cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unity Catalog - How to read prod data in dev with appropriate read-only access?

Go to solution
ChristianRRL
Honored Contributor

Thursday

Hi there,

Our team is currently migrating to using Unity Catalog. We have two databricks workspaces for dev & prod, and one thing that I'm wondering is if there is a simple/appropriate way to have only two catalogs dev & prod, where the prod databricks workspace has read-write access to the prod catalog, and in the dev workspace we have read-write access to the dev catalog AND read-only access to the prod catalog.

One approach that our team is considering is having 3 catalogs: dev, prod, and prod_readonly, where the prod_readonly would be available in the dev environment. But I'm wondering, can we accomplish this same functionality with only having two catalogs and ensuring the prod catalog cannot be edited if in the dev workspace.

0 Kudos
2 ACCEPTED SOLUTIONS

Accepted Solutions

Go to solution
szymon_dybczak
Esteemed Contributor III

Thursday - last edited Thursday

Hi  @ChristianRRL ,

Yes, you can absolutely do this with just two catalogs The prod_readonly catalog idea is unnecessary in this case. Unity Catalog has a first-class feature called workspace-catalog binding that handles this exact scenario.

By default, all catalogs in Unity Catalog are accessible from any workspace attached to the same metastore. Workspace-catalog binding lets you override this default to restrict a catalog to one or more specific workspaces, and when binding a catalog to a workspace, you can optionally restrict that workspace to read-only access - all write operations from that workspace to the catalog are blocked.

Critically, these bindings override user-level permissions. If a user has privileges on an object but tries to access it from an unbound workspace, access is denied. This means you don't need to fiddle with fine-grained GRANTs to achieve the isolation - the binding itself enforces it at the platform level.

You can read more at below link:

Workspace-catalog binding | Databricks on AWS

View solution in original post

Go to solution
nayan_wylde
Esteemed Contributor II

Thursday

Yes — you can accomplish exactly what you described with only two catalogs (dev + prod). You do not need a third prod_readonly catalog.
There are two complementary control planes in Unity Catalog:

Workspace-level restriction (workspace-catalog binding) = controls where a catalog can be accessed from, and can enforce read-only from a specific workspace.
UC privileges (GRANT/REVOKE) = controls who can read/write/manage objects within the catalog.

The cleanest pattern for Dev RW + Prod RO is:

  • Bind prod catalog to both workspaces, but mark the Dev workspace binding as read-only.
  • Grant read-only privileges to dev principals on prod catalog/schemas/tables.
  • Keep prod workspace binding as read-write and grant write privileges only to prod principals / service principals.

View solution in original post

2 REPLIES 2

Go to solution
szymon_dybczak
Esteemed Contributor III

Thursday - last edited Thursday

Hi  @ChristianRRL ,

Yes, you can absolutely do this with just two catalogs The prod_readonly catalog idea is unnecessary in this case. Unity Catalog has a first-class feature called workspace-catalog binding that handles this exact scenario.

By default, all catalogs in Unity Catalog are accessible from any workspace attached to the same metastore. Workspace-catalog binding lets you override this default to restrict a catalog to one or more specific workspaces, and when binding a catalog to a workspace, you can optionally restrict that workspace to read-only access - all write operations from that workspace to the catalog are blocked.

Critically, these bindings override user-level permissions. If a user has privileges on an object but tries to access it from an unbound workspace, access is denied. This means you don't need to fiddle with fine-grained GRANTs to achieve the isolation - the binding itself enforces it at the platform level.

You can read more at below link:

Workspace-catalog binding | Databricks on AWS

Go to solution
nayan_wylde
Esteemed Contributor II

Thursday

Yes — you can accomplish exactly what you described with only two catalogs (dev + prod). You do not need a third prod_readonly catalog.
There are two complementary control planes in Unity Catalog:

Workspace-level restriction (workspace-catalog binding) = controls where a catalog can be accessed from, and can enforce read-only from a specific workspace.
UC privileges (GRANT/REVOKE) = controls who can read/write/manage objects within the catalog.

The cleanest pattern for Dev RW + Prod RO is:

  • Bind prod catalog to both workspaces, but mark the Dev workspace binding as read-only.
  • Grant read-only privileges to dev principals on prod catalog/schemas/tables.
  • Keep prod workspace binding as read-write and grant write privileges only to prod principals / service principals.
Announcements