workspace local group once workspace has been migrated/Associated to Unity Catalog

VJ3
New Contributor III

Hello,

Once we associate/migrate a Databricks workspace to Unity Catalog, all the workspace groups will sync with Unity Catalog and each workspace group will be renamed to a workspace-local group. Databricks recommends removing workspace-local groups. Do we know whether there are any security implications if we do not remove the workspace-local groups from workspaces that are already associated with Unity Catalog?

Can a workspace admin (of a workspace that is already associated with Unity Catalog) add users to a workspace-local group and grant that group access to specific tables/schemas/views etc.?

1 ACCEPTED SOLUTION

Kaniz
Community Manager

Hi @VJ3, When you associate or migrate a Databricks workspace to the Unity Catalog, all workspace groups will synchronize with the Unity Catalog, and the workspace groups will be renamed as workspace-local groups. Databricks indeed recommends removing these workspace-local groups.

Let’s explore the implications and permissions related to this:

Security Implications:

  • If you do not remove the workspace-local group from workspaces that are already associated with the Unity Catalog, there could be potential security risks. These legacy groups are limited in their capabilities:
    • Workspace-local groups cannot be assigned to additional workspaces.
    • They cannot be granted access to data in a Unity Catalog metastore.
    • Workspace-local groups cannot be granted account-level roles.
  • By keeping these groups, you might have a fragmented access control system, making it harder to manage permissions consistently across workspaces.

Adding Users and Permissions:

  • Workspace admins of workspaces associated with the Unity Catalog can indeed add users to the workspace-local group.
  • However, the permissions granted to the workspace-local group are limited:
    • You can grant access to specific tables, schemas, views, etc., within the workspace.
    • But remember that workspace-local groups cannot access data in the Unity Catalog metastore.
    • For more robust and centralized management, consider migrating these workspace-local groups to account groups. Account groups allow more flexibility in managing access to data and roles using the Unity Catalog.

Migrating to Account Groups:

  • Databricks recommends turning existing workspace-local groups into account groups to take advantage of centralized workspace assignment and data access management using the Unity Catalog.
  • To do this, follow the steps to migrate workspace-local groups to account groups.

In summary, while it’s possible to work with workspace-local groups, transitioning to account groups provides better security and management capabilities. Ensure that your permissions align with your organization’s security policies and best practices.
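Before removing or migrating legacy groups, an admin usually wants an inventory of which workspace-local groups still exist and who is in them. The script below is an added example, not code from the thread or from Databricks: it parses a workspace-level SCIM Groups listing (the kind returned by GET /api/2.0/preview/scim/v2/Groups) and reports only the workspace-local groups. It assumes, as the workspace SCIM API documents, that workspace-local groups carry meta.resourceType "WorkspaceGroup" while account groups carry "Group"; the sample JSON is constructed for the example.

```python
import json

# Constructed sample of a workspace-level SCIM /Groups listing (not real data).
# Assumption: workspace-local groups have meta.resourceType "WorkspaceGroup",
# account groups synced from Unity Catalog have "Group".
SAMPLE_SCIM_GROUPS = json.dumps({
    "Resources": [
        {"id": "101", "displayName": "data-engineers",
         "meta": {"resourceType": "Group"},
         "members": [{"display": "alice@example.com"}]},
        {"id": "102", "displayName": "legacy-analysts",
         "meta": {"resourceType": "WorkspaceGroup"},
         "members": [{"display": "carol@example.com"},
                     {"display": "bob@example.com"}]},
        {"id": "103", "displayName": "finance-readers",
         "meta": {"resourceType": "WorkspaceGroup"},
         "members": []},
    ]
})


def find_workspace_local_groups(scim_json: str) -> list[dict]:
    """Return workspace-local groups and their members from a SCIM Groups listing.

    Account groups are skipped: they are managed centrally at the account level
    and are the recommended replacement for workspace-local groups.
    """
    data = json.loads(scim_json)
    findings = []
    for group in data.get("Resources", []):
        if group.get("meta", {}).get("resourceType") != "WorkspaceGroup":
            continue
        # SCIM members may expose "display" (name) or only "value" (id).
        members = sorted(m.get("display", m.get("value", ""))
                         for m in group.get("members", []))
        findings.append({"id": group["id"],
                         "displayName": group["displayName"],
                         "members": members})
    return sorted(findings, key=lambda g: g["displayName"])


def report(scim_json: str) -> str:
    """Human-readable summary for an admin deciding what to migrate or remove."""
    lines = []
    for g in find_workspace_local_groups(scim_json):
        who = ", ".join(g["members"]) or "(no members)"
        lines.append(f"workspace-local group {g['displayName']!r} "
                     f"(id {g['id']}): {who}")
    return "\n".join(lines) or "no workspace-local groups found"


if __name__ == "__main__":
    print(report(SAMPLE_SCIM_GROUPS))
```

Empty workspace-local groups are candidates for straightforward removal; populated ones are the ones to migrate to account groups so their members keep access through Unity Catalog.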

