
Creating and Managing Principals in Databricks Unity Catalog

This section describes how to create and manage principals in Unity Catalog.

The Unity Catalog Connector allows you to create and manage principals in Unity Catalog. Principals are users and groups in the Unity Catalog that can be granted permissions to access resources in the Unity Catalog. This feature is optional and can be configured to manage only users, only groups, or both.

When creating groups, the connector can prepend a configurable prefix to the group name, so that groups created by the connector can be told apart from groups that already exist in the Databricks account. The Setup section documents the property for setting this prefix.

If the same Databricks Unity Catalog is shared by multiple Privacera connectors, it is recommended that you do not enable this feature.

Enabling it makes each connector create users and groups in Unity Catalog, and connectors that create principals independently can conflict with one another (for example, two connectors claiming the same group name). If you are using multiple connectors, use Databricks SCIM support instead to manage users and groups directly from your identity provider (IdP), so that a single source of truth provisions the principals and the connectors only grant permissions to them.

This applies whenever multiple connectors are used for the same Databricks account, regardless of whether they use the same Unity Catalog metastore or different metastores.

See Support Multiple Unity Catalog Connectors for MetaStores.

Prerequisites

To create and manage principals in Unity Catalog, the Databricks identity the connector authenticates as (the service user) must have the account admin role, because the users and groups are created at the Databricks account level rather than in a single workspace or metastore. Account admin is the most privileged role in a Databricks account, so use a dedicated identity for the connector, limit who can read its credentials, and do not reuse it for other integrations.

Setup

The default setting for creating and managing principals in Unity Catalog is true. It is nevertheless recommended to set the value explicitly to true or false in the connector configuration file, so that the connector behaves the same way even if the default changes in a future release. The properties below determine whether the Privacera Unity Catalog connector is allowed to create users and groups in Databricks Unity Catalog.

  • Set the value to true to allow the connector to create the corresponding principal if it does not already exist.
  • When enabled, users or groups created in the Privacera Portal will automatically be created in Unity Catalog as account-level users or groups.

By default, the connector converts principal names to lowercase when it creates them in Unity Catalog. Separate options let you retain the original case of user, group and role names.

  • When case sensitivity is retained (true): The principal names (users, groups, roles) are stored and managed exactly as provided, preserving uppercase and lowercase letters.

  • When case sensitivity is not retained (false, default behavior): Principal names are automatically converted to lowercase in the Unity Catalog.

Privacera Manager

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. Set the following properties to enable or disable creation of principals in Unity Catalog by the connector:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_CREATE_USER: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_CREATE_GROUP: "true"
    

  4. To customize the group name prefixes, set the following properties:

    Understanding Group and Role Mapping

    Unity Catalog has groups but no roles, so both Privacera groups and Privacera roles are created as Unity Catalog groups. The two prefixes let you tell them apart:

    • Privacera Groups: mapped to Unity Catalog groups named with the GROUP_ROLE_PREFIX.
    • Privacera Roles: mapped to Unity Catalog groups named with the ROLE_ROLE_PREFIX (since Unity Catalog does not support roles directly).

    Keep the two prefixes distinct; if they were identical, a Privacera group and a Privacera role with the same name would map to the same Unity Catalog group.

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_ROLE_PREFIX: "priv_group_dev"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_ROLE_PREFIX: "priv_role_dev"
    
  5. To retain the case of the principal names, set the following properties:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_NAME_PERSIST_CASE_SENSITIVITY: "true"
    
  6. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup

    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade

    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to the Access Management -> ADVANCED tab.

  5. To let Privacera create and manage principals in Unity Catalog, enable the following options:

    • Create account users in Databricks Unity Catalog by Privacera
    • Create account groups in Databricks Unity Catalog by Privacera
  6. To customize the group name prefixes, enter them in the following fields:

    • Prefix of Databricks Unity Catalog roles for portal groups: priv_group_dev
    • Prefix of Databricks Unity Catalog roles for portal roles: priv_role_dev
  7. To retain the case of the principal names, enable the following options:

    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names
  8. Click SAVE to apply the changes.
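The naming rules described above (one prefix per principal kind, optional lowercasing) and the warning about several connectors sharing one Databricks account can be checked before CREATE_GROUP is switched on. The following Python is an added example, not Privacera's or Databricks' code. It assumes the prefix is joined to the principal name with an underscore and that the lowercase conversion is a plain lowercasing of the whole name (the page specifies neither), and it runs against constructed sample data in place of a real export of the account's groups.

```python
"""Pre-flight naming check for Privacera-managed groups in Databricks Unity Catalog.

Added example (not Privacera's or Databricks' code). It models the naming rules
described on this page under two labelled assumptions and runs three checks on
constructed sample data:
  1. portal principals that would collide on one Unity Catalog group name once the
     connector lowercases them (PERSIST_CASE_SENSITIVITY = false);
  2. Unity Catalog groups that already carry this connector's prefix but match no
     portal group or role (likely created by another connector instance, or stale);
  3. connector instances on the same Databricks account whose prefixes overlap, so
     their groups cannot be told apart.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# ASSUMPTION: the prefix and the principal name are joined with a single "_".
# The page does not state the separator; adjust if your deployment differs.
SEPARATOR = "_"


@dataclass(frozen=True)
class ConnectorConfig:
    """The four properties from vars.connector.databricks.unity.catalog.yml that shape names."""
    group_role_prefix: str            # CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_ROLE_PREFIX
    role_role_prefix: str             # CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_ROLE_PREFIX
    persist_group_case: bool = False  # ..._GROUP_NAME_PERSIST_CASE_SENSITIVITY
    persist_role_case: bool = False   # ..._ROLE_NAME_PERSIST_CASE_SENSITIVITY

    def uc_group_name(self, name: str, kind: str) -> str:
        """Unity Catalog group name for a Privacera group or role (kind: "group" | "role")."""
        if kind == "group":
            prefix, persist = self.group_role_prefix, self.persist_group_case
        elif kind == "role":
            prefix, persist = self.role_role_prefix, self.persist_role_case
        else:
            raise ValueError(f"unknown principal kind: {kind!r}")
        full = f"{prefix}{SEPARATOR}{name}"
        # ASSUMPTION: the lowercase conversion is a plain str.lower() of the whole name.
        return full if persist else full.lower()


def find_case_collisions(cfg: ConnectorConfig, portal_groups: list[str],
                         portal_roles: list[str]) -> dict[str, list[str]]:
    """Map each Unity Catalog name that two or more portal principals share to those principals.

    A collision means the connector would treat distinct Privacera principals as one
    Unity Catalog group, so members of one would inherit grants meant for the other.
    """
    mapped: dict[str, list[str]] = defaultdict(list)
    for g in portal_groups:
        mapped[cfg.uc_group_name(g, "group")].append(f"group:{g}")
    for r in portal_roles:
        mapped[cfg.uc_group_name(r, "role")].append(f"role:{r}")
    return {name: owners for name, owners in mapped.items() if len(owners) > 1}


def find_unmanaged_prefixed_groups(cfg: ConnectorConfig, portal_groups: list[str],
                                   portal_roles: list[str], uc_groups: list[str]) -> list[str]:
    """Unity Catalog groups under this connector's prefixes that no portal principal maps to."""
    expected = {cfg.uc_group_name(g, "group") for g in portal_groups}
    expected |= {cfg.uc_group_name(r, "role") for r in portal_roles}
    prefixes = tuple(p.lower() + SEPARATOR
                     for p in (cfg.group_role_prefix, cfg.role_role_prefix))
    return sorted(g for g in uc_groups
                  if g.lower().startswith(prefixes) and g not in expected)


def overlapping_prefixes(instances: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of connector instances (name -> prefix) whose prefixes are equal or nested.

    "priv_group" and "priv_group_dev" overlap: every group of the second also starts
    with "priv_group_", so neither instance can tell its own groups from the other's.
    """
    names = sorted(instances)
    pairs: list[tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = instances[a].lower() + SEPARATOR, instances[b].lower() + SEPARATOR
            if pa.startswith(pb) or pb.startswith(pa):
                pairs.append((a, b))
    return pairs


# Constructed sample data (not taken from a real account).
PORTAL_GROUPS = ["Finance", "finance", "Data-Eng"]
PORTAL_ROLES = ["Finance"]
# Stand-in for an export of the account-level groups Unity Catalog already has.
UC_GROUPS = ["priv_group_dev_finance", "priv_group_dev_marketing",
             "priv_role_dev_finance", "admins"]
INSTANCES = {"instance1": "priv_group_dev", "instance2": "priv_group"}


def run_preflight(cfg: ConnectorConfig) -> dict[str, object]:
    """Run all three checks and return a report; empty findings mean no naming risk."""
    return {
        "case_collisions": find_case_collisions(cfg, PORTAL_GROUPS, PORTAL_ROLES),
        "unmanaged_prefixed_groups": find_unmanaged_prefixed_groups(
            cfg, PORTAL_GROUPS, PORTAL_ROLES, UC_GROUPS),
        "overlapping_prefixes": overlapping_prefixes(INSTANCES),
    }


if __name__ == "__main__":
    for persist in (False, True):
        cfg = ConnectorConfig("priv_group_dev", "priv_role_dev", persist, persist)
        print(f"persist case = {persist}: {run_preflight(cfg)}")
```

With the sample data and case retention off, the report shows that the portal groups Finance and finance would become the single group priv_group_dev_finance, that priv_group_dev_marketing carries this connector's prefix without a matching portal group, and that the two instance prefixes overlap. Running the same data with case retention on removes the collision but also marks the existing lowercase priv_role_dev_finance as unmanaged, which illustrates that the case setting should be decided before the first synchronisation: under this model, flipping it later changes the names the connector expects and leaves the groups created under the old setting orphaned. Groups without the prefix, such as SCIM-provisioned ones, are never reported.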
