Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.

RLS Impact on Lake house monitoring quality metrics

karunakaran_r
New Contributor III

We have RLS applied on a table and we would like to enable Lakehouse Monitoring for quality profile metrics.

My Questions:
Which identity is used by Lakehouse Monitoring, and how can I find it, so that I can exclude it for unrestricted access to the table in our RLS policy?


Accepted Solutions

lingareddy_Alva
Honored Contributor III

Hi @karunakaran_r 

In Databricks Lakehouse Monitoring, the profiling and drift metric collection runs as a service principal that's tied to the Databricks system itself, not as your own user account.
That means when the monitor queries your table, it won't be using your personal identity; it uses the Lakehouse Monitoring service identity
(sometimes referred to as the system service principal for lakehouse monitoring).

How to find it for RLS exclusions:
- Go to Admin Console → Service Principals in your Databricks workspace (you need admin permissions).
- Look for a principal with a name like:
databricks-lakehouse-monitoring
- Note its Service Principal ID (or application ID in Azure AD).
- Update your Row-Level Security policy to include a clause that grants unrestricted access when current_user() or the principal ID equals that service principal.

 

LR
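
The row filter change described in the answer above, sketched as Unity Catalog SQL. This is an added example, not part of the original post and not Databricks' own code: the catalog, schema, table, column and group names are hypothetical, the principal ID is a placeholder for the value noted in the steps above, and it assumes current_user() returns the application ID when the caller is a service principal.

```sql
-- Constructed example. All object and group names below are hypothetical.
-- '<monitoring-principal-application-id>' is a placeholder: substitute the
-- exact ID you recorded for the identity that runs the monitor.

CREATE OR REPLACE FUNCTION main.governance.orders_region_filter(region STRING)
RETURNS BOOLEAN
RETURN
  -- Exemption: exact match on one identity only. Avoid LIKE patterns or
  -- name prefixes here, since anything that matches bypasses the filter.
  current_user() = '<monitoring-principal-application-id>'
  -- Normal rule: callers see only the rows for regions whose group they belong to.
  OR (region = 'EMEA' AND is_account_group_member('sales_emea'))
  OR (region = 'AMER' AND is_account_group_member('sales_amer'));

-- Attach the filter to the monitored table; it is evaluated per row for every reader.
ALTER TABLE main.sales.orders
  SET ROW FILTER main.governance.orders_region_filter ON (region);

-- Check the result from two sessions: a restricted user should see only
-- their own region's counts, the exempt identity should see all regions.
SELECT current_user() AS caller,
       region,
       count(*)       AS visible_rows
FROM main.sales.orders
GROUP BY region;

-- The monitor's profile and drift metric tables are computed from whatever
-- rows the exempt identity can read, so they summarize unfiltered data.
-- Grant SELECT on those output tables only to people allowed to see
-- statistics across all rows.
```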



Thank you @lingareddy_Alva