RLS in Genie Space

GunaR
New Contributor III

I am developing a Conversational BI Solution using Genie. There are users from different roles and we need to restrict the rows returned based on the user's role. Typically RLS. I understand from the documentation that Genie leverages the RLS setup on the Unity Catalog. This approach expects to onboard the users to the Databricks workspace, which is not feasible in my case.

The approach is to use the Genie API to customize the chat experience for the users.

My request is, how can we pass the user ID on every conversation and use this to filter the rows using RLS? Or is there any documentation on the best practices?  

8 REPLIES

dkushari
Databricks Employee

Hi @GunaR - Are you saying these users are not set up in Databricks at all, or are you saying these users are set up in an IDP (such as Azure Entra ID) and then synced with Databricks?

GunaR
New Contributor III

Yes, these users are not in Databricks at all. The approach is to expose the custom-built chatbot to 500+ users and pass the email ID to a custom API, which invokes the Genie API internally. I need to build the mechanism to handle RLS with this approach. Is it feasible?

Jeeva
New Contributor II

Hi Guna, I have the same kind of use case. Were you able to achieve this?


GunaR
New Contributor III

Not yet, still researching how to achieve this without onboarding to Databricks. Will keep posting here if I find anything.

bianca_unifeye
New Contributor II

Hi @GunaR ,

Building a Databricks App integrated with AI/BI Genie could be a clean way to handle this. Apps allow you to expose Genie (or any model endpoint) to external users without onboarding them into the workspace.

You can authenticate users through your existing IDP (e.g., Entra ID, Okta) and pass their identity or email to the Genie API. That context can then be used to enforce row-level and column-level security via Unity Catalog.

This pattern, Databricks App + Genie + Unity Catalog, is the recommended way to serve governed, chat-style analytics to larger user groups securely.

GunaR
New Contributor III

Hello @bianca_unifeye, thank you for your response. I am on the same approach. But the Genie API doesn't have an option to send the email as a request param. https://docs.databricks.com/api/workspace/genie/startconversation

@GunaR let me check with my team, as I believe we had a workaround for this.

Raman_Unifeye
New Contributor II

Hi @GunaR 

This one is tricky, as the users are not onboarded to the Databricks workspace. You will need to build a custom solution.

- Use a Service Principal for the external application to authenticate with the Genie API. This SP will have broader access to the table(s) data.

- Use an RLS policy that uses a parameter which is dynamically passed by Genie.

  • Create a Unity Catalog SQL function that accepts the external User ID as a parameter, looks up their required filter value, and then applies the RLS logic.
  • Apply the RLS filter to your data table (ALTER TABLE ... ADD ROW FILTER)

- Genie API: passing the User ID and enforcing the filter

  • Modify the Genie Space instructions to pick up the USER_ID from the provided query.
  • Pass the User ID in the API call. When you call the Genie Conversation API (e.g., /api/2.0/genie/spaces/{space_id}/start-conversation), inject the user ID into the prompt or the request body's context, such as "I am the user with ID <USER_ID>. What is total revenue?"

As mentioned, it's a custom solution, as there is no direct way to pass the external USER_ID to Genie directly.
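The SQL below is an added worked example of the two filtering patterns discussed in this thread; it is not code from the thread or from Databricks. The catalog, schema, table and function names (analytics.sales.orders, analytics.security.user_region_access, region_filter, allowed_regions) and the sample rows are assumptions constructed for the example. Part A is the standard Unity Catalog row filter keyed on current_user(), which only works for onboarded users; part B follows the outline above for external users, where the SP runs every query and the Genie-generated SQL itself has to carry the user's identity into a lookup function. The table-binding syntax used is ALTER TABLE ... SET ROW FILTER ... ON (...), which is the documented form.

```sql
-- Assumed names (not from the thread):
--   analytics.sales.orders(region STRING, amount DECIMAL, ...)   fact table
--   analytics.security.user_region_access                        mapping table
--   analytics.security.region_filter / allowed_regions           filter functions

-- Mapping table: which user (Databricks principal or external email) may see which region.
CREATE TABLE IF NOT EXISTS analytics.security.user_region_access (
  user_email STRING NOT NULL,
  region     STRING NOT NULL
);

-- Constructed sample rows for the example.
INSERT INTO analytics.security.user_region_access VALUES
  ('alice@example.com', 'EMEA'),
  ('bob@example.com',   'APAC');

-- Part A: onboarded users. The engine applies this predicate to every row of
-- orders no matter how the query is written, because the identity comes from
-- current_user(), not from the query text. Members of the assumed
-- 'sales_admins' account group see all rows.
CREATE OR REPLACE FUNCTION analytics.security.region_filter(row_region STRING)
RETURNS BOOLEAN
RETURN is_account_group_member('sales_admins')
    OR EXISTS (
         SELECT 1
         FROM analytics.security.user_region_access a
         WHERE a.user_email = current_user()
           AND a.region = row_region
       );

ALTER TABLE analytics.sales.orders
  SET ROW FILTER analytics.security.region_filter ON (region);

-- Part B: external users who are not Databricks principals. current_user() is
-- always the service principal here, so the filter value has to come from the
-- external user ID that the app injects into the Genie prompt. A table-valued
-- function makes the lookup explicit so the generated SQL can reference it.
CREATE OR REPLACE FUNCTION analytics.security.allowed_regions(external_user STRING)
RETURNS TABLE (region STRING)
RETURN SELECT region
       FROM analytics.security.user_region_access
       WHERE user_email = external_user;

-- Least privilege for the SP: it executes the lookup but cannot read or edit
-- the mapping table directly. (Assumed SP name.)
GRANT EXECUTE ON FUNCTION analytics.security.allowed_regions TO `genie-app-sp`;

-- The query the Genie Space instructions should lead Genie to generate for
-- "I am the user with ID alice@example.com. What is total revenue?"
SELECT SUM(o.amount) AS total_revenue
FROM analytics.sales.orders o
WHERE o.region IN (SELECT region
                   FROM analytics.security.allowed_regions('alice@example.com'));
```

The security difference between the two parts is the point of the example. In part A the filter is enforced by Unity Catalog on every read of the table. In part B nothing in the engine stops a query that omits the IN (...) predicate, because the SP has access to the whole table; the filter is only as reliable as the generated SQL and the user ID string it was given. So the app, not the end user, must supply that ID from its own authenticated IdP session, and it is worth logging the generated SQL per conversation so that queries which do not reference allowed_regions can be detected and reviewed.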
