<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Permissions on job with SQL task in Data Engineering</title>
    <link>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162382#M55070</link>
    <description>&lt;P&gt;Hello &lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/210897"&gt;@balajij8&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;thank you for your answer.&lt;/P&gt;&lt;P&gt;Today I did testing with setup:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Job Creator: GCP SA&lt;/LI&gt;&lt;LI&gt;Job RunAs: SP&lt;/LI&gt;&lt;LI&gt;Query Owner: Personal account&lt;/LI&gt;&lt;LI&gt;Permissions: CAN_MANAGE for all users for both Query and Job&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Both personal account and GCP SA were able to get the job output with RunAsMode.OWNER. Both got permissions error with RunAsMode.VIEWER.&lt;/P&gt;&lt;P&gt;Based on &lt;A href="https://docs.databricks.com/gcp/en/security/auth/access-control/#job-acls" target="_blank"&gt;https://docs.databricks.com/gcp/en/security/auth/access-control/#job-acls&lt;/A&gt;, I would assume both should have permissions to view results.&lt;/P&gt;&lt;P&gt;My setup only allows me to authenticate as GCP SA, create Job with RunAs SP and create Query. That is pretty much all. And best would be to create the Query on the fly. Changing owner requires admin permissions.&lt;/P&gt;</description>
    <pubDate>Thu, 09 Jul 2026 18:57:06 GMT</pubDate>
    <dc:creator>stravi001</dc:creator>
    <dc:date>2026-07-09T18:57:06Z</dc:date>
    <item>
      <title>Permissions on job with SQL task</title>
      <link>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162279#M55055</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I am authenticated as GCP service account. I have to create query, run job as service principle and get result.&lt;/P&gt;&lt;P&gt;I'm both cases, I set permissions CAN_MANAGE for group "users" for both query and job. When I create the query with RunAsMode.OWNER, it gets limited permissions of invoker SP, but I can then access output of the task. When I create query with RunAsMode.VIEWER it gets required permissions of RunAs SP, but I am not able to access output of the task. I get error: insufficient privileges to access object queryExecutionSessions/*. As I understand from the roles description, it should have permissions with CAN_MANAGE.&lt;/P&gt;&lt;P&gt;Thank you for help.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 18:52:15 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162279#M55055</guid>
      <dc:creator>stravi001</dc:creator>
      <dc:date>2026-07-08T18:52:15Z</dc:date>
    </item>
    <item>
      <title>Re: Permissions on job with SQL task</title>
      <link>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162329#M55063</link>
      <description>&lt;P&gt;To make my question simpler. I have created Query with my personal account. I have set run as mode to viewer. I run it in task under SP, it succeeds, but I (as query owner) am not able to see output of that task, telling me I have no permissions for the query.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Jul 2026 08:12:00 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162329#M55063</guid>
      <dc:creator>stravi001</dc:creator>
      <dc:date>2026-07-09T08:12:00Z</dc:date>
    </item>
    <item>
      <title>Re: Permissions on job with SQL task</title>
      <link>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162365#M55067</link>
      <description>&lt;P&gt;What you are encountering is the expected behavior due to how Databricks isolates execution sessions and handles credential delegation between Jobs and SQL objects.&lt;/P&gt;&lt;P&gt;When you set a query to RunAsMode.VIEWER (Run as viewer), the query executes using the credentials of the Job's "Run as" service principal. Consequently, the resulting execution session (queryExecutionSessions) is owned entirely by that executing service principal. The&amp;nbsp;&lt;STRONG&gt;&lt;FONT size="3"&gt;CAN_MANAGE&lt;/FONT&gt;&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;permission on the query object itself only grants you the ability to modify the query definition, it does not implicitly grant you access to another principal's execution session. Hence, you cannot view the output result.&lt;/P&gt;&lt;P&gt;With&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;RunAsMode.OWNER&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;(Run as owner), the query executes using your credentials, which grants you access to your own session outputs and limits the permissions to your personal access level rather than the service principal's.&lt;/P&gt;&lt;H2 id="toc-hId--1269971376"&gt;&lt;FONT size="3"&gt;You can follow below&lt;/FONT&gt;&lt;/H2&gt;&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;If you want to simplify the permissions model and avoid cross-principal execution session errors entirely&lt;/U&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;-&lt;/STRONG&gt;You can&amp;nbsp;unify the execution identity across the full cycle. Set the Service Principal as the Query Owner, configure the Query with RunAsMode.OWNER, and set the Job's "Run as" identity to that Service Principal. You can then manage data access directly via Unity Catalog. This ensures the Service Principal is always accessing its own execution sessions, and you act solely as the API caller triggering the job.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;SQL File Task&lt;/U&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;-&lt;/STRONG&gt;&amp;nbsp;You can switch the Job task type from a SQL Query task to a SQL File task. By storing the SQL statements directly in a file within the Workspace, you bypass the RunAsMode complexity completely. The SQL File task will strictly use the Job's "Run as" identity, streamlining the permission model.&lt;/P&gt;&lt;P&gt;More details&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/jobs/privileges/#sql-tasks-and-permissions" rel="nofollow noopener noreferrer" target="_blank"&gt;here&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 09 Jul 2026 12:47:09 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162365#M55067</guid>
