If you’ve ever struggled with managing granular permissions across your lakehouse or found yourself creating countless roles just to handle different access patterns, ABAC might be the solution you’ve been waiting for.
What is ABAC and Why Should Data Engineers Care?
Attribute-Based Access Control (ABAC) is a dynamic access control model that makes authorization decisions based on attributes of users, resources, actions, and environmental conditions — rather than static role assignments. In the context of Databricks Unity Catalog, ABAC allows you to create sophisticated, tag-driven policies that automatically adapt to changing conditions without requiring constant policy updates.
Think of it this way: instead of creating separate roles for “US_Sales_Manager,” “EU_Sales_Manager,” and “APAC_Sales_Manager,” you create a single policy that grants access based on user location attributes and data classification tags. The system dynamically evaluates these attributes at query time.
The Problem with Traditional RBAC
Traditional RBAC works well for simple scenarios, but it breaks down quickly as complexity grows. Consider these common challenges:
- Role explosion: As your organization scales, you need exponentially more roles to handle different combinations of permissions
- Maintenance overhead: Every organizational change requires updating multiple role definitions
- Limited granularity: RBAC typically works at table or schema level, making row or column-level access control cumbersome
- Static nature: Roles don’t adapt to changing business contexts or time-sensitive access needs
How ABAC Works in Unity Catalog
ABAC in Unity Catalog operates through three core components that work together to enforce dynamic access control:
[Figure: Databricks ABAC architecture and workflow diagram]
1. Governed Tags
Governed tags are the foundation of ABAC in Unity Catalog. These are centrally managed metadata attributes that you apply to data assets like catalogs, schemas, tables, and even individual columns. Unlike regular tags, governed tags are:
- Centrally defined: Created at the account level through tag policies
- Value-restricted: Only predefined values can be assigned
- Permission-controlled: Only authorized users can assign or modify them
Example tag policy creation:
-- Tag policy defines allowed values
-- Tag key: "data_classification"
-- Allowed values: "public", "internal", "confidential", "restricted"
2. Policies
Policies are the rules that determine access based on tag values and user attributes. Unity Catalog supports two types of ABAC policies:
- Row Filter Policies: control which rows users can see based on data content or user attributes
- Column Mask Policies: control what values users see in specific columns, potentially masking or redacting sensitive information
3. User-Defined Functions (UDFs)
UDFs contain the business logic for your access control policies. They can incorporate complex conditions, user context, and environmental factors. These functions are evaluated at query time to make real-time access decisions.
Real-World Implementation Example
Let’s walk through a practical ABAC implementation. Imagine you’re building a student analytics platform where:
- Government officials’ email addresses should be completely hidden
- Phone numbers should be masked for all users
Step 1: Enable ABAC (Beta Feature)
First, enable the required beta features:
- Account admin enables “Tag policies” in account console
- Workspace admin enables “Attribute Based Access Control” in workspace previews
Step 2: Check out the demo repository
Import this repository into your Databricks workspace:
https://github.com/mathieupelletier-db/abac-demo
Step 3: Create PII dataset
Run the 00 — Setup notebook
This will create a students table that contains sensitive information. At this point, you can also enable data classification, which will automatically apply the appropriate tags to the data (email, phone number, ssn, …).
name,email,phone,job,address,username,url,hobby
Aaliyah Popova,aaliyah.popova4783@aol.edu,(95) 94215-7906,jeweler,97 Lincoln Street,null,null,Podcasting
Konstantin Becker,konstantin.becker@gmail.com,0475 4429797,developer,826 Webster Street,null,null,Quilting
Mieko Mitsubishi,mieko_mitsubishi@msn.org,+27 61 222 4762,account manager,1309 Southwest 71st Terrace,null,null,Metal detecting
Kazuo Sun,kazuosun@hotmail.net,0304 2215930,air traffic controller,736 Sicard Street Southeast,null,null,Amateur radio
Tu Sasaki,tu_sasaki@outlook.gov,+86 16450 8250,mechanic,2140 East 56th Avenue,null,null,Ice skating
Katsumi Sasaki,katsumi.sasaki@msn.gov,+27 76 181 5878,veterinarian,6880 Ramos Lane,@katsumi.sasaki,mail.ksasaki.com,Related
Dolores Tang,dolorestang@gmail.gov,+86 11251 2534,doctor,30 Curtis Road,null,null,Gardening
Step 4: Test ABAC functionalities
Run the 01 — Apply tags and policies notebook
Output:
0,1,2,3,4,5,6,7
Aaliyah Popova,aaliyah.popova4783@aol.edu,***-**-****,jeweler,97 Lincoln Street,null,null,Podcasting
Konstantin Becker,konstantin.becker@gmail.com,***-**-****,developer,826 Webster Street,null,null,Quilting
Mieko Mitsubishi,mieko_mitsubishi@msn.org,***-**-****,account manager,1309 Southwest 71st Terrace,null,null,Metal detecting
Kazuo Sun,kazuosun@hotmail.net,***-**-****,air traffic controller,736 Sicard Street Southeast,null,null,Amateur radio
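To make the three components (governed tags, policies, UDFs) concrete for the scenario above, here is an added SQL example that is not the demo repository’s code: it assumes a catalog `main`, a schema `main.abac_demo`, an exempt group `pii_admins`, and a governed tag key `pii` with values `phone` and `email` applied to the students table’s columns. The `CREATE POLICY … MATCH COLUMNS … USING COLUMNS` syntax follows the Unity Catalog ABAC beta as I understand it, so verify it against the current Databricks documentation before use.

```sql
-- UDFs hold the business logic; the ABAC policies bind them to columns
-- by governed tag rather than by table name. All names below are assumed.

-- Column mask: replace any phone number with the fixed mask the demo prints.
CREATE OR REPLACE FUNCTION main.abac_demo.mask_phone(phone STRING)
RETURNS STRING
RETURN '***-**-****';

-- Row filter: hide rows whose email is a government (.gov) address unless
-- the caller belongs to the exempt group. TRUE keeps the row, FALSE drops it.
CREATE OR REPLACE FUNCTION main.abac_demo.hide_gov_rows(email STRING)
RETURNS BOOLEAN
RETURN is_account_group_member('pii_admins')
       OR email IS NULL
       OR NOT lower(email) LIKE '%.gov';

-- Policy 1: mask every column tagged pii = phone in every table under the
-- catalog, for all account users except pii_admins. Newly tagged tables are
-- covered automatically; no per-table ALTER TABLE is needed.
CREATE OR REPLACE POLICY mask_phone_numbers
ON CATALOG main
COMMENT 'Mask phone numbers for everyone except PII admins'
COLUMN MASK main.abac_demo.mask_phone
TO `account users`
EXCEPT `pii_admins`
FOR TABLES
MATCH COLUMNS hasTagValue('pii', 'phone') AS phone_col
USING COLUMNS (phone_col);

-- Policy 2: apply the row filter wherever a column is tagged pii = email.
CREATE OR REPLACE POLICY hide_government_officials
ON CATALOG main
COMMENT 'Drop rows belonging to government officials for non-admins'
ROW FILTER main.abac_demo.hide_gov_rows
TO `account users`
FOR TABLES
MATCH COLUMNS hasTagValue('pii', 'email') AS email_col
USING COLUMNS (email_col);

-- Check as a regular user: phones show the mask and .gov rows are absent,
-- matching the demo output; a pii_admins member sees the raw data.
SELECT name, email, phone FROM main.abac_demo.students LIMIT 5;
```

Retagging a column (for example, removing `pii = email`) detaches the policy at the next query, which is the behaviour to keep in mind when auditing who may change governed tags.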
Key Benefits for Data Engineers
Scalability Without Complexity
ABAC eliminates role explosion by using attributes instead of creating individual roles for every access pattern. A single policy can govern access across hundreds of tables, automatically applying the right controls based on tags and user context.
Dynamic Adaptation
Unlike static roles, ABAC policies adapt automatically to changing conditions. When you tag new tables or modify user attributes, the access controls adjust without manual policy updates.
Centralized Governance
All access logic is centralized through tag policies and UDFs, making it easier to audit, modify, and maintain your governance model. Changes to business rules require updates in one place rather than across multiple role definitions.
Fine-Grained Control
ABAC supports row-level filtering and column-level masking based on complex business logic. You can implement conditional access that considers time, location, user attributes, and data sensitivity levels simultaneously.
Getting Started: Best Practices
1. Start Small, Think Big
Begin with a pilot implementation on non-critical data to understand the workflow. Identify a specific use case like PII masking or geographic data restrictions.
2. Design Your Tag Taxonomy
Before implementing policies, carefully design your tag taxonomy. Consider:
- Data classification levels (public, internal, confidential, restricted)
- Geographic regions
- Business domains
- Regulatory requirements
3. Leverage Hierarchical Inheritance
Apply policies at the highest applicable level (catalog > schema > table) to maximize efficiency and reduce administrative overhead.
4. Monitor and Audit
Use Unity Catalog’s comprehensive audit logging to monitor policy effectiveness and ensure compliance.