
RLS in Genie Space

GunaR
New Contributor III

I am developing a Conversational BI Solution using Genie. There are users from different roles and we need to restrict the rows returned based on the user's role. Typically RLS. I understand from documentation Genie leverage the RLS setup on the Unity catalog. This approach expects to onboard the users to Databricks workspace, which is not feasible in my case. 

The approach is to use the Genie API to customize the chat experience for the users.

My request is, how can we pass the user ID on every conversation and use this to filter the rows using RLS? Or is there any documentation on the best practices?  

11 REPLIES

dkushari
Databricks Employee

Hi @GunaR - Are you saying these users are not set up in Databricks at all, or are you saying these users are set up in an IDP (such as Azure Entra ID) and then synced with Databricks?

GunaR
New Contributor III

Yes, these users are not in Databricks at all. The approach is to expose the custom-built chatbot to 500+ users and pass the email ID to a custom API, which invokes the Genie API internally. I need to build the mechanism to handle RLS with this approach. Is it feasible?

Jeeva
New Contributor II

Hi Guna, I have the same kind of use case. Were you able to achieve this?


GunaR
New Contributor III

Not yet, still researching how to achieve this without onboarding to Databricks. Will keep posting here if I find anything.

bianca_unifeye
New Contributor II

Hi @GunaR ,

Building a Databricks App integrated with AI/BI Genie could be a clean way to handle this. Apps allow you to expose Genie (or any model endpoint) to external users without onboarding them into the workspace.

You can authenticate users through your existing IDP (e.g., Entra ID, Okta) and pass their identity or email to the Genie API. That context can then be used to enforce row-level and column-level security via Unity Catalog.

This pattern Databricks App + Genie + Unity Catalog is the recommended way to serve governed, chat-style analytics to larger user groups securely. 

GunaR
New Contributor III

Hello @bianca_unifeye, thank you for your response. I am on the same approach. But the Genie API doesn't have an option to send the email as a request param. https://docs.databricks.com/api/workspace/genie/startconversation

@GunaR  let me check with my team as I believe we had a workaround this.

Raman_Unifeye
New Contributor III

Hi @GunaR 

This one is a tricky one as the users are not onboarded to the Databricks workspace. You will need to build a custom solution.

- Use a Service Principal for the external application to authenticate with the Genie API. This SP will have broader access to the table(s) data.

- Use an RLS Policy that uses a parameter which is dynamically passed by Genie.

  • Create a Unity Catalog SQL function that accepts the external User ID as a parameter, looks up their required filter value, and then applies the RLS logic.
  • Apply the RLS Filter to Your Data Table (ALTER TABLE ... ADD ROW FILTER)

- Genie API: Passing the User ID and Enforcing the Filter

  • Modify the Genie Space Instructions to pick up the USER_ID from provided query
  • Pass the User ID in the API call: when you call the Genie Conversation API (e.g., /api/2.0/genie/spaces/{space_id}/start-conversation), inject the user ID into the prompt or the request body's context, such as "I am the user with ID <USER_ID>. What is total revenue?"

As mentioned, it's a custom solution as there is no direct way to pass the external USER_ID to Genie directly.
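One way to realise the "SQL function that accepts the external User ID" step of the approach above, written as an added example rather than code from the thread or from Databricks. Every catalog, schema, table, function and principal name below is an assumption, and the mapping rows are constructed sample data. It uses a table-valued function with the user ID as a parameter instead of a plain ROW FILTER, for a reason a practitioner should know before building this: a row filter function only receives the filtered table's column values plus session context such as current_user() and is_account_group_member(), and under one shared service principal that context is identical for every chatbot user, so a row filter has nothing per-user to act on.

```sql
-- Added example (not from the thread or Databricks). All object names are assumptions.

-- 1. Mapping from the external (IDP) user id to the filter value it is entitled to.
CREATE TABLE IF NOT EXISTS governance.rls.external_user_region (
  external_user_id STRING NOT NULL,   -- the email the chatbot backend authenticated
  region           STRING NOT NULL    -- the row-filter value for that user
);

-- Constructed sample rows.
INSERT INTO governance.rls.external_user_region VALUES
  ('alice@example.com', 'EMEA'),
  ('bob@example.com',   'APAC');

-- 2. Table-valued function: takes the external user id and returns only the rows
--    that user may see. This is the object the Genie space instructions should
--    point at ("query sales.gold.revenue_for_user(<USER_ID>) for revenue questions").
CREATE OR REPLACE FUNCTION sales.gold.revenue_for_user(p_external_user_id STRING)
RETURNS TABLE (order_date DATE, region STRING, revenue DECIMAL(18, 2))
COMMENT 'Revenue rows restricted to the region mapped to the given external user id'
RETURN
  SELECT r.order_date, r.region, r.revenue
  FROM   sales.gold.revenue r
  JOIN   governance.rls.external_user_region m
    ON   m.region = r.region
  WHERE  m.external_user_id = p_external_user_id;

-- 3. Grant the chatbot's service principal the function. Whether it also needs
--    SELECT on the base table depends on the privilege model of your Unity Catalog
--    release; verify this explicitly, because if the SP can read the base table
--    directly, a generated query that skips the function sees every row.
GRANT EXECUTE ON FUNCTION sales.gold.revenue_for_user TO `genie-chatbot-sp`;

-- 4. The query Genie is expected to generate for the prompt
--    "I am the user with ID alice@example.com. What is total revenue?"
SELECT SUM(revenue) AS total_revenue
FROM   sales.gold.revenue_for_user('alice@example.com');
```

Two points about the trust boundary: the user ID in the prompt is self-asserted text, so the backend must write it from the IDP-authenticated session and never from anything the end user typed, and because the SQL is generated by the model, nothing in the database forces the function to be used. The controls that remain are the SP's privileges (step 3) and logging each generated statement together with the authenticated ID so a query that bypasses the function is visible in audit.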

GunaR
New Contributor III

Noted. Thank you for the suggestion; this makes it more logical.

CharlotteMarti2
New Contributor II

You can implement RLS in Genie without adding users to Databricks by passing a user identifier with each API call and having your queries filter rows based on that ID. Typically, you’d set up parameterized queries or session variables that enforce row restrictions per user role. Check if Genie’s API supports context or metadata fields for each conversation—these can carry the user ID and drive the RLS logic.

Thank you for the response @CharlotteMarti2.

I am on the same lines. Unfortunately, I don't see an option in the Genie API to set the context/metadata fields. https://docs.databricks.com/api/workspace/genie/startconversation