<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>article Unity Catalog with automatic enablement (Part 2 - AWS) in Technical Blog</title>
    <link>https://community.databricks.com/t5/technical-blog/unity-catalog-with-automatic-enablement-part-2-aws/ba-p/117237</link>
    <description>&lt;P&gt;&lt;LI-TOC indent="15" liststyle="disc" maxheadinglevel="2"&gt;&lt;/LI-TOC&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;Introduction&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN&gt;In &lt;A href="https://community.databricks.com/t5/technical-blog/unity-catalog-with-automatic-enablement-part-1-azure/ba-p/117220" target="_self"&gt;part one&lt;/A&gt; of this article we introduced the ability to automatically enable Unity Catalog (UC) on new Azure Databricks workspaces and detailed exactly what happens during this process. This article takes a deep dive into the same Unity Catalog &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-metastore#enable-a-metastore-to-be-automatically-assigned-to-new-workspaces" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;Workspace Automatic Enablement&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; process when using Databricks workspaces on AWS and highlights the differences.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Much like the previous article, this one assumes the reader has an understanding of what &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;Unity Catalog is&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; and how &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/get-started" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;to set it up on AWS&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;, along with how its &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;securables (data objects) and permissions&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; are managed.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;What is a Workspace Catalog?&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P data-unlink="true"&gt;&lt;SPAN&gt;When a workspace is created with Unity Catalog automatically enabled, a workspace catalog is created and assigned to that workspace. If there is no existing Unity Catalog metastore in the cloud region in which the workspace is being created, a metastore will also be created with the defaults described below. To the Workspace Administrator and Workspace User groups this should look almost identical to how it is done on Azure, with the underlying cloud infrastructure details mostly abstracted away.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uc-by-default-aws-overview.png" style="width: 800px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/16407i126F28AC3047A20C/image-size/large?v=v2&amp;amp;px=999" role="button" title="uc-by-default-aws-overview.png" alt="uc-by-default-aws-overview.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The workspace catalog on AWS has the following properties:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;The name of the workspace catalog will match the workspace name&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;It will be owned by a system owned group called &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;_workspace_admins_${workspace_name}_${workspace_id}&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;It will have its storage root located in the S3 workspace root bucket in a dedicated folder called &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;unity-catalog&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;A system owned group called &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;_workspace_users_${workspace_name}_${workspace_id}&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; has &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;USE_CATALOG&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; rights on the workspace catalog. Members of this group also have enough rights to create objects in the default schema of the workspace catalog.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;The workspace catalog is made up of three &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;Unity Catalog securables&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;STRONG&gt;Credential&lt;/STRONG&gt;&lt;SPAN&gt;: the biggest difference on AWS is that an extra IAM role must be provisioned for the UC storage credential that will be used for the workspace catalog (details below). The name of the UC credential will match the workspace name.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;STRONG&gt;External location&lt;/STRONG&gt;&lt;SPAN&gt;: this adds the &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;unity-catalog&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; folder in the S3 workspace root bucket as a valid path in Unity Catalog. The name of this external location is also the workspace name. The path is &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;s3://${workspace_root}/unity-catalog/${workspace_id}&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;STRONG&gt;Catalog&lt;/STRONG&gt;&lt;SPAN&gt;: this is the workspace catalog, which has a storage root pointing to the &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;unity-catalog&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; folder on the external location. The name of this catalog is also the workspace name.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;All three of these UC securables are &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/catalogs/binding" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;bound&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; to the workspace and not by default available to any other workspace sharing the metastore.