
Creating and Managing Principals in Databricks SQL

This section describes how to create and manage principals in Databricks SQL.

The Databricks SQL Connector allows you to create and manage principals—users, groups, and roles—in Databricks SQL. These principals can be granted permissions to access resources within Databricks SQL. This feature is optional and can be configured to manage only users, only groups, only roles or all three types of principals.

Setup

By default, the settings for creating principals in Databricks SQL are configured as follows:

  • User Creation: true (enabled)
  • User Deletion: false (disabled for safety)
  • Group Creation: true (enabled)
  • Group Deletion: true (enabled)
  • Group Member Management: true (enabled)

However, it is recommended to explicitly define these values as either true or false in the connector configuration file. Explicit configuration ensures consistent behavior, even if the default values change in future releases. These configuration properties control whether the Privacera Databricks SQL connector is permitted to create, delete, and manage users and groups in Databricks SQL.

  • Set the value to true to allow the connector to perform the corresponding operation.
  • Set the value to false to prevent the connector from performing the operation.

Security Recommendation

For production environments, consider setting deletion properties to false to prevent accidental removal of principals. Group member management can be safely enabled to maintain group memberships without structural changes.

By default, principal names are converted to lowercase when created. However, the connector provides configuration options to control case sensitivity and name normalization.

Persist Case Sensitivity:

  • When case sensitivity is retained (true): Principal names (users, groups, roles) are stored and managed exactly as provided, preserving the original casing—including both uppercase and lowercase letters.

  • When case sensitivity is not retained (false, default behavior): Principal names are automatically converted to lowercase when stored and managed in Databricks SQL.

Case Conversion Options:

  • lower (default): Principal names (users, groups, roles) are converted to lowercase.
  • upper: Principal names are converted to uppercase.
  • none: Principal names are preserved exactly as provided, without any case conversion.

Case conversion properties apply only when case sensitivity is not persisted. To disable persistence:

  • Self Managed (YAML Configuration) deployments: set the following properties to "false":

    • CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY
    • CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY
    • CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY
  • PrivaceraCloud deployments: disable the following in the Access Management → ADVANCED tab of the Databricks SQL application:
      • Persist case sensitivity of user names
      • Persist case sensitivity of group names
      • Persist case sensitivity of role names
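The name-handling rules above, modelled as an added example (not Privacera's code): persistence wins, otherwise the conversion applies, and the collision check shows which portal names would be merged into one Databricks SQL principal under a given setting. The class and function names are hypothetical and the sample names are constructed.

```python
from dataclasses import dataclass

CASE_CONVERSIONS = ("lower", "upper", "none")


@dataclass(frozen=True)
class NameSettings:
    """Settings for one principal type (hypothetical names, not the connector API)."""
    persist_case_sensitivity: bool = False  # page default: not persisted
    case_conversion: str = "lower"          # page default: lower

    def __post_init__(self):
        if self.case_conversion not in CASE_CONVERSIONS:
            raise ValueError(f"unknown case conversion: {self.case_conversion!r}")


def normalize_principal_name(name: str, settings: NameSettings) -> str:
    """Return the name as the connector would store it in Databricks SQL."""
    if settings.persist_case_sensitivity:
        return name                      # conversion does not apply when persisted
    if settings.case_conversion == "lower":
        return name.lower()
    if settings.case_conversion == "upper":
        return name.upper()
    return name                          # "none": keep exactly as provided


def find_collisions(names, settings: NameSettings) -> dict:
    """Portal names that map to the same stored name under these settings.

    Colliding portal principals end up sharing one Databricks SQL principal
    (and its grants), so run this before changing persistence or conversion.
    """
    stored = {}
    for n in names:
        stored.setdefault(normalize_principal_name(n, settings), []).append(n)
    return {k: v for k, v in stored.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample portal names for the demonstration.
    sample = ["Data.Admin", "data.admin", "finance_ro"]
    print(find_collisions(sample, NameSettings()))
    print(find_collisions(sample, NameSettings(persist_case_sensitivity=True)))
```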

Warning

  • Replace the example values with your actual values.

Self Managed (YAML Configuration)

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-sql-analytics/instance1/vars.connector.databricks.sql.analytics.yml
    
  3. Set the following properties to enable or disable the connector's ability to create and manage principals in Databricks SQL:

    User Management:

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_CREATE_USER: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_DELETE_USERS: "false"
    

    User Management Properties

    Property Descriptions:

    • CREATE_USER - Controls whether the connector can create new users in Databricks SQL
    • DELETE_USERS - Controls whether the connector can delete users from Databricks SQL

    Configuration Options:

    • Set to true to enable the operation
    • Set to false to disable the operation

    Recommended Settings:

    • For production: Set DELETE_USERS: "false" to prevent accidental user deletions
    • For development: Both properties can be set to "true" for full functionality

    Group Management:

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_CREATE_GROUP: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_DELETE_GROUP: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_MANAGE_GROUP_MEMBERS: "true"
    

    Version Requirement

    Group management properties are available from release version 9.0.36.1 and later.

    Group Management Properties

    Property Descriptions:

    • CREATE_GROUP - Controls whether the connector can create new groups in Databricks SQL
    • DELETE_GROUP - Controls whether the connector can delete groups from Databricks SQL
    • MANAGE_GROUP_MEMBERS - Controls whether the connector can add/remove members from groups

    Configuration Options:

    • Set to "true" to enable the operation
    • Set to "false" to disable the operation

    Recommended Settings:

    • For production: Set DELETE_GROUP: "false" to prevent accidental group deletions
    • For development: All properties can be set to "true" for full functionality
    • Group member management can be safely enabled in all environments
  4. To customize the role name prefix, set the following property:

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_ROLE_PREFIX: "priv_user_dev"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_ROLE_PREFIX: "priv_group_dev"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_ROLE_PREFIX: "priv_role_dev"
    

  5. To retain the case of the principal names, set the following properties:

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_PERSIST_CASE_SENSITIVITY: "true"
    

  6. To use the case conversion, set the following properties:

    YAML
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_USER_NAME_CASE_CONVERSION: "upper"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_GROUP_NAME_CASE_CONVERSION: "upper"
    CONNECTOR_DATABRICKS_SQL_ANALYTICS_ROLE_NAME_CASE_CONVERSION: "none"
    

  7. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks SQL.

  3. Click on the icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to the Access Management -> ADVANCED tab.

  5. To create and manage principals in Databricks SQL, enable the following options:

    User Management:

    • Create users in Databricks SQL Endpoint by privacera
    • Delete users in Databricks SQL Endpoint by privacera

    Group Management:

    • Create groups in Databricks SQL Endpoint by privacera
    • Delete groups in Databricks SQL Endpoint by privacera
    • Manage group members in Databricks SQL Endpoint by privacera

  6. To customize the role name prefix, enter the prefix in the Role Name Prefix field.

    • Prefix of Databricks SQL Endpoint roles for portal groups: priv_group_dev
    • Prefix of Databricks SQL Endpoint roles for portal roles: priv_role_dev
  7. To retain the case of the principal names, enable the following options:

    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names
  8. To use the case conversion, add the following properties under Add New Custom Properties section:

    Bash
    ranger.policysync.connector.0.user.name.case.conversion=upper
    ranger.policysync.connector.0.group.name.case.conversion=upper
    ranger.policysync.connector.0.role.name.case.conversion=none
    
  9. If the group management options are not available in the UI, you can configure them manually by adding the following properties under Add New Custom Properties section:

    Version Requirement

    Group management properties are available from release version 9.0.36.1 and later.

    Bash
    ranger.policysync.connector.0.create.service.group=true
    ranger.policysync.connector.0.delete.service.group=true
    ranger.policysync.connector.0.manage.service.group.members=true
    

    Custom Properties Configuration

    Property Descriptions:

    • create.service.group=true enables group creation
    • delete.service.group=false disables group deletion for safety
    • manage.service.group.members=true enables group member management

    Recommended Settings:

    • For production: Set delete.service.group=false to prevent accidental deletions
    • For development: All properties can be set to true for full functionality
  10. Click SAVE to apply the changes.
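A pre-change check for the flags used in both the self-managed YAML steps and the PrivaceraCloud custom properties above, as an added example rather than a Privacera tool: it reads either key format, reports flags left at their defaults (the page recommends setting every value explicitly) and flags deletion enabled in production. The function names are hypothetical and the sample config is constructed.

```python
import re

# Flag -> (self-managed YAML key suffix, PrivaceraCloud custom-property suffix).
FLAGS = {
    "create_user":          ("CREATE_USER",          None),  # no custom property on this page
    "delete_users":         ("DELETE_USERS",         None),
    "create_group":         ("CREATE_GROUP",         "create.service.group"),
    "delete_group":         ("DELETE_GROUP",         "delete.service.group"),
    "manage_group_members": ("MANAGE_GROUP_MEMBERS", "manage.service.group.members"),
}
YAML_PREFIX = "CONNECTOR_DATABRICKS_SQL_ANALYTICS_"
PROP_PREFIX = "ranger.policysync.connector.0."
DELETION_FLAGS = ("delete_users", "delete_group")
LINE = re.compile(r'^([\w.]+)\s*[:=]\s*"?(true|false)"?$', re.IGNORECASE)


def parse_flags(text: str) -> dict:
    """Collect flag values from 'KEY: "true"' (YAML) or 'key=true' (property) lines."""
    found = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).lower() == "true"
        for flag, (yaml_key, prop_key) in FLAGS.items():
            if key == YAML_PREFIX + yaml_key or (prop_key and key == PROP_PREFIX + prop_key):
                found[flag] = value
    return found


def audit_flags(text: str, production: bool = True) -> list:
    """Findings: flags left to their defaults, and deletion enabled in production."""
    flags = parse_flags(text)
    findings = [f"{f} not set explicitly (relies on default)" for f in FLAGS if f not in flags]
    if production:
        findings += [f"{f} enabled in production" for f in DELETION_FLAGS if flags.get(f)]
    return findings


# Constructed sample vars file: enables user deletion, leaves member management implicit.
SAMPLE_YAML = """\
CONNECTOR_DATABRICKS_SQL_ANALYTICS_CREATE_USER: "true"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_DELETE_USERS: "true"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_CREATE_GROUP: "true"
CONNECTOR_DATABRICKS_SQL_ANALYTICS_DELETE_GROUP: "false"
"""

if __name__ == "__main__":
    for finding in audit_flags(SAMPLE_YAML):
        print("WARN:", finding)
```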
