cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
Help
Community Platform Discussions
Connect with fellow community members to discuss general topics related to the Databricks platform, industry trends, and best practices. Share experiences, ask questions, and foster collaboration within the community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Automate run as workflow parameter to default to current user

ivvande
New Contributor II

ā€Ž01-24-2025 12:11 AM - edited ā€Ž01-24-2025 12:19 AM

I am trying to run a workflow within Databricks. I have 2 workflows, workflow one which always runs as the service principal, as all data gets accessed and wrangled within this workflow, and workflow 2 which always defaults to the last run account. In workflow 2 we expect users to set the 'run as' parameter to themselves, as there is a security check built into the workflow that only allows the user to see data they are authorized to see. 

The issue I am facing is that the the run as parameter stays on the user who last made a change to the workflow. This creates the risk that another user can run the workflow with the previous users account. 

Is there a way to set the run as parameter to always default to the current user?

 

ivvande_0-1737706760905.png

 

 

0 Kudos
4 REPLIES 4

Isi
Contributor

ā€Ž01-24-2025 01:00 AM

Hey,

Iā€™d like to share my thoughts on this, as I believe the situation might be more complex than it seems, and I feel you might be using a workaround to address a problem that could be tackled differently.

If the core issue revolves around who can view specific data, you could leverage built-in catalog tools and permission settings to control data access at a more granular level. Instead of relying on the ā€˜run asā€™ parameter, you could implement access controls using catalog-level permissions, ensuring that users can only read the data they are authorized to see.

Additionally, if you need to generate results after data wrangling, a more scalable approach would be to create dynamic views, allowing only specific users (through groups) to have visibility over certain data. This can be achieved using a SQL view with conditional logic, such as:

 

CREATE OR REPLACE VIEW filtered_data AS 
SELECT * 
FROM raw_data 
WHERE 
  CASE 
    WHEN current_user IN ('user1', 'user2') THEN sensitive_column 
    ELSE NULL 
  END;

 

 

Unlike manual adjustments in the workflow execution settings, which can introduce operational risks and dependencies on user actions, catalog-level permissions ensure consistent data governance and security across all workloads.

If you find this answer helpful, feel free to mark it as resolved or give it a šŸ‘!

šŸ™‚

0 Kudos

saurabh18cs
Valued Contributor III

ā€Ž01-24-2025 02:58 AM

Hi, how are you expecting to achieve this? Do you want users who are manually triggering this workflow first update to their run_as? or you want to make this happen programatically?

0 Kudos

ivvande
New Contributor II
In response to saurabh18cs

ā€Ž01-24-2025 03:53 AM

Users will only trigger this workflow if they need to enquire if a specific change has happened, so it will always be triggered manually by different users

0 Kudos

saurabh18cs
Valued Contributor III
In response to ivvande

ā€Ž01-24-2025 04:30 AM

I would say then you have to look for some sort of automation in front which will trigger this workflow and update runas to this current user. Or if users are asked to change them manually before every run which is very tricky right.

look for devops pipline or easier python script to do this for your user.

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local communityā€”sign up today to get started!

Sign Up Now
Announcements