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;How Automatic Workspace Assignment Works&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN&gt;In order to automatically enable a workspace for Unity Catalog on AWS, two main prerequisites must be met:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;If a metastore exists it must be enabled for automatic assignment&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;A UC storage credential IAM role allowing access to the S3 workspace root bucket must be created&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;The first requirement is identical to enabling automatic assignment on Azure Databricks. As shown in part one of this article, only Databricks Accounts created after 9 November 2023 are automatically set up for &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/get-started#enablement" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;Automatic Workspace Assignment&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uc-by-default-flow-aws.png" style="width: 825px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/16408i1969309A215C722D/image-size/large?v=v2&amp;amp;px=999" role="button" title="uc-by-default-flow-aws.png" alt="uc-by-default-flow-aws.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;When creating a workspace in a region where Automatic Workspace Assignment is enabled on the Account but there is no metastore, a metastore will be created for you in the same way as it is in Azure. The properties of this metastore are:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;The metastore will be called &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;metastore_aws_${cloud_region}&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;The metastore will have no metastore owner (it will show &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;System user&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt;)&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;The metastore will be created without a storage root location&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;Delta sharing will be disabled&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;Automatic Workspace Assignment will be enabled&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;If required a &lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/admin-privileges#assign-metastore-admin" target="_blank" rel="noopener"&gt;Metastore Owner&lt;/A&gt; can be allocated by an Account Administrator.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;In order to automatically enable all new workspaces in a region for Unity Catalog on an existing metastore in that region, the &lt;FONT face="courier new,courier"&gt;Workspace assignment&lt;/FONT&gt; checkbox under the metastore settings in the Catalog section of the Account Console has to be checked.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uc-by-default-aws-metastore-tick.png" style="width: 613px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/16412i27504B007FDA0296/image-size/large?v=v2&amp;amp;px=999" role="button" title="uc-by-default-aws-metastore-tick.png" alt="uc-by-default-aws-metastore-tick.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The second prerequisite is specific to Databricks on AWS. The &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/get-started#enablement" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;documentation&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; states:&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;I&gt;&lt;SPAN&gt;Your workspace gets the workspace catalog only if the workspace creator provided an appropriate IAM role and storage location during workspace provisioning.&lt;/SPAN&gt;&lt;/I&gt;&lt;/P&gt;
&lt;P data-unlink="true"&gt;&lt;SPAN&gt;We will go into detail on how this IAM role works in the section on &lt;/SPAN&gt;&lt;SPAN&gt;AWS Infrastructure&lt;/SPAN&gt;&lt;SPAN&gt; below.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;As on Azure, when a metastore is assigned to a workspace a default catalog name is set for all users of that workspace. If the workspace is created via the UI and automatically enabled for UC, the default catalog will be the workspace catalog. If the workspace is created via an API (currently supported via the &lt;A href="https://docs.databricks.com/aws/en/admin/workspace/quick-start" target="_blank" rel="noopener"&gt;Quickstart CloudFormation template&lt;/A&gt;), the default catalog will be the &lt;FONT face="courier new,courier"&gt;hive_metastore&lt;/FONT&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;AWS infrastructure deployed during automatic enablement&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN&gt;When provisioning a Databricks Workspace on AWS there have always been the following required items of supporting AWS infrastructure:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;STRONG&gt;S3 workspace root bucket&lt;/STRONG&gt;&lt;SPAN&gt;: This is an S3 bucket used for workspace storage, including DBFS and the workspace filesystem.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;STRONG&gt;IAM cross account role&lt;/STRONG&gt;&lt;SPAN&gt;: This allows Databricks to launch EC2 instances for cluster nodes in the customer compute plane AWS account. The S3 workspace root bucket includes a bucket policy to allow this cross account access.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN&gt;When setting up a workspace for automatic UC enablement we also need to provide another IAM role to be used as the UC storage credential for the workspace catalog storage. This role allows UC to access the &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;unity-catalog&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; folder in the S3 workspace root and to put the workspace catalog storage root in that folder.