
Creating and Managing Principals in Databricks Unity Catalog

This section describes how to create and manage principals in Unity Catalog.

The Unity Catalog Connector allows you to create and manage principals in Unity Catalog. Principals are the users and groups in Unity Catalog that can be granted permissions on Unity Catalog resources. This feature is optional and can be configured to manage only users, only groups, or both.

When creating groups, the connector can prepend a configurable prefix to the group name. This makes it easy to identify the groups created by the connector. The Setup section documents the property for setting this prefix.

Prerequisites

To create and manage principals in Unity Catalog, the service user must have the ACCOUNT ADMIN privilege.

Setup

The default value for creating and managing principals in Unity Catalog is true. However, it is recommended to explicitly set the value to true or false in the connector configuration file. This ensures that if the default value changes in the future, the connector continues to work as expected.

By default, principal names are converted to lowercase when the principals are created. The following properties let you retain the original case of the principal names instead.

  • When case sensitivity is retained (true): The principal names (users, groups, roles) are stored and managed exactly as provided, preserving uppercase and lowercase letters.

  • When case sensitivity is not retained (false, default behavior): Principal names are automatically converted to lowercase in the Unity Catalog.

The property CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_GROUP_MEMBERS determines whether the Privacera connector manages group membership in Databricks Unity Catalog.

  • When set to true: The connector automatically adds and removes users from account groups in Unity Catalog based on Privacera's configuration.
  • When set to false: The connector does not manage group memberships. Any modifications to group memberships must be performed manually or through another process.

    Note

    Even if this property is set to true, Privacera can only manage group memberships if the provided personal access token has account admin privileges.

Privacera Manager (self-managed deployment):

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. Set the following properties to enable or disable the creation and management of principals in Unity Catalog by the connector:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_CREATE_USER: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_CREATE_GROUP: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_MANAGE_GROUP_MEMBERS: "true"
    

  4. To customize the group name prefixes, set the following properties:

    Understanding Group and Role Mapping

    Unity Catalog supports only groups, not roles. To distinguish Privacera groups from Privacera roles in Unity Catalog, you can configure a separate prefix for each.

    • Privacera Groups: Mapped to Unity Catalog groups using the GROUP_ROLE_PREFIX.
    • Privacera Roles: Mapped to Unity Catalog groups using the ROLE_ROLE_PREFIX (since Unity Catalog does not support roles directly).

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_ROLE_PREFIX: "priv_group_dev"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_ROLE_PREFIX: "priv_role_dev"
    
  5. To retain the case of the principal names, set the following properties:

    YAML
    CONNECTOR_DATABRICKS_UNITY_CATALOG_USER_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_GROUP_NAME_PERSIST_CASE_SENSITIVITY: "true"
    CONNECTOR_DATABRICKS_UNITY_CATALOG_ROLE_NAME_PERSIST_CASE_SENSITIVITY: "true"
    
  6. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud portal:

  1. In the PrivaceraCloud portal, navigate to Settings -> Applications.

  2. On the Connected Applications screen, select Databricks Unity Catalog.

  3. Click the pen icon or the Account Name to modify the settings.

  4. On the Edit Application screen, go to Access Management -> ADVANCED tab.

  5. For creating and managing principals in the Unity Catalog, enable the following options:

    • Create account users in Databricks Unity Catalog by Privacera
    • Create account groups in Databricks Unity Catalog by Privacera
    • Manage the group members of account groups in Databricks Unity Catalog by Privacera
  6. To customize the group name prefixes, enter them in the following fields:

    • Prefix of Databricks Unity Catalog roles for portal groups: priv_group_dev
    • Prefix of Databricks Unity Catalog roles for portal roles: priv_role_dev
  7. To retain the case of the principal names, enable the following options:

    • Persist case sensitivity of user names
    • Persist case sensitivity of group names
    • Persist case sensitivity of role names
  8. Click SAVE to apply the changes.
