cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to grant access to views without granting access to underlying tables

Go to solution
alm
New Contributor III

‎05-30-2023 05:43 AM

I have a medallion architecture:

  • Bronze layer: Raw data in tables
  • Silver layer: Refined data in views created from the bronze layer
  • Gold layer: Data products as views created from the silver layer

Currently I have a data scientist that needs access to data in the silver layer through Unity Catalog. When he's granted permission (SELECT; USE) to the data in the silver layer, he gets an exception because he does not have USE permission to the data in the bronze layer. If he is granted USE permission, an exception is raised that he does not have SELECT permission to the data in the bronze layer. I do not want to grant him SELECT permission on the raw data.

Is it not possible to grant access to a view without granting access to the underlying table? If not, what is then the use-case of the views?

If this proves to be impossible, what is then the solution? If I make shallow clones, will it solve my problem, or will I encounter something similar?

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
MoJaMa
Databricks Employee
Databricks Employee

‎02-27-2024 08:39 AM

Single-user clusters use a different security mode which is the reason for this difference.

On single-user/assigned clusters, you'll need the Fine Grained Access Control service (which is a Serverless service) - that is the solution to this problem (also allows you to read tables with RLS/CLM, Dynamic Views and DLT's Streaming Tables and materialized Views - all stuff that is problematic to read on single-user(ie assigned) clusters today)

So, assuming you need Shared ML you need:

1. Service Principal Cluster Preview

2. Fine Grained Access Control Preview.

You can talk to your Databricks Account team to enable these.

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
Jerry01
New Contributor III

‎07-26-2023 09:37 AM

I am also facing the same issue. Do we have a solution for this?

0 Kudos

Go to solution
Tharun-Kumar
Databricks Employee
Databricks Employee

‎07-26-2023 08:45 PM

Hi @alm 

Could you let us know which access mode is being used on the Cluster?

0 Kudos

Go to solution
Jerry01
New Contributor III
In response to Tharun-Kumar

‎07-27-2023 11:11 AM

Tried with single user cluster and shared cluster as well

0 Kudos

Go to solution
alm
New Contributor III
In response to Tharun-Kumar

‎07-30-2023 09:46 PM

Hi @Tharun-Kumar

The problem doesn't occur when using shared access mode, but the shared access isn't supported on ML clusters and so it's a temporary fix only. 

Go to solution
MoJaMa
Databricks Employee
Databricks Employee

‎02-27-2024 08:39 AM

Single-user clusters use a different security mode which is the reason for this difference.

On single-user/assigned clusters, you'll need the Fine Grained Access Control service (which is a Serverless service) - that is the solution to this problem (also allows you to read tables with RLS/CLM, Dynamic Views and DLT's Streaming Tables and materialized Views - all stuff that is problematic to read on single-user(ie assigned) clusters today)

So, assuming you need Shared ML you need:

1. Service Principal Cluster Preview

2. Fine Grained Access Control Preview.

You can talk to your Databricks Account team to enable these.

0 Kudos

Go to solution
alm
New Contributor III
In response to MoJaMa

‎02-28-2024 12:33 AM

Thank you for your reply.

This may very well be the solution to the original problem. Our setup has changed since the question was posed, so I won't be able to test the solution. 

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements