cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Governance
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unity Catalog Upgrade - Maximizing System Availability - Ideas

NOOR_BASHASHAIK
Contributor

‎07-26-2023 02:26 AM

During UC upgrade, we are required to migrate to account groups from workspace local groups. We are unable to add an account group without first deleting first the workspace local group (as they both have the same name).

And, during this process, the permissions given to these groups on various objects like SQL Warehouses, all-purpose clusters are lost.

Is there a way to make the account groups & workspace local groups co-exist for some time so we can delete workspace local groups after we add account groups?

Two advantages of it –

• We don’t to spend say several minutes to re-apply lost permissions
• Platform/System is available for end users (they will be accessing legacy catalog at least)

Labels:
0 Kudos
3 REPLIES 3

Kaniz
Community Manager
Community Manager

‎07-26-2023 03:25 AM

Hi @NOOR_BASHASHAIK ,

 

Suppose you are enabling identity federation on an existing workspace. In that case, you can use account groups and workspace-local groups side-by-side. Still, it is recommended to turn workspace-local groups into account groups to take advantage of centralized workspace assignment and data access management. However, having two groups with the same name in the same workspace is impossible, so you will need to rename the workspace-local group before creating the account group with the same name.
 
Alternatively, you can make the account group with a different name and manually transfer the permissions from the workspace-local group to the account group.
 
It is important to note that when you remove a group, all users in that group are deleted from the account and lose access to any workspaces they had access to unless they are members of another group or have been directly granted access to the account or any workspaces.
 
Therefore, it is recommended to be cautious when deleting groups and to ensure that all necessary permissions are transferred before doing so.
 
Sources: https://docs.databricks.com/administration-guide/users-groups/groups.html#special-considerations-for... and https://docs.databricks.com/administration-guide/users-groups/groups.html#remove-groups-from-your-da...

 

 

0 Kudos

NOOR_BASHASHAIK
Contributor
In response to Kaniz

‎07-26-2023 05:04 AM

Hi Kaniz,

Is it possible to just convert/flag workspace local groups in the workspace into account groups? I notice the workspace local groups have a flag against them called "Workspace local".

As we will have the same groups coming from account (via SCIM), if we could do the above conversion, then other alternatives like rename are not needed. And the permissions also will stay in tact.

 

0 Kudos

NOOR_BASHASHAIK
Contributor
In response to NOOR_BASHASHAIK

‎07-26-2023 05:41 AM

also, I realized we cannot even rename workspace local groups as they are coming from AAD for us.

0 Kudos
Announcements
Welcome to Databricks Community: Lets learn, network and celebrate together

Join our fast-growing data practitioner and expert community of 80K+ members, ready to discover, help and collaborate together while making meaningful connections. 

Click here to register and join today! 

Engage in exciting technical discussions, join a group with your peers and meet our Featured Members.