Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.

Some thinkings around data security

F_Goudarzi
New Contributor III

Hi there,

We are using Databricks and are in the early stages of adopting it. Recently, I noticed something in Databricks that caught my attention.

I implemented column-level security, which works such that if you are a member of a particular group, you can see unmasked data; otherwise, the data is masked.

However, I observed that as a workspace admin, you are able to view all users' notebooks. If a user whose notebook is being viewed by the admin has higher privileges and can see unmasked data, and the output of that data is stored in their notebook, then the admin can also view the unmasked data—even though they are not part of the group with the necessary privileges.

I'm wondering if this does not sound like a security issue?

1 REPLY

Louis_Frolio
Databricks Employee

Hey @F_Goudarzi, here are some things to think about:

Is this a security issue?

  • This is expected behavior: workspace admins have broad authority over workspace assets (including viewing notebook content).

  • Row filters and column masks apply at query time to base data. They don’t retroactively redact values already saved in a notebook cell output or other derived artifacts.

Recommended controls and mitigations

  • Minimize and centralize workspace admins. Limit the role to trusted platform/IT operators.

  • Use workspace bindings to restrict which workspaces can access sensitive catalogs and locations.

  • Prefer ABAC, row filters, and column masks for data-level enforcement. Keep fine-grained policies centralized and consistent.

  • Harden notebook hygiene for sensitive workloads:

    • Avoid persisting raw sensitive values in notebook outputs.
    • Write results to governed tables and clear cell outputs when sharing.
  • Run jobs as service principals and store outputs in secured locations, not in notebook cells. Keep workspace admin membership constrained since they can reassign job ownership.

  • Enable and monitor audit logs to review access, ownership changes, and policy evaluations.

Bottom line

What you observed is consistent with the scope of the workspace admin role and with masking being enforced at data-access time over the source tables—not over previously saved notebook content.

Hope this helps, Louis.
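
The notebook-hygiene advice in the reply above (avoid persisting sensitive values in cell outputs, clear outputs when sharing) can be checked mechanically. The following is an added example, not part of the original thread or Databricks' own code. It assumes the notebook has been exported in Jupyter (.ipynb, nbformat 4) form; the sample notebook, table names and values are constructed.

```python
import copy
import json

# Constructed sample: a minimal Jupyter-format (nbformat 4) notebook export
# in which one cell still holds an unmasked query result as saved output.
SAMPLE_NOTEBOOK = json.loads("""
{
  "nbformat": 4, "nbformat_minor": 5, "metadata": {},
  "cells": [
    {"cell_type": "markdown", "metadata": {}, "source": ["# Customer report"]},
    {"cell_type": "code", "metadata": {}, "execution_count": 1,
     "source": ["display(spark.table('sales.customers'))"],
     "outputs": [{"output_type": "execute_result", "execution_count": 1,
                  "metadata": {},
                  "data": {"text/plain": ["alice@example.com  123-45-6789"]}}]},
    {"cell_type": "code", "metadata": {}, "execution_count": 2,
     "source": ["df.write.saveAsTable('sales.report')"], "outputs": []}
  ]
}
""")


def cells_with_saved_output(nb):
    """Return indexes of code cells that still carry stored output."""
    return [i for i, cell in enumerate(nb.get("cells", []))
            if cell.get("cell_type") == "code" and cell.get("outputs")]


def strip_outputs(nb):
    """Return a copy of the notebook with all code-cell outputs removed."""
    clean = copy.deepcopy(nb)
    for cell in clean.get("cells", []):
        if cell.get("cell_type") == "code":
            cell["outputs"] = []             # drop rendered results
            cell["execution_count"] = None   # drop run counter as well
    return clean


if __name__ == "__main__":
    print("cells holding saved output:", cells_with_saved_output(SAMPLE_NOTEBOOK))
    cleaned = strip_outputs(SAMPLE_NOTEBOOK)
    print("after stripping:", cells_with_saved_output(cleaned))
    print("sample value still present:", "123-45-6789" in json.dumps(cleaned))
```

The second code cell writes to a table rather than displaying rows, so it carries no output to begin with, which is the pattern the reply recommends for sensitive results.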