
Automate run as workflow parameter to default to current user

ivvande
New Contributor II

I am trying to run a workflow within Databricks. I have 2 workflows, workflow one which always runs as the service principal, as all data gets accessed and wrangled within this workflow, and workflow 2 which always defaults to the last run account. In workflow 2 we expect users to set the 'run as' parameter to themselves, as there is a security check built into the workflow that only allows the user to see data they are authorized to see. 

The issue I am facing is that the run as parameter stays on the user who last made a change to the workflow. This creates the risk that another user can run the workflow with the previous user's account.

Is there a way to set the run as parameter to always default to the current user?

 


 

 

4 REPLIES

Isi
Contributor III

Hey,

I’d like to share my thoughts on this, as I believe the situation might be more complex than it seems, and I feel you might be using a workaround to address a problem that could be tackled differently.

If the core issue revolves around who can view specific data, you could leverage built-in catalog tools and permission settings to control data access at a more granular level. Instead of relying on the ‘run as’ parameter, you could implement access controls using catalog-level permissions, ensuring that users can only read the data they are authorized to see.

Additionally, if you need to generate results after data wrangling, a more scalable approach would be to create dynamic views, allowing only specific users (through groups) to have visibility over certain data. This can be achieved using a SQL view with conditional logic, such as:

 

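CREATE OR REPLACE VIEW filtered_data AS
SELECT
  * EXCEPT (sensitive_column),
  -- Only the listed users see the real value; everyone else gets NULL.
  CASE
    WHEN current_user() IN ('user1', 'user2') THEN sensitive_column
    ELSE NULL
  END AS sensitive_column
FROM raw_data;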

 

 

Unlike manual adjustments in the workflow execution settings, which can introduce operational risks and dependencies on user actions, catalog-level permissions ensure consistent data governance and security across all workloads.

If you find this answer helpful, feel free to mark it as resolved or give it a 👍!

🙂

saurabh18cs
Honored Contributor

Hi, how are you expecting to achieve this? Do you want users who are manually triggering this workflow to first update run_as to themselves, or do you want to make this happen programmatically?

ivvande
New Contributor II

Users will only trigger this workflow if they need to enquire if a specific change has happened, so it will always be triggered manually by different users.

saurabh18cs
Honored Contributor

I would say then you have to look for some sort of automation in front which will trigger this workflow and update run_as to the current user. Or users are asked to change it manually before every run, which is very tricky, right?

Look for a DevOps pipeline or, easier, a Python script to do this for your user.
