Grant permissions to groups on catalogs linked to the same metastore

jmsimonramos1
New Contributor II

‎09-21-2024 12:54 AM

Hi everyone!
I am configuring several projects using Databricks, and I have a question regarding permission management in Unity Catalog. Here's the situation:
 
Currently, I have two different Databricks resources in an Azure account, each with its respective workspace:
  • Azure_Databricks_1 > my_workspace_1
  • Azure_Databricks_2 > my_workspace_2
Additionally, I have configured and added a metastore called "my_metastore" to both workspaces, so that both can use the same Unity Catalog metastore.
 
Furthermore, each of the two workspaces has different users, meaning there are users common to both workspaces, and users who are not. To manage access more easily, I have created workspace-level groups, specifically a group called “data_access.”
 
In addition to that, each workspace has a catalog linked to the "my_metastore," and within those catalogs, the bronze, silver, and gold schemas are defined, so the structure looks something like this:
 
Azure_Databricks_1  
my_workspace_1 > “data_access” group  
my_catalog_1 > linked to “my_metastore” with the following schemas inside:  
bronze  
silver  
gold
 
Azure_Databricks_2  
my_workspace_2 > “data_access” group  
my_catalog_2 > linked to “my_metastore” with the following schemas inside:  
bronze  
silver  
gold 
 
My question is: Is there any way to give users in the “data_access” group of workspace_1 permissions to create tables, volumes, etc., ONLY in the schemas associated with the “my_catalog_1” catalog?
 
The idea is that I, as an account-level administrator, create this catalog and schema structure in each workspace, as mentioned above, and then provide users in the “data_access” group (who can be different in each workspace) permissions to create tables and other objects but ONLY within that specific catalog, rather than in all catalogs defined within my Unity Catalog.
 
Important: Users in the “data_access” group for “my_catalog_1” should not have any access to the schemas and tables in the “my_catalog_2” catalog. That’s why I’m trying to figure out how to restrict data access at the catalog level.
 
Any ideas on how I can do this?  
 
P.S.: I have account admin and workspace admin permissions for all workspaces.
 
Thank you very much in advance.  
Best regards. 
0 Kudos

CharlesWoo
New Contributor II

‎09-21-2024 02:00 AM

You could bind the catalog to specific workspaces, making them accessbile only from workspaces they are bound to.
https://docs.databricks.com/en/catalogs/binding.html

In your example:
if `my_catalog_2` is bound to `my_workspace_2` a user in `my_workspace_1` will not be able to access or modify objects in `my_catalog_2` even if they have permissions to do so in Unity Catalog.

0 Kudos

jmsimonramos1
New Contributor II
In response to CharlesWoo

‎09-22-2024 12:13 AM

Hello, thanks for your response.

Indeed, I had already considered that part. My problem is that I cannot grant privileges to `my_catalog_2` (which is associated with `my_workspace_2`) to a group at the workspace level.

In other words, I want all users in the "data_engineers" group of `my_workspace_2` to have `ALL_PRIVILEGES` on all schemas of `my_catalogo_2`.

0 Kudos

filipniziol
Esteemed Contributor
In response to jmsimonramos1

‎09-22-2024 01:02 AM

Hi @jmsimonramos1,

  • You create data_users_1 group.
  • You grant data_users_1 the needed privileges to my_catalog_1: 

 

GRANT ALL PRIVILEGES ON CATALOG my_catalog_1 to `data_access_1`;​

 

  • You create data_users_2 group.
  • You grant data_users_2 the needed privileges to my_catalog_2:

 

GRANT ALL PRIVILEGES ON CATALOG my_catalog_2 to `data_access_2`;​​

 

  • data_users_1 has now all privileges on my_catalog_1, whereas data_users_2 has now all privileges on my_catalog_2
  • There is no need to limit catalog visibility on the workspace level if there is no requirement to do so.
  • Check the docs on unity catalog privilege management
0 Kudos