
Grant Unity Catalog Access without Workspace Access

shanebo425
New Contributor II

We have created a Unity Catalog instance on top of our Lakehouse (built entirely with Azure Databricks). We are using Power BI to develop and serve our analytics and reporting needs. I've granted the "Account Users" group the appropriate privileges for the given catalog/schema being used by Power BI (SELECT, USE SCHEMA, USE CATALOG, BROWSE, EXECUTE, and READ VOLUME) and our Azure Databricks account is linked to our Microsoft Entra, so all of our Entra users are synced to the "Account Users" group at the Account level (we use Entra authentication in Power BI). However, it seems our users cannot access the data in the Power BI reports without also being added to the Azure Databricks Workspace, which we don't want as these are non-technical users and we don't want them potentially creating their own notebooks or playing with ML experiments, etc.

Is there a way to grant access to Unity Catalog data WITHOUT giving users access to the Databricks workspace? I would think that since the metastore is managed at the Account level (as are the users who are added to the "Account Users" group, which is an Account-level group, not a workspace group), granting the Account Users group access to the schema (which can be shared across multiple workspaces if those workspaces belong to the same metastore) should be sufficient, but any user who attempts to access the Power BI reports that ISN'T a member of the actual workspace receives a "Microsoft ThriftExtension(14) exception: Unauthorized/Forbidden error response". If there is a workaround for this, please let me know so I can properly configure these users.


gmiguel
Contributor

Hi @shanebo425 ,

Have you tried to give them Databricks SQL access only? If the connection from PBI to UC is through a Sql Warehouse, it should work properly on PBI.

shanebo425
New Contributor II

Hi @gmiguel - I'm not aware of a way to give them SQL access only. Where would I look for this setting? The connection I have set up right now is to a SQL Warehouse cluster housed in Azure Databricks.

gmiguel
Contributor

Hi @shanebo425 ,

You can set this at Workspace level for Groups/Users/Service Principals.

Go to Workspace Settings -> Identity and Access -> Groups/Users/SPs Manage -> Select the group or user or SP -> Entitlements -> Enable Databricks SQL access


I hope it helps.


shanebo425
New Contributor II

Thanks for explaining this! This doesn't do exactly what I was hoping—it doesn't block all access to the workspace. Users can still login and access their own workspace and run SQL queries, explore the catalog, etc. But they ARE blocked from accessing Jobs, Workflows, Compute resources, and ML artefacts (including models and service endpoints). I was hoping to block them from accessing the workspace at all but that doesn't seem to be an option. I'll mark your solution as accepted as I think it's as close as I am going to get. Thanks again!