Automate run as workflow parameter to default to current user
a week ago - last edited a week ago
I am trying to run a workflow within Databricks. I have 2 workflows, workflow one which always runs as the service principal, as all data gets accessed and wrangled within this workflow, and workflow 2 which always defaults to the last run account. In workflow 2 we expect users to set the 'run as' parameter to themselves, as there is a security check built into the workflow that only allows the user to see data they are authorized to see.
The issue I am facing is that the run as parameter stays on the user who last made a change to the workflow. This creates the risk that another user can run the workflow with the previous user's account.
Is there a way to set the run as parameter to always default to the current user?
a week ago
Hey,
I’d like to share my thoughts on this, as I believe the situation might be more complex than it seems, and I feel you might be using a workaround to address a problem that could be tackled differently.
If the core issue revolves around who can view specific data, you could leverage built-in catalog tools and permission settings to control data access at a more granular level. Instead of relying on the ‘run as’ parameter, you could implement access controls using catalog-level permissions, ensuring that users can only read the data they are authorized to see.
Additionally, if you need to generate results after data wrangling, a more scalable approach would be to create dynamic views, allowing only specific users (through groups) to have visibility over certain data. This can be achieved using a SQL view with conditional logic, such as:
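    CREATE OR REPLACE VIEW filtered_data AS
    SELECT
      * EXCEPT (sensitive_column),
      -- Only the listed users see the real value; everyone else gets NULL
      CASE
        WHEN current_user() IN ('user1', 'user2') THEN sensitive_column
        ELSE NULL
      END AS sensitive_column
    FROM raw_data;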
Unlike manual adjustments in the workflow execution settings, which can introduce operational risks and dependencies on user actions, catalog-level permissions ensure consistent data governance and security across all workloads.
If you find this answer helpful, feel free to mark it as resolved or give it a 👍!
🙂
a week ago
Hi, how are you expecting to achieve this? Do you want users who are manually triggering this workflow to first update run_as to themselves, or do you want to make this happen programmatically?
a week ago
Users will only trigger this workflow if they need to enquire if a specific change has happened, so it will always be triggered manually by different users.
a week ago
I would say then you have to look for some sort of automation in front which will trigger this workflow and update run_as to the current user. Otherwise users have to be asked to change it manually before every run, which is very tricky, right?
Look for a DevOps pipeline or, easier, a Python script to do this for your user.