
Row Filter on Unity Catalog Tables based on Unity Catalog group membership

Antoine_B
Contributor

Hello,

I would like to prevent users belonging to a given Unity Catalog group ('restricted_users_group') from accessing some rows of a Unity Catalog Table.

For now, I was able to define a Row Filter function to prevent a list of users from accessing some rows, thanks to this documentation.
Here is my current function:

-- apply Row Filter only for user restricted@users.com. Filter is disabled for other users
CREATE FUNCTION rd.my_schema.my_row_filter(filter_column INTEGER) RETURNS BOOLEAN
RETURN IF(CURRENT_USER() = 'restricted@users.com', filter_column IN (15, 16, 17), true);

Here is how I apply this Row Filter function to two of my sensitive tables:

ALTER TABLE rd.my_schema.my_table_1 SET ROW FILTER rd.my_schema.my_row_filter ON (id_col);
ALTER TABLE rd.my_schema.my_table_2 SET ROW FILTER rd.my_schema.my_row_filter ON (id_col);


But I would like some help to adapt this function to work with Unity Catalog groups instead of users.
Because I would like to avoid editing my Row Filter function each time a new user is added to this group ('restricted_users_group').

Thanks 🙂

2 REPLIES

Antoine_B
Contributor

I saw the tricks of mapping tables: https://docs.databricks.com/en/tables/row-and-column-filters.html#mapping-table-examples

This means I have to create a Job to keep my mapping table up to date with users in the Unity Catalog group.
I keep this solution in mind, but I wonder if something more integrated in Row Filter functions exists, without the need for a mapping table?

Antoine_B
Contributor

Ok, so this problem needs no tricks. All was in the documentation.
I did not know about the function IS_ACCOUNT_GROUP_MEMBER().

So this Row Filter function did the job:

CREATE FUNCTION rd.my_schema.my_row_filter(filter_column INTEGER) RETURNS BOOLEAN
RETURN IF(IS_ACCOUNT_GROUP_MEMBER('restricted_users_group'), filter_column IN (15, 16, 17), true);
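
Added example, not part of the original thread: the filter above returns true for every user outside 'restricted_users_group', so this variant decides visibility from group membership in both directions and returns no rows to a user who is in neither group. The group name full_access_group and the function name my_row_filter_by_group are assumptions for illustration; the catalog, schema, table and column names come from the posts above.

```sql
-- Added example (not from the original thread).
-- Assumed names: full_access_group, my_row_filter_by_group.
CREATE OR REPLACE FUNCTION rd.my_schema.my_row_filter_by_group(filter_column INTEGER)
RETURNS BOOLEAN
RETURN CASE
  -- Checked first, so a user who is in both groups gets the narrower view.
  WHEN IS_ACCOUNT_GROUP_MEMBER('restricted_users_group') THEN filter_column IN (15, 16, 17)
  -- Members of the (assumed) full-access group see every row.
  WHEN IS_ACCOUNT_GROUP_MEMBER('full_access_group') THEN TRUE
  -- Anyone in neither group sees no rows (fail closed).
  ELSE FALSE
END;

-- Attach the filter to the same two tables and column used in the thread.
ALTER TABLE rd.my_schema.my_table_1 SET ROW FILTER rd.my_schema.my_row_filter_by_group ON (id_col);
ALTER TABLE rd.my_schema.my_table_2 SET ROW FILTER rd.my_schema.my_row_filter_by_group ON (id_col);

-- Check 1, run as the user under test: which branch applies to this session?
SELECT
  CURRENT_USER() AS user_name,
  IS_ACCOUNT_GROUP_MEMBER('restricted_users_group') AS in_restricted,
  IS_ACCOUNT_GROUP_MEMBER('full_access_group') AS in_full_access;

-- Check 2, same session: the ids this user can actually read.
-- A member of restricted_users_group should only ever see ids 15, 16, 17 here.
SELECT id_col, COUNT(*) AS visible_rows
FROM rd.my_schema.my_table_1
GROUP BY id_col
ORDER BY id_col;
```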


