Databricks Community

maaaxx · ‎01-17-2023

Hi databricks community,

I have searched quite a while through the internet but did not find an answer. If I have configured the azure datalake connection in Unity data catalog, is it possible to grant the access to users for a specific file or a folder to them? Have seen quite a lot of examples so far for the structured data only.

Thanks.

-werners- · ‎01-17-2023

No.

Unity catalog enforces permissions on the table level (and catalog and schema etc), but not on the storage level.

Unity itself uses a managed identity or service principal for storage access btw. This id should have access to the data lake.

What you can do is create dynamic views to make a row-level security setup.

https://learn.microsoft.com/en-us/azure/databricks/data-governance/table-acls/object-privileges#row-...

View solution in original post

-werners- · ‎01-17-2023

No.

Unity catalog enforces permissions on the table level (and catalog and schema etc), but not on the storage level.

Unity itself uses a managed identity or service principal for storage access btw. This id should have access to the data lake.

What you can do is create dynamic views to make a row-level security setup.

https://learn.microsoft.com/en-us/azure/databricks/data-governance/table-acls/object-privileges#row-...

Hubert-Dudek · ‎01-17-2023

As @werners said service principal needs to have access to the file level.

In the unity catalog, you can use "READ FILES"/"WRITE FILES" permission to give someone the possibility of reading files from the storage level (but through databricks).

maaaxx · ‎01-26-2023

Hi @Hubert Dudek @Werner Stinckens , thank you for the idea. In our scenario, we would need to share the files inside the azure datalake in the same folder.

Imagine that we have a folder ORDER001 and file1, file2 and file3. Can we use databricks to share the access to user A the access of file1 and file2 but for user B the access to file3?

Some people have suggested to copy the files outside and create separate container. However, this will unavoidably create duplication and we would like to avoid.

Have you an idea how the acsess control in this scenario could be achieve through databricks?

Many thanks

Hubert-Dudek · ‎01-26-2023

It is messy as:

Files are in the same folder (so it complicates using an external location and read-write permission)
Unity Catalog is designed to have tables, and you grant access to tables

I don't know what the files are. Unstructured data can be included in the delta file / metastore table (array or binary).

You could also put these files outside of databricks and manage access separately.

@Werner Stinckens, is it possible to have Unity Catalog and mount another storage container under the dbfs path using credentials passthrough?

-werners- · ‎01-27-2023

I am not sure. Someone at Databricks once told me that mounts and Unity are not friends.

The easiest way to achieve this on file level is either:

not using Unity and use AAD credential passtrough. then define the file access with ACLs on the data lake.
forget about the file access and use dynamic views f.e. to create row level security.

Frankly using ACLs always gets on my nerves. Hard to maintain.

Databricks Community

Can Unity catalog grant the access to a file inside azure datalake storage?

Connect with Databricks Users in Your Area

Announcing the Winners of the Generative AI World Cup

Databricks Learning Festival (Virtual): 15 January - 31 January 2025

How to present and share your Notebook insights in AI/BI Dashboards

Introducing an exclusively Databricks-hosted Assistant

Meet the Databricks MVPs