
Need to fetch Mount Point details

Danish11052000
Contributor

Hi Team,

I'm currently working on building a consolidated view of access permissions across our Databricks environment.

  • For Unity Catalog (UC) objects, I'm able to retrieve permission details using system tables (privileges / audit logs).
  • However, for legacy (non-UC) setups, I understand that access is primarily managed via mount points and underlying ADLS ACLs, which are not captured in UC system tables.

Could you please guide on the following:

  1. How can we fetch a complete list of mount points along with their mapping to ADLS paths?
  2. Is there any recommended approach to extract or audit ACL / permission details applied on these mount points (or underlying storage)?
  3. Are there any existing tools, logs, or governance sources (e.g., APIs) that provide mount-level access visibility?

From my current understanding, UC permissions alone are not sufficient, and mount point access details are a key missing piece for complete access governance.

Any guidance, references, or best practices would be really helpful.

Thanks in advance!

3 REPLIES

amirabedhiafi
Contributor

Hello @Danish11052000!

Thank you for the question, it really helped me to review my knowledge and go back and pay attention to this subject 😄

And guess what? You are correct, because UC permissions alone will not give complete access governance for legacy DBFS mounts. For mounts, governance has to be built from DBKS mount inventory with audit logs, Azure Storage RBAC/ACLs and storage access logs.

So for the mount inventory you can use dbutils.fs.mounts() from each workspace, because they are workspace-level aliases between DBFS and cloud storage and they store the storage location, driver config and credentials needed to access the data. If you check the doc, they are already deprecated, so you need to think about migrating to UC external locations instead. https://learn.microsoft.com/en-us/azure/databricks/dbfs/mounts

This is an example I did and it is working:

mounts = []

for m in dbutils.fs.mounts():
    mounts.append({
        "mount_point": m.mountPoint,
        "source": m.source,
        "encryption_type": getattr(m, "encryptionType", None)
    })

mount_df = spark.createDataFrame(mounts)
display(mount_df)

# here you can persist the inventory for governance
mount_df.write.mode("overwrite").saveAsTable("governance_legacy.databricks_mount_inventory")

This gives you the mapping:

/mnt/raw/customers  ->  abfss://raw@storageaccount.dfs.core.windows.net/customers

For ACLs, the permissions are not stored on the DBKS mount itself; they are enforced at the underlying ADLS Gen2 layer through Azure RBAC and POSIX ACLs. Try to check this doc, it explains that part:

https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control

For a single path you can check the ACL with Azure CLI:

az storage fs access show \
  --account-name <storage-account> \
  --file-system <container> \
  --path <directory-or-file-path> \
  --auth-mode login

With az storage fs access show you can get the ACL for a directory or file, and for broader auditing you typically need to crawl the mounted ADLS path and extract ACLs using Azure CLI, PS or Azure Storage SDK.

You can list paths with FileSystemClient.get_paths() and read the ACL with get_access_control().

You can also use audit logs to identify mount and unmount events, but this is not the same as a full current permission model, because DBKS audit logs include DBFS operational events such as mount and unmount with params like mountPoint and owner.

For storage access auditing, personally I use Azure Storage diagnostics. Azure Blob or ADLS logs can be routed to Log Analytics and, for your information, the supported categories include only StorageRead, StorageWrite and StorageDelete.

If this answer resolves your question, could you please mark it as "Accept as Solution"? It will help other users quickly find the correct fix.

Senior BI/Data Engineer | Microsoft MVP Data Platform | Microsoft MVP Power BI | Power BI Super User | C# Corner MVP
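
The ACL crawl described in the answer above, as an added example (not part of the original post and not Databricks or Microsoft code): it splits each mount `source` into container, host and path, walks the tree with `get_paths()`, and flattens each `get_access_control()` result into one governance row per ACL entry. The function names and `SAMPLE` are constructed for illustration; `crawl_mount` assumes the `azure-storage-file-datalake` package and a credential allowed to read ACLs.

```python
from urllib.parse import urlparse

def parse_abfss(source):
    """Split abfss://<container>@<host>/<path>; None for other schemes."""
    u = urlparse(source)
    if u.scheme not in ("abfs", "abfss") or "@" not in u.netloc:
        return None  # wasbs://, adl:// etc. are out of scope here
    container, host = u.netloc.split("@", 1)
    return {"container": container, "host": host, "path": u.path.strip("/")}

def parse_acl(acl):
    """Parse 'user::rwx,default:group:<id>:r-x,...' into entry dicts."""
    entries = []
    for item in filter(None, (s.strip() for s in acl.split(","))):
        parts = item.split(":")
        is_default = parts[0] == "default"  # default ACLs are inherited by new children
        if is_default:
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL entry: {item!r}")
        kind, principal, perms = parts
        entries.append({"default": is_default, "type": kind,
                        "principal": principal or None, "permissions": perms})
    return entries

def acl_rows(mount_point, path, access):
    """Flatten one get_access_control() result into governance rows."""
    return [{"mount_point": mount_point, "path": path,
             "owner": access.get("owner"), "group": access.get("group"), **e}
            for e in parse_acl(access.get("acl") or "")]

def crawl_mount(mount_point, source, credential):
    """Yield ACL rows for the mount root and everything below it."""
    from azure.storage.filedatalake import DataLakeServiceClient  # needs the SDK
    loc = parse_abfss(source)
    if loc is None:
        return
    fs = DataLakeServiceClient(f"https://{loc['host']}", credential=credential) \
        .get_file_system_client(loc["container"])
    root = loc["path"] or "/"
    yield from acl_rows(mount_point, root,
                        fs.get_directory_client(root).get_access_control())
    for p in fs.get_paths(path=loc["path"] or None, recursive=True):
        client = (fs.get_directory_client(p.name) if p.is_directory
                  else fs.get_file_client(p.name))
        yield from acl_rows(mount_point, p.name, client.get_access_control())

# Constructed sample of what get_access_control() returns (not real data).
SAMPLE = {"owner": "$superuser", "group": "$superuser", "permissions": "rwxr-x---",
          "acl": "user::rwx,user:00000000-0000-0000-0000-000000000001:r-x,"
                 "group::r-x,mask::r-x,other::---,default:user::rwx"}
```

Rows whose `principal` is set are named users or groups granted access beyond the owning user and group, and `default` rows show what new child paths will inherit.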

Thanks for the explanation. Based on your example, mount points are retrieved using dbutils.fs.mount, and since mounts are being deprecated, migration to Unity Catalog is required.

Currently, I am already using Unity Catalog, so dbutils.mounts won't work. Is there an alternative way to retrieve these details via an API?

Also, since non-UC workspaces will gradually migrate to UC, how should we handle this situation in the meantime?

Hi @Danish11052000,

Not exactly. dbutils.fs.mounts() is for legacy DBFS mounts, and it can still work in some Unity Catalog-enabled workspaces if those mounts still exist and the cluster/access mode permits DBFS access. However, mounts are deprecated and are not the Unity Catalog model.

In Unity Catalog, the equivalents to inspect are external locations, storage credentials, and volumes rather than mounts. So there isn't a direct "list mounts" UC API; instead, you'd use commands/APIs such as SHOW EXTERNAL LOCATIONS, SHOW STORAGE CREDENTIALS, and SHOW VOLUMES, plus the Files API/SDK for volume file operations.

During migration, support both patterns... use dbutils.fs.mounts() only for remaining legacy mounts, and use UC metadata objects for UC-governed storage.

Lastly, when you mention that non-UC workspaces will gradually migrate to UC, I assume this is an activity you will be handling. I want to clarify that this process will not happen automatically, in case you had that impression.

If this answer resolves your question, could you mark it as "Accept as Solution"? That helps other users quickly find the correct fix.

 

Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***