      <dc:creator>balajij8</dc:creator>
      <dc:date>2026-07-09T12:47:09Z</dc:date>
    </item>
    <item>
      <title>Re: Permissions on job with SQL task</title>
      <link>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162382#M55070</link>
      <description>&lt;P&gt;Hello &lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/210897"&gt;@balajij8&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;thank you for your answer.&lt;/P&gt;&lt;P&gt;Today I did testing with setup:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Job Creator: GCP SA&lt;/LI&gt;&lt;LI&gt;Job RunAs: SP&lt;/LI&gt;&lt;LI&gt;Query Owner: Personal account&lt;/LI&gt;&lt;LI&gt;Permissions: CAN_MANAGE for all users for both Query and Job&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Both personal account and GCP SA were able to get the job output with RunAsMode.OWNER. Both got permissions error with RunAsMode.VIEWER.&lt;/P&gt;&lt;P&gt;Based on &lt;A href="https://docs.databricks.com/gcp/en/security/auth/access-control/#job-acls" target="_blank"&gt;https://docs.databricks.com/gcp/en/security/auth/access-control/#job-acls&lt;/A&gt;, I would assume both should have permissions to view results.&lt;/P&gt;&lt;P&gt;My setup only allows me to authenticate as GCP SA, create Job with RunAs SP and create Query. That is pretty much all. And best would be to create the Query on the fly. Changing owner requires admin permissions.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Jul 2026 18:57:06 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162382#M55070</guid>
      <dc:creator>stravi001</dc:creator>
      <dc:date>2026-07-09T18:57:06Z</dc:date>
    </item>
    <item>
      <title>Re: Permissions on job with SQL task</title>
      <link>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162403#M55071</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/244187"&gt;@stravi001&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What you are encountering on the &lt;STRONG&gt;SQL Query&lt;/STRONG&gt; task is the expected behavior. You can use&amp;nbsp;&lt;STRONG&gt;SQL File task&lt;/STRONG&gt; as its behavior is more closely aligned with standard Job ACLs and completely skips the RunAsMode permission complexity.&lt;/P&gt;&lt;H3&gt;&lt;U&gt;&lt;FONT size="3"&gt;SQL File Task&lt;/FONT&gt;&lt;/U&gt;&lt;/H3&gt;&lt;P&gt;&lt;FONT size="3"&gt;You can switch the Job task type from a &lt;STRONG&gt;SQL Query&lt;/STRONG&gt; task to a &lt;STRONG&gt;SQL File&lt;/STRONG&gt; task.&lt;/FONT&gt;&lt;FONT size="3"&gt;By storing the SQL statements directly in a file you bypass the &lt;/FONT&gt;RunAsMode&lt;FONT size="3"&gt; complexity.&amp;nbsp;&lt;/FONT&gt;&lt;FONT size="3"&gt;The SQL File task strictly uses the Job's &lt;STRONG&gt;Run as&lt;/STRONG&gt; identity, which securely streamlines your permission model.&amp;nbsp;More details &lt;A href="https://docs.databricks.com/aws/en/jobs/privileges/#sql-tasks-and-permissions" target="_blank" rel="noopener"&gt;here&lt;/A&gt;.&lt;/FONT&gt;&lt;/P&gt;&lt;H3&gt;&lt;U&gt;&lt;FONT size="3"&gt;SQL Query Task&lt;/FONT&gt;&lt;/U&gt;&lt;/H3&gt;&lt;P&gt;&lt;FONT size="3"&gt;You can ask the Account Admin need to grant the &lt;STRONG&gt;Service Principal User&lt;/STRONG&gt; role as below and validate once&lt;/FONT&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;&lt;FONT size="3"&gt;&lt;STRONG&gt;To -&lt;/STRONG&gt;&amp;nbsp;The GCP SA and/or personal accounts (if both need to access the results).&lt;/FONT&gt;&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;&lt;FONT size="3"&gt;&lt;STRONG&gt;On (Target) -&lt;/STRONG&gt;&amp;nbsp;The RunAs SP (the service principal configured in the job's &lt;STRONG&gt;Run as&lt;/STRONG&gt; field).&lt;/FONT&gt;&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Fri, 10 Jul 2026 03:36:15 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162403#M55071</guid>
      <dc:creator>balajij8</dc:creator>
      <dc:date>2026-07-10T03:36:15Z</dc:date>
    </item>
    <item>
      <title>Re: Permissions on job with SQL task</title>
      <link>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162499#M55074</link>
      <description>&lt;P&gt;Hello &lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/210897"&gt;@balajij8&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I tried to use SQL File Task and was able to achieve the result. Only issue was, that I was not able to get output using WorkspaceClient.jobs.get_run_output(). It worked will direct call of /api/2.2/jobs/runs/get-output endpoint.&lt;/P&gt;&lt;P&gt;Thank you for help&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jul 2026 10:52:46 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/permissions-on-job-with-sql-task/m-p/162499#M55074</guid>
      <dc:creator>stravi001</dc:creator>
      <dc:date>2026-07-10T10:52:46Z</dc:date>
    </item>
  </channel>
</rss>

