cancel
Showing results forย 
Search instead forย 
Did you mean:ย 
Warehousing & Analytics
Engage in discussions on data warehousing, analytics, and BI solutions within the Databricks Community. Share insights, tips, and best practices for leveraging data for informed decision-making.
cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Create multiple SQL warehouse with custom access control

jay99
New Contributor II

We set up the SQL warehouse IAM role in the settings option. This is applied to all warehouses. How do I create sql warehouses with multiple IAM roles to maintain access control.

4 REPLIES 4

Hana
New Contributor II

I think I am trying to do the same thing, apologies if I've jumped on this and it's not (let me know and will remove this and start a new thread). 

I have created muliple SQL Warehouses and assigned different Entra group permissions to each SQL Warehouse.  Each of those groups have access to their own catalog schema (entra group permissions granted here too - Entra Group A has permissions to Catalog Schema A. Entra group B to Catalog Schema B etc).  However, these schema's have views over the same source table.  I have granted read permissions for each entra group to this source table location (ADLS2).  The problem I have is when a user belongs to more than 1 group. 

For example user Steve belongs to Entra Group A and Entra Group B.  Group A has been granted permission to SQL Warehouse A and this is how Steve is connecting to the data in Power BI.  However, because he is in both Group A and Group B, he can see both catalog schema's.  The risk is that Steve saves data for Group B in the Power BI dashboard which should only have Group A data in.

How can I restricted the access from SQL Warehouse A to only see Catalog Schema A?  Or is there another approach I should be taking?

Walter_C
Databricks Employee
Databricks Employee

Does the user has permissions to Write on both catalog schemas? Or do he has only write access on Schema A and Select on Schema B? Is this using Unity Catalog right?

In regards original question you can only select one instance profile for the warehouses

Hana
New Contributor II

Hi, Yes I am using unity catalog.  

Permissions are as follows:

Catalog Privilages: 

Entra Group A = USE_CATALOG

Entra Group B = USE_CATALOG

Schema Privilages:

Entra Group A = USE_SCHEMA and SELECT on Schema A

Entra Group B = USE_SCHEMA and SELECT on Schema B 

External Location Privilages:

Entra Group A = READ_FILES on main table location

Entra Group B = READ_FILES on (the same) main table location

Then there is a SQL (serverless) Warehouse for each entra group

Entra Group A = Can Use on SQL Warehouse A

Entra Group B - Can Use on SQL Warehouse B

Steve belongs to both Entra group A and B, but when he uses SQL Warehouse A, I only want him to be able to see the data that is returned from the view created in Schema A.

Walter_C
Databricks Employee
Databricks Employee

Unfortunately there is no way to restrict the access the compute has, the restrictions are being performed via the users permissions. Only option here will be to submit a feature request through https://docs.databricks.com/en/resources/ideas.html#ideas 

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group