Manage Permissions List¶
This section provides configuration details for managing Unity Catalog permissions using the Permission Management feature. This feature was introduced to support newly added permissions and allows you to explicitly control whether these permissions should be managed by the connector or excluded from management until policies are defined.
Prerequisites¶
- Review the list of supported permissions for each Unity Catalog resource:
- Legacy permissions (previously managed by the connector by default).
- Newly supported permissions (now supported and managed via inclusion).
Note
By default, the connector excludes all newly supported permissions and takes no action on them until they are explicitly included using the Inclusion Property.
Setup¶
The permission management feature provides two types of configuration properties that can be set via vars.connector.databricks.unity.catalog.yml under custom-vars.
- Inclusion Property: For newly supported permissions.
- Exclusion Property: For all supported permissions (both legacy and newly supported).
Inclusion Property¶
-
The Inclusion Property allows to enable the connector to manage newly supported permissions for specific Unity Catalog resources. If not included, the connector will skip managing those permissions.
-
Example:
This property only applies to newly supported permissions that are excluded by default.
-
Available Properties
Property Description CONNECTOR_DATABRICKS_UNITY_CATALOG_CATALOG_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the CATALOG resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_SCHEMA_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the SCHEMA resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_TABLE_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the TABLE resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_VIEW_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the VIEW resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_MATERIALIZED_VIEW_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the MATERIALIZED VIEW resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_COLUMN_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the COLUMN resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_FUNCTION_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the FUNCTION resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_EXTERNAL_LOCATION_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the EXTERNAL LOCATION resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_STORAGE_CREDENTIAL_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the STORAGE CREDENTIAL resource that are to be managed by the Connector CONNECTOR_DATABRICKS_UNITY_CATALOG_VOLUME_CUSTOM_INCLUDE_PERMISSIONS_LIST Comma-separated list of newly supported permissions for the VOLUME resource that are to be managed by the Connector
Exclusion Property¶
- The Exclusion Property allows to exclude any permissions (both legacy and newly supported) from being managed by the connector. This property takes precedence over the Inclusion Property.
-
You can specify permissions to exclude for each resource individually. To exclude all permissions for a resource, use
*. -
Example:
-
Exclude All Example:
The Exclusion property has the highest precedence. If a permission is listed under both Inclusion and Exclusion, the connector will not manage that permission.
-
Available Properties
Property Description CONNECTOR_DATABRICKS_UNITY_CATALOG_CATALOG_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the CATALOG resource CONNECTOR_DATABRICKS_UNITY_CATALOG_SCHEMA_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the SCHEMA resource CONNECTOR_DATABRICKS_UNITY_CATALOG_TABLE_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the TABLE resource CONNECTOR_DATABRICKS_UNITY_CATALOG_VIEW_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the VIEW resource CONNECTOR_DATABRICKS_UNITY_CATALOG_MATERIALIZED_VIEW_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the MATERIALIZED VIEW resource CONNECTOR_DATABRICKS_UNITY_CATALOG_COLUMN_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the COLUMN resource CONNECTOR_DATABRICKS_UNITY_CATALOG_FUNCTION_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the FUNCTION resource CONNECTOR_DATABRICKS_UNITY_CATALOG_EXTERNAL_LOCATION_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the EXTERNAL LOCATION resource CONNECTOR_DATABRICKS_UNITY_CATALOG_STORAGE_CREDENTIAL_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the STORAGE CREDENTIAL resource CONNECTOR_DATABRICKS_UNITY_CATALOG_VOLUME_CUSTOM_EXCLUDE_PERMISSIONS_LIST Comma-separated list of permissions to be excluded from the VOLUME resource
Warning
- Replace the example values with your actual permissions.
-
Navigate to Settings → Applications in the Self-Managed Portal.
-
From the list of Connected Applications, select Databricks Unity Catalog.
-
Click on the application name or the icon to edit. Then, go to the Access Management tab.
-
Under Add New Custom Properties add the following properties to include specific permissions to be managed by the connector:
-
Add the following properties to exclude the permissions to be managed by the connector:
-
Click SAVE to apply the changes.
-
SSH to the instance where Privacera Manager is installed.
-
Run the following command to open the
.ymlfile to be edited.If you have multiple connectors, then replace
instance1with the appropriate connector instance name. -
Uncomment (if commented) and set the following properties to include specific permissions to be managed by the connector:
-
Uncomment (if commented) and set the following properties to exclude the permissions to be managed by the connector:
-
Once the properties are configured, run the following commands to update your Privacera Manager platform instance:
Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Step 2 - Apply the Privacera Manager helm charts. Step 3 - Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on.
-
In PrivaceraCloud portal, navigate to Settings -> Applications.
-
On the Connected Applications screen, select Databricks Unity Catalog.
-
Click the pen icon or the Account Name to modify the settings.
-
On the Edit Application screen, go to Access Management -> ADVANCED tab.
-
Under Add New Custom Properties add the following properties to include specific permissions to be managed by the connector:
-
Add the following properties to exclude the permissions to be managed by the connector:
-
Click SAVE to apply the changes.
- Prev topic: Advanced Configuration