Hi @VJ3, when you associate or migrate a Databricks workspace to the Unity Catalog, all workspace groups will synchronize with the Unity Catalog, and the workspace groups will be renamed as workspace-local groups. Databricks indeed recommends removing these workspace-local groups.
Let’s explore the implications and permissions related to this:
Security Implications:
- If you do not remove the workspace-local group from workspaces that are already associated with the Unity Catalog, there could be potential security risks. These legacy groups are limited in their capabilities:
  - Workspace-local groups cannot be assigned to additional workspaces.
  - They cannot be granted access to data in a Unity Catalog metastore.
  - Workspace-local groups cannot be granted account-level roles.
- By keeping these groups, you might have a fragmented access control system, making it harder to manage permissions consistently across workspaces.
Adding Users and Permissions:
- Workspace admins of workspaces associated with the Unity Catalog can indeed add users to the workspace-local group.
- However, the permissions granted to the workspace-local group are limited:
  - You can grant access to specific tables, schemas, views, etc., within the workspace.
  - But remember that workspace-local groups cannot access data in the Unity Catalog metastore.
- For more robust and centralized management, consider migrating these workspace-local groups to account groups. Account groups allow more flexibility in managing access to data and roles using the Unity Catalog.
Migrating to Account Groups:
- Databricks recommends turning existing workspace-local groups into account groups to take advantage of centralized workspace assignment and data access management using the Unity Catalog.
- To do this, follow the steps to migrate workspace-local groups to account groups.
In summary, while it’s possible to work with workspace-local groups, transitioning to account groups provides better security and management capabilities. Ensure that your permissions align with your organization’s security policies and best practices.
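
Added example (not part of the reply above, and not Databricks code): a short audit that finds leftover workspace-local groups in a group listing, so they can be removed or migrated as the reply describes. It assumes the listing has the shape of a workspace SCIM Groups response, where `meta.resourceType` is `WorkspaceGroup` for workspace-local groups and `Group` for account groups. The sample data, the function names, the built-in group list and the empty-versus-populated heuristic are illustrative assumptions.

```python
import json

# Constructed sample shaped like a workspace SCIM "list groups" response.
SAMPLE = json.loads("""
{"Resources": [
  {"id": "1", "displayName": "admins",
   "meta": {"resourceType": "WorkspaceGroup"}, "members": [{"value": "u0"}]},
  {"id": "101", "displayName": "data-engineers",
   "meta": {"resourceType": "Group"},
   "members": [{"value": "u1"}, {"value": "u2"}]},
  {"id": "202", "displayName": "legacy-analysts",
   "meta": {"resourceType": "WorkspaceGroup"},
   "members": [{"value": "u3"}],
   "entitlements": [{"value": "databricks-sql-access"}]},
  {"id": "303", "displayName": "old-etl",
   "meta": {"resourceType": "WorkspaceGroup"}}
]}
""")

# Assumption: built-in workspace groups that are not migration candidates.
SYSTEM_GROUPS = {"admins", "users"}


def resource_type(group):
    """Return the SCIM resource type, or None if the field is absent."""
    return group.get("meta", {}).get("resourceType")


def audit_workspace_local_groups(scim_response):
    """Return one finding per leftover workspace-local group, sorted by name."""
    findings = []
    for g in scim_response.get("Resources", []):
        name = g["displayName"]
        if resource_type(g) != "WorkspaceGroup" or name in SYSTEM_GROUPS:
            continue
        members = len(g.get("members", []))
        findings.append({
            "name": name,
            "members": members,
            # Entitlements still granted through the legacy group.
            "entitlements": sorted(e["value"] for e in g.get("entitlements", [])),
            # Heuristic: populated groups are migrated, empty ones removed.
            "action": "migrate to account group" if members else "remove (empty)",
        })
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    for finding in audit_workspace_local_groups(SAMPLE):
        print(finding)
```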