cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Databricks ABAC : Can single column have two policies?

anhbn
New Contributor II

โ€Ž10-28-2025 12:27 AM

Example: I want

  • Columns tagged sensitive_level = pii โ†’ masked for everyone.

  • But if column is classification = email โ†’ allow users in group "see_email_group" to see it.

Similar to tag:value classification = phone, email, tax_code,...

 

Column Tag Description

emailsensitive_level = 'pii', classification = 'email'Personally identifiable
phonesensitive_level = 'pii', classification = 'phone'Personally identifiable
tax_codesensitive_level = 'pii', classification = 'tax'Highly confidential

Give me advice to create polices to solve the following problems:

  • By default: all users see masked data.

  • Only users in approved groups (e.g. da_email, da_phone, da_tax) can see unmasked data for that column.

Labels:
0 Kudos
6 REPLIES 6

AbhaySingh
Databricks Employee
Databricks Employee

โ€Ž10-29-2025 04:59 PM

Something like following should work for your scenario.

CREATE FUNCTION mask_email_tiered(value STRING) RETURN STRING

  RETURN CASE

    WHEN IS_MEMBER('admin') THEN value                    -- Full access

    WHEN IS_MEMBER('da_email') THEN value                 -- Full access

    WHEN IS_MEMBER('analyst') THEN CONCAT('***@', SPLIT(value, '@')[1])  -- Domain only

    ELSE 'xxx@xxx.com'                                    -- Masked

  END;

0 Kudos

anhbn
New Contributor II
In response to AbhaySingh

โ€Ž10-29-2025 09:02 PM

As following UDFs for ABAC policies best practices , I see Databricks not recommend for use calling is_member() directly inside a UDF

0 Kudos

anhbn
New Contributor II
In response to AbhaySingh

โ€Ž10-29-2025 09:03 PM

As following UDFs for ABAC policies best practices , I see Databricks not recommend for use calling is_member() directly inside a UDF

0 Kudos

AbhaySingh
Databricks Employee
Databricks Employee
In response to anhbn

โ€Ž10-30-2025 03:10 AM

Yes, there is definitely a performance hit. 

I will check with internal teams to figure out an optimal solution. 

Thanks for the link to the doc! 

anhbn
New Contributor II
In response to AbhaySingh

โ€Ž10-30-2025 03:18 AM

Thanks AbhaySingh, Looking forward to hearing from you soon

0 Kudos

AbhaySingh
Databricks Employee
Databricks Employee
In response to anhbn

โ€Ž10-31-2025 05:10 AM

Hi Anhbn,

The solution I proposed is certainly not optimal but a viable stopgap/interim solution assuming it meets your performance needs at the moment.

Team is working on some improvement which we will get to know about when ABAC goes to public preview soon.

Thanks,

 

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local communityโ€”sign up today to get started!

Sign Up Now
Announcements