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uc-by-default-aws-infrapng.png" style="width: 999px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/16413iC34B978385954F19/image-size/large?v=v2&amp;amp;px=999" role="button" title="uc-by-default-aws-infrapng.png" alt="uc-by-default-aws-infrapng.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;This storage credential IAM role is a standard &lt;A href="https://docs.databricks.com/aws/en/connect/unity-catalog/cloud-storage/storage-credentials" target="_blank" rel="noopener"&gt;Unity Catalog self-assuming IAM role&lt;/A&gt;, as outlined in the documentation for creating storage credentials in UC. The IAM policy attached to that role grants access only to the &lt;FONT face="courier new,courier"&gt;unity-catalog&lt;/FONT&gt; folder of the S3 workspace root bucket, as shown in the policy below. The trust relationship, with its self-assuming policy, is the same as for any other UC storage credential IAM role; this &lt;A href="https://medium.com/databricks-platform-sme/a-storage-configuration-mystery-f3b47acd8815" target="_blank" rel="noopener"&gt;Medium post covers&lt;/A&gt; the details.&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="json"&gt;{
    "Version": "2012-10-17",
    "Id": "databricks-uc-dbfs-bucket-access",
    "Statement": [
        {
            "Action": [
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::anzps-uc-by-default",
                "arn:aws:s3:::anzps-uc-by-default/unity-catalog/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::332745928618:role/anzps-uc-by-default-workspace-cred"
            ]
        }
    ]
}&lt;/LI-CODE&gt;
&lt;P&gt;&lt;SPAN&gt;When provisioning the workspace there are now steps in the S3 workspace storage provisioning where you provide the ARN of your Unity Catalog storage credential IAM role. You can also see that the generated bucket policy explicitly denies the workspace cross account role (the role compute and DBFS use to access the workspace root bucket) any access to the &lt;FONT face="courier new,courier"&gt;unity-catalog&lt;/FONT&gt; folder, which ensures all access to that folder must go through Unity Catalog.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uc-by-default-aws-workspace-provisioning.png" style="width: 999px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/16414i991D4FDBE9B150C3/image-size/large?v=v2&amp;amp;px=999" role="button" title="uc-by-default-aws-workspace-provisioning.png" alt="uc-by-default-aws-workspace-provisioning.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;System-owned groups and permissions&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN&gt;The system owned groups that are provisioned with the workspace work the same way they do in Azure, and just like in Azure these groups do not appear in most surfaces of the Workspace UI, Account Console or APIs and cannot be used to grant Unity Catalog privileges on other securables. The membership of these groups is kept in sync with all the users who have been pushed to the workspace with either the &lt;FONT face="courier new,courier"&gt;ADMIN&lt;/FONT&gt; or &lt;FONT face="courier new,courier"&gt;USER&lt;/FONT&gt; role &lt;A href="https://docs.databricks.com/aws/en/admin/users-groups/best-practices#assign-groups-workspace-permissions" target="_blank" rel="noopener"&gt;using Identity Federation&lt;/A&gt;. These groups have enough permissions for the Workspace Administrators to manage the workspace catalog and for Workspace Users to start using UC in the workspace catalog &lt;FONT face="courier new,courier"&gt;default&lt;/FONT&gt; schema.&lt;/SPAN&gt;&lt;/P&gt;
&lt;TABLE border="1" width="100%"&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD width="33.333333333333336%"&gt;&lt;STRONG&gt;Group&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD width="33.333333333333336%"&gt;&lt;STRONG&gt;Name&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD width="33.333333333333336%"&gt;&lt;STRONG&gt;Unity Catalog Grants&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR&gt;
&lt;TD width="33.333333333333336%"&gt;
&lt;P&gt;&lt;SPAN&gt;Workspace Admin&lt;/SPAN&gt;&lt;/P&gt;
&lt;/TD&gt;
&lt;TD width="33.333333333333336%"&gt;
&lt;P&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;_workspace_admins_${workspace_name}_${workspace_id}&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;/TD&gt;
&lt;TD width="33.333333333333336%"&gt;
&lt;P&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;OWNER&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; on credential, external location and workspace catalog in addition to the metastore level rights listed in the next section&lt;/SPAN&gt;&lt;/P&gt;
&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR&gt;
&lt;TD width="33.333333333333336%"&gt;
&lt;P&gt;&lt;SPAN&gt;Workspace Users&lt;/SPAN&gt;&lt;/P&gt;
&lt;/TD&gt;
&lt;TD width="33.333333333333336%"&gt;
&lt;P&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;_workspace_users_${workspace_name}_${workspace_id}&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;/TD&gt;
&lt;TD width="33.333333333333336%"&gt;
&lt;P&gt;&lt;SPAN&gt;Usage (&lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;USE_CATALOG&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt;) rights on the workspace catalog and usage rights on the &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;default&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; schema (see below)&lt;/SPAN&gt;&lt;/P&gt;
&lt;/TD&gt;
&lt;/TR&gt;
&lt;/TBODY&gt;
&lt;/TABLE&gt;
