workspace local group once workspace has been migrated/Associated to Unity Catalog

VJ3
New Contributor III

Hello,

Once we associate/migrate a Databricks workspace to Unity Catalog, all the workspace groups will sync with Unity Catalog and the workspace groups will be renamed to workspace-local groups. Databricks recommends removing workspace-local groups. Do we know of any security implications if we do not remove workspace-local groups from workspaces that are already associated with Unity Catalog?

Can a workspace admin (of a workspace that is already associated with Unity Catalog) add users to a workspace-local group and grant it access to specific tables/schemas/views, etc.?

1 ACCEPTED SOLUTION

Kaniz_Fatma
Community Manager

Hi @VJ3, When you associate or migrate a Databricks workspace to the Unity Catalog, all workspace groups will synchronize with the Unity Catalog, and the workspace groups will be renamed as workspace-local groups. Databricks indeed recommends removing these workspace-local groups. 

Let’s explore the implications and permissions related to this:

Security Implications:

  • If you do not remove the workspace-local group from workspaces that are already associated with the Unity Catalog, there could be potential security risks. These legacy groups are limited in their capabilities:
    • Workspace-local groups cannot be assigned to additional workspaces.
    • They cannot be granted access to data in a Unity Catalog metastore.
    • Workspace-local groups cannot be granted account-level roles.
  • By keeping these groups, you might have a fragmented access control system, making it harder to manage permissions consistently across workspaces.

Adding Users and Permissions:

  • Workspace admins of workspaces associated with the Unity Catalog can indeed add users to the workspace-local group.
  • However, the permissions granted to the workspace-local group are limited:
    • You can grant access to specific tables, schemas, views, etc., within the workspace.
    • But remember that workspace-local groups cannot access data in the Unity Catalog metastore.
    • For more robust and centralized management, consider migrating these workspace-local groups to account groups. Account groups allow more flexibility in managing access to data and roles using the Unity Catalog.

Migrating to Account Groups:

  • Databricks recommends turning existing workspace-local groups into account groups to take advantage of centralized workspace assignment and data access management using the Unity Catalog.
  • To do this, follow the steps to migrate workspace-local groups to account groups.

In summary, while it’s possible to work with workspace-local groups, transitioning to account groups provides better security and management capabilities. Ensure that your permissions align with your organization’s security policies and best practices.
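The practical check behind the answer above is: which groups in the workspace are still workspace-local, who is in them, and which planned Unity Catalog grants would fail or silently target the wrong principal because they name such a group. The following is an added example, not code from the thread or from Databricks. It works on a constructed sample shaped like the workspace SCIM `GET /api/2.0/preview/scim/v2/Groups` response and assumes that `meta.resourceType` is `"WorkspaceGroup"` for a workspace-local group and `"Group"` for an account group synced into the workspace, and that the built-in `admins` and `users` groups are workspace-local groups that stay behind and are not migration candidates (both assumptions; confirm against your tenant's API output before relying on them).

```python
"""Audit leftover workspace-local groups and plan Unity Catalog grants.

Added example (not from the forum thread or from Databricks). The sample
response below is constructed; the resourceType values and the built-in
group names are assumptions to verify against a real workspace.
"""
import json
from dataclasses import dataclass

# Constructed sample, shaped like a workspace SCIM GET /Groups listing.
SAMPLE_GROUPS_JSON = """
{
  "Resources": [
    {"displayName": "data-engineers",
     "meta": {"resourceType": "Group"},
     "members": [{"display": "alice@example.com"}, {"display": "bob@example.com"}]},
    {"displayName": "legacy-analysts",
     "meta": {"resourceType": "WorkspaceGroup"},
     "members": [{"display": "carol@example.com"}]},
    {"displayName": "admins",
     "meta": {"resourceType": "WorkspaceGroup"},
     "members": [{"display": "alice@example.com"}]}
  ]
}
"""

# Grants an admin intends to issue: (group, privilege, securable type, securable name).
# Constructed for the example; "finance-readers" deliberately does not exist.
DESIRED_GRANTS = [
    ("data-engineers", "SELECT", "TABLE", "main.sales.orders"),
    ("legacy-analysts", "SELECT", "TABLE", "main.sales.orders"),
    ("finance-readers", "USE SCHEMA", "SCHEMA", "main.finance"),
]

# Assumption: built-in workspace-local groups that every workspace keeps and
# that are not candidates for migration to account groups.
BUILTIN_LOCAL_GROUPS = frozenset({"admins", "users"})


@dataclass(frozen=True)
class GroupInfo:
    name: str
    workspace_local: bool
    members: tuple


def parse_groups(scim_json: str) -> list:
    """Turn a SCIM /Groups response into GroupInfo records."""
    groups = []
    for res in json.loads(scim_json).get("Resources", []):
        rtype = res.get("meta", {}).get("resourceType", "Group")
        members = tuple(m.get("display", m.get("value", "")) for m in res.get("members", []))
        groups.append(GroupInfo(res["displayName"], rtype == "WorkspaceGroup", members))
    return groups


def leftover_local_groups(groups: list) -> list:
    """Workspace-local groups a workspace admin can still populate but UC cannot grant to."""
    return [g for g in groups if g.workspace_local and g.name not in BUILTIN_LOCAL_GROUPS]


def plan_uc_grants(groups: list, desired: list) -> tuple:
    """Return (sql_statements, rejected_reasons) for the desired grants.

    A grant naming a workspace-local group is rejected up front: Unity Catalog
    securables take account-level principals, so the statement would either
    fail or bind to an account group that merely shares the name.
    """
    local = {g.name for g in groups if g.workspace_local}
    known = {g.name for g in groups}
    sql, rejected = [], []
    for group, priv, stype, sname in desired:
        if group in local:
            rejected.append(f"{group}: workspace-local group; Unity Catalog grants need an account group")
        elif group not in known:
            rejected.append(f"{group}: not present in this workspace")
        else:
            # Back-tick the principal; group names commonly contain hyphens.
            sql.append(f"GRANT {priv} ON {stype} {sname} TO `{group}`;")
    return sql, rejected


def migration_plan(groups: list) -> dict:
    """Account group that must exist to replace each leftover workspace-local group, with its members."""
    return {g.name: list(g.members) for g in leftover_local_groups(groups)}


if __name__ == "__main__":
    groups = parse_groups(SAMPLE_GROUPS_JSON)
    print("leftover workspace-local groups:", [g.name for g in leftover_local_groups(groups)])
    statements, problems = plan_uc_grants(groups, DESIRED_GRANTS)
    print("\n".join(statements))
    print("\n".join(problems))
    print("migration plan:", migration_plan(groups))
```

To run this against a real workspace, replace `SAMPLE_GROUPS_JSON` with the body of a `GET /api/2.0/preview/scim/v2/Groups` call made with a workspace-admin token, and run the emitted `GRANT` statements only after the account groups in `migration_plan()` exist and carry the intended members.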

