Hi @Ralph_RevoData, certainly! Ensuring better security by default is crucial, especially to prevent inadvertent information leaks.
Let’s explore how you can configure query access control in Databricks to limit query access permissions:
Query Permissions:
- Databricks provides five permission levels for queries:
  - No Permissions: No access to the query.
  - Can View: View query details (e.g., query text, results).
  - Can Run: Execute the query.
  - Can Edit: Modify the query.
  - Can Manage: Control query permissions (e.g., add/delete queries).
- Each permission level grants specific abilities related to query management.
Sharing Settings:
- When creating or managing a query, you can configure sharing settings:
  - Run as Viewer: The viewer’s credentials are used to execute the query. The viewer must have at least “Can Use” permissions on the warehouse.
  - Run as Owner: The owner’s credentials are used to execute the query.
- By default, queries are often set to “Run as Owner,” which can be risky if not handled carefully.
Best Practices to Raise Security:
- Folder Organization: Organize queries into folders. Queries within a folder inherit the folder’s permissions settings.
- Permissions by Folder: For example, if a user has “Can Run” permission on a folder, they automatically have the same permission on queries within that folder.
- Configure Permissions Early: Set permissions during query creation or immediately after saving. Avoid relying on manual changes later.
Avoiding Forgetfulness:
- To prevent forgetting to change permissions, consider the following steps:
  - Create a Template: Create a template query with the desired permissions (e.g., “Run as Viewer”).
  - Clone from Template: Whenever you create a new query, clone it from the template. This ensures consistent permissions.
  - Automate: If possible, automate query creation and permissions setup using scripts or APIs.
Remember that security practices vary based on your organization’s policies and requirements. By following these guidelines, you can enhance security and minimize the risk of information leaks. 🛡️
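
An added example, not part of the original post: a small audit that flags queries set to “Run as Owner” whose effective permissions let anyone other than the owner run them. The record layout (`run_as`, `acl`, `folder`) and the "highest grant wins" merge of folder and query permissions are assumptions for illustration, not the Databricks API schema; the inventory below is constructed.

```python
# Permission levels in the order the post lists them, weakest first.
LEVELS = ["No Permissions", "Can View", "Can Run", "Can Edit", "Can Manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample inventory (hypothetical field names, not a real export).
FOLDERS = {
    "/finance": {"analysts": "Can Run"},
    "/sandbox": {"analysts": "Can View"},
}
QUERIES = [
    {"name": "revenue_by_customer", "owner": "alice", "folder": "/finance",
     "run_as": "owner", "acl": {}},
    {"name": "team_dashboard", "owner": "bob", "folder": "/finance",
     "run_as": "viewer", "acl": {"analysts": "Can Edit"}},
    {"name": "scratch", "owner": "carol", "folder": "/sandbox",
     "run_as": "owner", "acl": {"dave": "Can Run"}},
    {"name": "private_notes", "owner": "dave", "folder": "/sandbox",
     "run_as": "owner", "acl": {}},
]


def effective_acl(query, folders):
    """Merge inherited folder grants with the query's own grants.

    Assumption: when both grant a level to the same principal, the
    higher one applies.
    """
    acl = dict(folders.get(query["folder"], {}))
    for principal, level in query.get("acl", {}).items():
        if RANK[level] > RANK[acl.get(principal, "No Permissions")]:
            acl[principal] = level
    return acl


def audit(queries, folders):
    """Return (query name, principals) pairs where a non-owner can run
    a query that executes with the owner's credentials."""
    findings = []
    for q in queries:
        if q["run_as"] != "owner":
            continue  # Run as Viewer uses the caller's own credentials
        exposed = sorted(
            p for p, level in effective_acl(q, folders).items()
            if p != q["owner"] and RANK[level] >= RANK["Can Run"]
        )
        if exposed:
            findings.append((q["name"], exposed))
    return findings


if __name__ == "__main__":
    for name, principals in audit(QUERIES, FOLDERS):
        print(f"{name}: runs as owner, runnable by {', '.join(principals)}")
```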