04-29-2024 11:07 AM
We have created a Unity Catalog instance on top of our Lakehouse (built entirely with Azure Databricks). We are using Power BI to develop and serve our analytics and reporting needs. I've granted the "Account Users" group the appropriate privileges for the given catalog/schema being used by Power BI (SELECT, USE SCHEMA, USE CATALOG, BROWSE, EXECUTE, and READ VOLUME) and our Azure Databricks account is linked to our Microsoft Entra, so all of our Entra users are synced to the "Account Users" group at the Account level (we use Entra authentication in Power BI). However, it seems our users cannot access the data in the Power BI reports without also being added to the Azure Databricks Workspace, which we don't want as these are non-technical users and we don't want them potentially creating their own notebooks or playing with ML experiments, etc.
Is there a way to grant access to Unity Catalog data WITHOUT giving users access to the Databricks workspace? I would think that since the metastore is managed at the Account level (as are the users who are added to the "Account Users" group which is an Account level group, not a workspace group) that granting the Account Users group access to the schema (which can be shared across multiple workspaces if those workspaces belong to the same metastore) should be sufficient, but any user who attempts to access the Power BI reports that ISN'T a member of the actual workspace receives a "Microsoft ThriftExtension(14) exception: Unauthorized/Forbidden error response". If there is a workaround for this, please let me know so I can properly configure these users.
04-29-2024 11:39 AM
Hi @shanebo425 ,
Have you tried to give them Databricks SQL access only? If the connection from PBI to UC is through a SQL Warehouse, it should work properly on PBI.
05-01-2024 01:44 PM
Hi @gmiguel - I'm not aware of a way to give them SQL access only. Where would I look for this setting? The connection I have set up right now is to a SQL Warehouse cluster housed in Azure Databricks.
05-01-2024 02:16 PM
Hi @shanebo425 ,
You can set this at Workspace level for Groups/Users/Service Principals.
Go to Workspace Settings -> Identity and Access -> Groups/Users/SPs Manage -> Select the group or user or SP -> Entitlements -> Enable Databricks SQL access
I hope it helps.
05-01-2024 05:08 PM
Thanks for explaining this! This doesn't do exactly what I was hoping—it doesn't block all access to the workspace. Users can still log in and access their own workspace and run SQL queries, explore the catalog, etc. But they ARE blocked from accessing Jobs, Workflows, Compute resources, and ML artefacts (including models and service endpoints). I was hoping to block them from accessing the workspace at all but that doesn't seem to be an option. I'll mark your solution as accepted as I think it's as close as I am going to get. Thanks again!
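An added example, not part of the original thread: a least-privilege audit that checks which principals hold only the Databricks SQL access entitlement from the accepted answer, and which also carry other entitlements directly or through a group. It assumes the input is JSON shaped like the workspace SCIM list responses for users and groups; the sample data, user names and group names are constructed, and nested groups are not resolved.

```python
import json

# The only entitlement a Power BI-only principal should end up with.
BI_ALLOWED = {"databricks-sql-access"}

# Constructed sample in the shape of workspace SCIM list responses
# (Groups and Users); every id and name below is made up.
GROUPS_JSON = """{"Resources": [
  {"id": "g1", "displayName": "users",
   "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]},
  {"id": "g2", "displayName": "pbi-readers",
   "entitlements": [{"value": "databricks-sql-access"}]}
]}"""
USERS_JSON = """{"Resources": [
  {"userName": "analyst@example.com", "groups": [{"value": "g2"}]},
  {"userName": "viewer@example.com", "groups": [{"value": "g1"}, {"value": "g2"}]},
  {"userName": "engineer@example.com", "groups": [{"value": "g2"}],
   "entitlements": [{"value": "allow-cluster-create"}]},
  {"userName": "orphan@example.com"}
]}"""

def _values(resource):
    """Entitlement names set directly on a SCIM user or group resource."""
    return {e["value"] for e in resource.get("entitlements", [])}

def effective_entitlements(users_doc, groups_doc):
    """Union of each user's direct entitlements and those of their groups."""
    by_group = {g["id"]: _values(g) for g in groups_doc.get("Resources", [])}
    result = {}
    for user in users_doc.get("Resources", []):
        ents = _values(user)
        for ref in user.get("groups", []):
            ents |= by_group.get(ref["value"], set())
        result[user["userName"]] = ents
    return result

def audit(users_doc, groups_doc, allowed=BI_ALLOWED):
    """Report users whose effective entitlements differ from `allowed`."""
    findings = {}
    for name, ents in effective_entitlements(users_doc, groups_doc).items():
        extra, missing = ents - allowed, allowed - ents
        if extra or missing:
            findings[name] = {"extra": sorted(extra), "missing": sorted(missing)}
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(json.loads(USERS_JSON), json.loads(GROUPS_JSON)), indent=2))
```

A user listed under "extra" has picked up more than SQL access, often through a group rather than a direct grant, so the fix belongs on the group membership or the group's entitlements.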