Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.

Databricks ABAC: Can a single column have two policies?

anhbn
New Contributor II

Example: I want

  • Columns tagged sensitive_level = pii → masked for everyone.

  • But if the column is tagged classification = email → allow users in group "see_email_group" to see it.

Similarly for the tag:value pairs classification = phone, email, tax_code, ...

 

| Column   | Tag                                                  | Description             |
|----------|------------------------------------------------------|-------------------------|
| email    | sensitive_level = 'pii', classification = 'email'    | Personally identifiable |
| phone    | sensitive_level = 'pii', classification = 'phone'    | Personally identifiable |
| tax_code | sensitive_level = 'pii', classification = 'tax'      | Highly confidential     |

Give me advice on creating policies to solve the following problems:

  • By default: all users see masked data.

  • Only users in approved groups (e.g. da_email, da_phone, da_tax) can see unmasked data for that column.


AbhaySingh
Databricks Employee

Something like the following should work for your scenario.

```sql
-- Databricks SQL UDF syntax is RETURNS <type> ... RETURN <expr>
CREATE FUNCTION mask_email_tiered(value STRING) RETURNS STRING
  RETURN CASE
    WHEN IS_MEMBER('admin') THEN value                                  -- Full access
    WHEN IS_MEMBER('da_email') THEN value                               -- Full access
    WHEN IS_MEMBER('analyst') THEN CONCAT('***@', SPLIT(value, '@')[1]) -- Domain only
    ELSE 'xxx@xxx.com'                                                  -- Masked
  END;
```

anhbn
New Contributor II

Following the UDFs for ABAC policies best practices, I see that Databricks does not recommend calling is_member() directly inside a UDF.
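One way to keep the group check out of the UDF, as an added example and not code from either poster: the mask functions are plain string transforms, and the policy's TO / EXCEPT clauses decide who is exempt, so "masked by default, unmasked for one group per classification" needs no IS_MEMBER() inside the function. Catalog, schema and group names are placeholders, and the CREATE POLICY / hasTagValue syntax is assumed from the ABAC preview DDL, so check it against the current documentation.

```sql
-- Mask functions are pure string transforms with no IS_MEMBER() call, so the
-- group check is evaluated once by the policy engine rather than per row.
-- Catalog, schema and group names are placeholders, not from the thread.
CREATE OR REPLACE FUNCTION main.governance.mask_email(value STRING)
  RETURNS STRING
  RETURN CASE
    WHEN value IS NULL THEN NULL
    -- keep only the domain; guard values with no '@' so that an
    -- out-of-range array index (SPLIT(value, '@')[1]) cannot fail in ANSI mode
    WHEN value LIKE '%@%' THEN CONCAT('***@', SUBSTRING_INDEX(value, '@', -1))
    ELSE '***'
  END;

CREATE OR REPLACE FUNCTION main.governance.mask_full(value STRING)
  RETURNS STRING
  RETURN CASE WHEN value IS NULL THEN NULL ELSE '***' END;

-- One policy per classification tag. TO `account users` gives the
-- "masked by default" behaviour; EXCEPT names the one group that sees
-- the column unmasked. Tagging a column classification = 'email' is then
-- the only step needed to bring it under pii_email_mask.
CREATE OR REPLACE POLICY pii_email_mask
  ON SCHEMA main.hr
  COMMENT 'Email columns masked for everyone except da_email'
  COLUMN MASK main.governance.mask_email
  TO `account users`
  EXCEPT `da_email`
  FOR TABLES
  MATCH COLUMNS hasTagValue('classification', 'email') AS c
  ON COLUMN c;

CREATE OR REPLACE POLICY pii_phone_mask
  ON SCHEMA main.hr
  COMMENT 'Phone columns masked for everyone except da_phone'
  COLUMN MASK main.governance.mask_full
  TO `account users`
  EXCEPT `da_phone`
  FOR TABLES
  MATCH COLUMNS hasTagValue('classification', 'phone') AS c
  ON COLUMN c;

-- Quick sanity check of the mask functions themselves (no policy needed):
SELECT main.governance.mask_email('alice@example.com') AS masked_email,
       main.governance.mask_email('not-an-email')      AS fallback;
```

Because the policies are scoped by tag value rather than by sensitive_level, adding a third classification (tax) is a third policy with its own EXCEPT group, not a change to any function.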


AbhaySingh
Databricks Employee

Yes, there is definitely a performance hit. 

I will check with internal teams to figure out an optimal solution. 

Thanks for the link to the doc! 

anhbn
New Contributor II

Thanks AbhaySingh, looking forward to hearing from you soon.

AbhaySingh
Databricks Employee

Hi Anhbn,

The solution I proposed is certainly not optimal but a viable stopgap/interim solution assuming it meets your performance needs at the moment.

The team is working on some improvements, which we will learn more about when ABAC goes to public preview soon.

Thanks,