;โ€‹

 

  • You create data_users_2 group.
  • You grant data_users_2 the needed privileges to my_catalog_2:

 

GRANT ALL PRIVILEGES ON CATALOG my_catalog_2 to `data_access_2`;โ€‹โ€‹

 

  • data_users_1 has now all privileges on my_catalog_1, whereas data_users_2 has now all privileges on my_catalog_2
  • There is no need to limit catalog visibility on the workspace level if there is no requirement to do so.
  • Check the docs on unity catalog privilege management
0 Kudos
Announcements