Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.

What is the recommended approach to enforce row-level security in Unity Catalog for external BI tool

GaneshI
New Contributor III

We connect Tableau and Power BI to our Databricks SQL warehouse via OAuth tokens. Do Unity Catalog row filters apply at the SQL layer regardless of the BI tool, or do we need additional enforcement at the warehouse level?

Accepted Solutions

Lu_Wang_ENB_DBX
Databricks Employee

Unity Catalog row filters apply at the SQL/query layer, so if Tableau or Power BI is querying a Databricks SQL warehouse, the filters are enforced there — you do not need a separate warehouse-level row-filter feature. Row filters and column masks are evaluated at query time and integrate with standard SQL.

The key consideration is which identity the OAuth token represents:

  • If the BI connection uses user OAuth / U2M, the filters apply per user.
  • If it uses service principal OAuth / M2M, enforcement still happens, but it is evaluated as the service principal, so all BI users effectively share that principal's data scope unless you add per-user delegation upstream.

Summary: No extra warehouse-level enforcement is needed for UC row filters themselves; make sure you use the right auth model for the level of per-user isolation you want.

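The following is an added example, not part of the original post or of Databricks' own material: a group-based row filter attached to a table, plus two check queries to run through each BI connection to see which identity the filter is evaluated for. The catalog, schema, table, column and group names are hypothetical.

```sql
-- Added example. main.sales.orders, the region column and the
-- sales_* group names are hypothetical placeholders.

-- Row filter function: returns TRUE for rows the querying identity may see.
-- Group membership is resolved for the identity behind the OAuth token.
CREATE OR REPLACE FUNCTION main.sales.region_filter(region STRING)
RETURN
  is_account_group_member('sales_admins')                         -- admins see every row
  OR (is_account_group_member('sales_emea') AND region = 'EMEA')  -- EMEA team sees EMEA rows
  OR (is_account_group_member('sales_amer') AND region = 'AMER'); -- AMER team sees AMER rows

-- Attach the filter to the table. From here on it is applied at query time
-- to every SELECT on the table, whichever client sends the query.
ALTER TABLE main.sales.orders
  SET ROW FILTER main.sales.region_filter ON (region);

-- Check 1: run through the Tableau / Power BI connection.
-- Shows the identity the warehouse evaluates the filter for.
SELECT current_user() AS evaluated_as;

-- Check 2: run through the same connection.
-- Shows which regions, and how many rows, that identity can actually see.
SELECT region, count(*) AS visible_rows
FROM main.sales.orders
GROUP BY region
ORDER BY region;
```

If two different BI users get the same `evaluated_as` value and the same row counts, the connection is authenticating as a shared principal and the filter cannot distinguish between them.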
