Databricks

141402 · ‎06-20-2023

Hi everybody,

I am curious if there is a way to raise the security level by default. Specifically if it is possible to configure the default setting to limit the access of the query, rather than granting it open, as right now from my side the default setting is "run as owner", regardless the folder where the query is saved and, only after is saved, it's possible to change the credentials to "viewer's".

I'm interested in avoiding any forgetfulness on this "change" step, as it could lead to an information leak.

Best

Anonymous · ‎06-20-2023

Hi @jasmine.canti

Great to meet you, and thanks for your question!

Let's see if your peers in the community have an answer to your question. Thanks.

Ralph_RevoData · ‎11-06-2023

I would like this too. Or perhaps the ability to change this programmatically in bulk. The CLI, SDK and Rest Endpoints don't appear to work and will not let me change this.

Kaniz · ‎11-28-2023

Hi @Ralph_RevoData , Certainly! Ensuring better security by default is crucial, especially to prevent inadvertent information leaks.

Let’s explore how you can configure query access control in Databricks to limit query access permissions:

Query Permissions:

Databricks provides five permission levels for queries:
- No Permissions: No access to the query.
- Can View: View query details (e.g., query text, results).
- Can Run: Execute the query.
- Can Edit: Modify the query.
- Can Manage: Control query permissions (e.g., add/delete queries).
Each permission level grants specific abilities related to query management.

Sharing Settings:

When creating or managing a query, you can configure sharing settings:
- Run as Viewer: The viewer’s credentials are used to execute the query. The viewer must have at least “Can Use” permissions on the warehouse.
- Run as Owner: The owner’s credentials are used to execute the query.
By default, queries are often set to “Run as Owner,” which can be risky if not handled carefully.

Best Practices to Raise Security:

Folder Organization: Organize queries into folders. Queries within a folder inherit the folder’s permissions settings.
Permissions by Folder: For example, if a user has “Can Run” permission on a folder, they automatically have the same permission on queries within that folder.
Configure Permissions Early: Set permissions during query creation or immediately after saving. Avoid relying on manual changes later.

Avoiding Forgetfulness:

To prevent forgetting to change permissions, consider the following steps:
- Create a Template: Create a template query with the desired permissions (e.g., “Run as Viewer”).
- Clone from Template: Whenever you create a new query, clone it from the template. This ensures consistent permissions.
- Automate: If possible, automate query creation and permissions setup using scripts or APIs.

Remember that security practices vary based on your organization’s policies and requirements. By following these guidelines, you can enhance security and minimize the risk of information leaks. 🛡️

Databricks

Have "viewer's credential" as default setting in Query access control, instead of "owner's credential"

Unity Catalog Lakeguard: Industry-first and only data governance for multi-user Apache™ Spark cluste

Announcing the General Availability of Databricks Asset Bundles

Register now and save 50% on training at Data + AI Summit!

How to successfully build GenAI applications

Meet DBRX, the New Standard for High-Quality LLMs