Unity Catalog (how security works)

• Securables: metastore → catalogs → schemas → tables/views/functions/materialized views → volumes/external locations → credentials. Privileges inherit downward (grant at catalog ⇒ applies to all current/future objects in its schemas). (Microsoft Learn, Databricks Documentation)

---

How to secure tables (and “hide” them)

1. Grant only what’s needed on the parents
   If a user doesn’t have USE CATALOG (on the catalog) and USE SCHEMA (on the schema), they can’t even see the objects inside. Grant these only to people who should browse that area. (Microsoft Learn)
2. Grant table-level access explicitly
   Give SELECT to read, MODIFY to write (append/update/delete), and keep MANAGE limited to data stewards. Example policy-by-group:

-- grant browse-only on the container
GRANT USE CATALOG ON CATALOG finance TO `analyst_ro`;
GRANT USE SCHEMA  ON SCHEMA  finance.curated TO `analyst_ro`;

-- allow read but not write
GRANT SELECT ON ALL TABLES IN SCHEMA finance.curated TO `analyst_ro`;

-- writers (still need USE privileges above)
GRANT MODIFY ON ALL TABLES IN SCHEMA finance.curated TO `etl_rw`;

(You can also grant at catalog level to cascade.) (Databricks Documentation)

3. To “hide” tables
   Don’t grant USE CATALOG / USE SCHEMA on the parents. Note: in many workspaces the main catalog is browseable by default—use your own catalogs and control USE precisely. (Microsoft Learn)
4. Fine-grained (when users share a schema):

• Row filters and column masks (per table) to enforce row/column-level security.
• Dynamic views for read-only, filtered projections. (Databricks Documentation)

---

What permissions exist? (most-used, by object)

• Catalog: USE CATALOG, CREATE SCHEMA, plus cascade grants like SELECT, MODIFY, EXECUTE, MANAGE if given at catalog scope.
• Schema: USE SCHEMA, CREATE TABLE/VIEW/FUNCTION/MATERIALIZED VIEW/VOLUME, SELECT, MODIFY, EXECUTE, MANAGE.
• Table/View/MV: SELECT, MODIFY, REFRESH (MV), MANAGE.
• Function/Procedure/Model: EXECUTE.
• Volume: READ VOLUME, WRITE VOLUME.
  (Full matrix lives in docs.) (Microsoft Learn)

What is MANAGE?

Lets a principal view & change privileges, transfer ownership, drop/rename the object. It’s not included in ALL PRIVILEGES, and holders still need USE CATALOG/USE SCHEMA to reach the object. Think “privilege admin for this object.” (Databricks Documentation)

---

How to manage privileges on objects

• SQL (works everywhere)

-- show, grant, revoke
SHOW GRANTS ON TABLE finance.curated.sales;
GRANT SELECT ON TABLE finance.curated.sales TO `analyst_ro`;
REVOKE SELECT ON TABLE finance.curated.sales FROM `analyst_ro`;

• Catalog Explorer (UI): Data → pick object → Permissions tab → Grant/Revoke.
• CLI and Terraform (databricks_grant) for automation / IaC. (Microsoft Learn, Terraform Registry)

---

What is Data Access Control in Databricks?

Three systems, used together:

1. Unity Catalog for data objects (tables/views/functions/volumes/etc.).
2. Workspace ACLs for notebooks, repos, clusters/SQL warehouses, etc.
3. Account RBAC for account-level resources (users/groups/SPs, workspaces). (Databricks Documentation, Microsoft Learn)

---

Different ways to provide privileges in UC

• SQL GRANT/REVOKE, Catalog Explorer (UI), Databricks CLI, Terraform. Use inheritance to keep policies DRY (grant at catalog/schema when possible). (Databricks Documentation, Microsoft Learn)

---

Securing files behind tables

• Use storage credentials + external locations for governed access to cloud storage, then build tables/volumes on top.
• For files (non-tabular), use Volumes with READ VOLUME / WRITE VOLUME. (Microsoft Learn)

---

Row/column-level security (copy-paste starters)

Column mask (show full SSN only to auditors):

CREATE OR REPLACE FUNCTION governance.mask_ssn(ssn STRING) RETURNS STRING
RETURN CASE WHEN is_account_group_member('auditors') THEN ssn ELSE concat('XXX-XX-', right(ssn,4)) END;

ALTER TABLE finance.curated.customers
ALTER COLUMN ssn SET MASK governance.mask_ssn;

Row filter (only see own region):

CREATE OR REPLACE FUNCTION governance.row_is_my_region(rgn STRING) RETURNS BOOLEAN
RETURN rgn = current_user_region();  -- your UDF/lookup

ALTER TABLE finance.curated.orders
SET ROW FILTER governance.row_is_my_region ON (region);

Docs include ABAC-based (tag) policies if you prefer central governance. (Databricks Documentation)

---

End-to-end “secure by default” checklist

1. Model data: catalogs per domain/env; schemas for bronze/silver/gold.
2. Least privilege: grant USE only where browsing is allowed; SELECT/MODIFY only to the right groups; MANAGE to stewards. (Microsoft Learn)
3. Govern files: external locations + volumes; avoid direct keys on clusters. (Microsoft Learn)
4. Fine-grained controls: row filters, masks, or dynamic views. (Databricks Documentation)
5. Automate via Terraform/CLI; audit with system tables & lineage (Catalog Explorer). (Terraform Registry)