Data Explorer minimum permissions

dvmentalmadess
Valued Contributor

What are the minimum permissions required to search and view objects in Data Explorer? For example, does a user have to have `USE [SCHEMA|CATALOG]` to search or browse in the Data Explorer? Or can anyone with workspace access browse objects and, for example, view a table definition and properties? If it’s the latter, then I assume they can view all the information about a table except sample data unless they had `USE` and `SELECT` permissions?

Normally it would be simple to verify with a test user, but I'm not sure how since I'm using SSO and am an admin.


karthik_p
Esteemed Contributor

@Mark Miller if you are enabled with Unity Catalog, catalog-level SELECT permissions should be fine to view/search.

LandanG
Databricks Employee
Accepted Solution

Hi @Mark Miller,

Right now, users need to have the SELECT + USE permission on the tables and can see the data too, or they do not have the SELECT permission and they do not see the tables at all. You need SELECT to "see" an object, just USE on CATALOG and SCHEMA should not let them see any objects. 

This will be addressed in an upcoming feature in the next couple of months. Hopefully that was able to answer your question. Thanks!

Thank you for the reply. Requiring SELECT is unfortunate - it requires users to know a dataset exists and that it's the right dataset through either tribal knowledge or maintaining an external search/browse mechanism. What I want is for users to be able to search for datasets, view the metadata (e.g., description, quality, source, usage), and then submit a ticket to request access. There doesn't seem to be a middle ground ATM. I could understand requiring USE permission to be able to see a dataset in search results. That said, I feel like I'm missing why I'd have to explicitly grant USE - the docs state that requiring USE is a security feature because it must be combined w/ SELECT before access is granted. However, if I have to grant USE to everyone anyway then why bother? In that case, just remove the complexity of managing USE grants and just require SELECT.

I understand this is still only a 1 year-old solution and I'm excited about using it. I just wanted to take the opportunity to provide feedback.

@Mark Miller​ it definitely can be confusing and I appreciate the feedback. The mandatory pairing of USE + SELECT to interact with objects is something that will be addressed in an upcoming feature release, hopefully providing the middle ground that you mentioned.

Rom
New Contributor III

"What I want is for users to be able to search for datasets, view the metadata (e.g., description, quality, source, usage), and then submit a ticket to request access."

If that is what you want, you need to create a table to capture the metadata of the tables in the catalog and grant USE/SELECT access on this table to users. Then the users can search this table and create a ticket to ask for access to the tables they want.

bearded_data
New Contributor III

Hey @Rom - while this is a bit of a workaround to get to the intended end goal, it would be nice to see this functionality built into the catalog. From the responses in this thread it seems like this feature is coming. Was curious if anyone from Databricks had any insight or direction on this.

Anonymous
Not applicable

Hi @Mark Miller​ 

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!

bearded_data
New Contributor III

Hi all - @LandanG I wanted to bump this thread to see if there was any traction on giving us the ability to expose the table metadata to users (using USE <object> permission) while not allowing the users to SELECT from the tables themselves? I think this would go a long way in "democratizing" the centralized data asset that UC is striving to become while still maintaining least privilege.

For context, I scoured the release notes since this post and did not find anything that seemed to fit this bill.

Any update you can provide would be helpful. Thanks!

Wojciech_BUK
Valued Contributor III

This is not a solution but a bit of a workaround I have used:
- expose data from information_schema, which basically has most of the info that you see in the UI

Either a table or dashboards that contain a list of the tables in my Lakehouse with the most interesting information.

bearded_data
New Contributor III

Circling back to this. With one of the recent releases you can now GRANT BROWSE at the catalog level! Hopefully they will be rolling this feature out at every object level (schemas and tables specifically).
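
The two approaches discussed in this thread (a metadata table built from `information_schema`, and the catalog-level `BROWSE` grant) can be written out as follows. This is an added example, not code posted by any participant; the catalog `governance`, schema `discovery`, table `dataset_index`, catalog `sales`, and group `data_consumers` are hypothetical names, and the catalog `governance` is assumed to exist already.

```sql
-- Added example; all object and group names are hypothetical.
-- Run as a principal that can see every object that should be listed,
-- because information_schema only returns objects the caller may access.

CREATE SCHEMA IF NOT EXISTS governance.discovery;

-- Snapshot of table metadata only: no row data from the listed tables
-- is copied. Re-run on a schedule to keep the index current.
CREATE OR REPLACE TABLE governance.discovery.dataset_index AS
SELECT
  t.table_catalog,
  t.table_schema,
  t.table_name,
  t.table_type,
  t.table_owner,
  t.comment,
  t.created,
  t.last_altered
FROM system.information_schema.tables AS t
WHERE t.table_schema <> 'information_schema'
  -- Leave out catalogs whose table names or comments are themselves sensitive.
  AND t.table_catalog NOT IN ('system', 'governance');

-- Consumers get read access to the index only, not to the tables it lists.
GRANT USE CATALOG ON CATALOG governance TO `data_consumers`;
GRANT USE SCHEMA ON SCHEMA governance.discovery TO `data_consumers`;
GRANT SELECT ON TABLE governance.discovery.dataset_index TO `data_consumers`;

-- Confirm the group holds nothing beyond the intended privilege.
SHOW GRANTS `data_consumers` ON TABLE governance.discovery.dataset_index;

-- What a consumer runs before filing an access request.
SELECT table_catalog, table_schema, table_name, table_owner, comment
FROM governance.discovery.dataset_index
WHERE comment ILIKE '%orders%' OR table_name ILIKE '%orders%';

-- Alternative from the last post: metadata discovery through BROWSE,
-- granted at the catalog level, without USE or SELECT on the data.
GRANT BROWSE ON CATALOG sales TO `data_consumers`;
SHOW GRANTS `data_consumers` ON CATALOG sales;
```

Because the index is a snapshot taken with the creator's visibility, table names, owners, and comments become readable by everyone in the group, so the exclusion list in the `WHERE` clause is the control that decides what is discoverable.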