&lt;P&gt;&lt;SPAN&gt;The following shows the grants on the &lt;/SPAN&gt;&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;default&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN&gt; schema for the Workspace Users.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uc-by-default-aws-user-grants-default-schema.png" style="width: 702px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/16454i9B5CC75648B34B4D/image-size/large?v=v2&amp;amp;px=999" role="button" title="uc-by-default-aws-user-grants-default-schema.png" alt="uc-by-default-aws-user-grants-default-schema.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;Metastore-level grants for Auto-Enabled Workspace Administrators&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN&gt;The implementation of Unity Catalog Metastore &lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges" target="_blank" rel="noopener"&gt;grants&lt;/A&gt; that allow the Workspace Admins group to create other top level objects in Unity Catalog is the same as was shown for the Azure deployment. The screenshot also shows this workspace was deployed using the Account Console, meaning the default catalog is the workspace catalog.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uc-by-default-aws-metastore-admin-grants.png" style="width: 982px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/16455iA8303A30B886EB5B/image-size/large?v=v2&amp;amp;px=999" role="button" title="uc-by-default-aws-metastore-admin-grants.png" alt="uc-by-default-aws-metastore-admin-grants.png" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;These grants do not include ownership of the metastore, meaning the workspace admin cannot delete metastore level UC securables that were created or are owned by other identities, including the workspace catalog and securables of other workspaces created with UC by default.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;These grants also allow the Workspace Administrators to create other catalogs and the related underlying securables such as credentials and external locations. By default any securable created is owned by the individual identity that created it, and that owner can transfer ownership to a group.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;Best practices for using the workspace catalog&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN&gt;The guidance for using the workspace catalog is the same as that given for Azure: the workspace catalog is great for initial enablement, but it also ties your data to the lifecycle of the workspace. The recommendation remains to adhere to &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;existing best practices&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; for creating catalogs, aligning them with the SDLC (Software Development Lifecycle), business units, and/or projects. This allows more flexibility to segregate storage away from the workspace and to bind these catalogs to multiple workspaces where required. It also means that the addition or removal of a workspace does not impact the lifecycle of any data stored in Unity Catalog.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The metastore permissions granted to the system owned Workspace Admins group give enough permissions to create the required securables (credentials, external locations, catalogs etc) to achieve the required catalog design for your organisation.&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN&gt;Conclusion&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN&gt;The experience of using Unity Catalog with an automatically provisioned workspace catalog on AWS should not look materially different to the Workspace Admins and Users than it would for an Azure Databricks workspace. The underlying cloud infrastructure is mostly abstracted away but at times it can be useful to understand these differences, especially for those planning the initial deployment of a workspace on either cloud. The end result in both is a way to start using Unity Catalog from the first time the workspace is deployed, allowing the workspace users to get all the benefits of the Databricks Data Intelligence Platform.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;For further information and best practices on how to get the most out of UC, please follow the &lt;A href="https://medium.com/databricks-unity-catalog-sme" target="_blank" rel="noopener"&gt;Databricks Unity Catalog SME page on Medium&lt;/A&gt;. &lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 06 May 2025 11:07:46 GMT</pubDate>
    <dc:creator>stevejohansen</dc:creator>
    <dc:date>2025-05-06T11:07:46Z</dc:date>
    <item>
      <title>Unity Catalog with automatic enablement (Part 2 - AWS)</title>
      <link>https://community.databricks.com/t5/technical-blog/unity-catalog-with-automatic-enablement-part-2-aws/ba-p/117237</link>
      <description>&lt;P&gt;&lt;SPAN&gt;In part one we discussed how Unity Catalog (UC) is the foundation for all governance and management of data objects in the Databricks Data Intelligence Platform. Since its launch several years ago Unity Catalog has become the best way to experience Databricks. This article covers deployments of Databricks on AWS and presents an overview of exactly what happens when a workspace catalog is automatically provisioned for a new Databricks workspace on AWS, along with the key differences from Azure Databricks.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 06 May 2025 11:07:46 GMT</pubDate>
      <guid>https://community.databricks.com/t5/technical-blog/unity-catalog-with-automatic-enablement-part-2-aws/ba-p/117237</guid>
      <dc:creator>stevejohansen</dc:creator>
      <dc:date>2025-05-06T11:07:46Z</dc:date>
    </item>
  </channel>
</rss>

