
Folder execute permissions

adrianhernandez
New Contributor III

Hello,

After reading multiple posts, going through online forums, and even asking AI, I still don't have an answer to my questions. On the latest Databricks with Unity Catalog, what happens if I give users Execute permissions on a folder?

  1. Can they view the contents of the folder (E.g. notebooks list)?
  2. If they click on a notebook, can they view the code? I remember working with PVC (pre-Unity Catalog) Databricks on AWS; permissions seemed to be different, as you could specify Read + Execute and users could view the code and execute it.

What I'm trying to accomplish (if possible) is to allow users to run notebooks in a given folder but not view the code.

1 ACCEPTED SOLUTION

szymon_dybczak
Esteemed Contributor III

Hi @adrianhernandez ,

You're confusing UC catalog permissions with workspace ACL permissions. In UC you have the following securable objects on which privileges can be granted:

[image: table of Unity Catalog securable objects]

In Azure Databricks, you can use access control lists (ACLs) to configure permissions to access workspace-level objects like folders, files, notebooks, compute, etc.

You can manage workspace object permissions by adding objects to folders. Objects in a folder inherit all permission settings of that folder.
For example, a user that has the CAN RUN permission on a folder has CAN RUN permission on the alerts in that folder. If you grant a user access to an object inside the folder, they can view the parent folder's name, even if they do not have permissions on the parent folder.
For instance, a notebook named test1.py is in a folder named Workflows. If you grant a user CAN VIEW on test1.py and no permissions on Workflows, the user can see that the parent folder is named Workflows. The user cannot view or access any other objects in the Workflows folder unless they have been granted permissions on them.

Below you can find all permissions that you can set on folders:

https://learn.microsoft.com/en-us/azure/databricks/security/auth/access-control/#folder-acls

[image: table of folder permission levels]


And here's a list of ACLs you can set on notebooks:

https://learn.microsoft.com/en-us/azure/databricks/security/auth/access-control/#notebook

[image: table of notebook permission levels]


So, to sum it up: in my opinion you can't accomplish what you want, because the ACL required to run a notebook (the CAN RUN permission) already includes the CAN VIEW permission.

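The inheritance and visibility rules the answer describes, written up as an added Python model (not Databricks code and not from the original thread): a folder grant flows down to the notebooks in it, a grant on a child exposes only the parent folder's name, and because CAN RUN sits above CAN VIEW on the permission ladder there is no way to express "run but not view". The level names, their ordering and the sample ACL are assumptions constructed for this model.

```python
from pathlib import PurePosixPath

# Permission ladder assumed for this model (the page's tables are images):
# each level implies every level below it, so CAN RUN implies CAN VIEW.
LEVELS = ["NONE", "CAN VIEW", "CAN RUN", "CAN EDIT", "CAN MANAGE"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample ACL: workspace path -> {principal: granted level}.
# Mirrors the answer's scenario: bob has CAN VIEW on test1.py only.
ACL = {
    "/Shared": {"analysts": "CAN RUN"},
    "/Shared/etl.py": {},
    "/Workflows": {},
    "/Workflows/test1.py": {"bob": "CAN VIEW"},
    "/Workflows/secret.py": {},
}

def effective_level(acl, path, principal):
    """Highest level granted on the object itself or any ancestor folder."""
    p = PurePosixPath(path)
    best = "NONE"
    for node in (p, *p.parents):          # object first, then each parent folder
        lvl = acl.get(str(node), {}).get(principal, "NONE")
        if RANK[lvl] > RANK[best]:
            best = lvl
    return best

def has(acl, path, principal, needed):
    """True when the effective level is at least `needed`."""
    return RANK[effective_level(acl, path, principal)] >= RANK[needed]

def children(acl, folder):
    return [obj for obj in acl if PurePosixPath(obj).parent == PurePosixPath(folder)]

def can_see_folder_name(acl, folder, principal):
    """A grant on any object inside the folder exposes the folder's name."""
    return has(acl, folder, principal, "CAN VIEW") or any(
        has(acl, obj, principal, "CAN VIEW") for obj in children(acl, folder))

def openable_contents(acl, folder, principal):
    """Objects in the folder the principal can actually open (not just the name)."""
    return sorted(obj for obj in children(acl, folder)
                  if has(acl, obj, principal, "CAN VIEW"))

def run_without_view_possible(acl, path, principal):
    """The question's goal: run but not view. Under this ladder it never holds."""
    return (has(acl, path, principal, "CAN RUN")
            and not has(acl, path, principal, "CAN VIEW"))
```

Swapping in an export of a real workspace's ACLs for `ACL` turns this into a quick audit of who can open which notebooks through folder inheritance.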

2 REPLIES 2

adrianhernandez
New Contributor III

Thanks for your response. That's what I imagined, although I could not confirm it, as my current project uses Unity Catalog and we are not allowed to run many commands, including ACL-related PySpark code.
