Prerequisites for Databricks Unity Catalog
Privacera's Databricks Unity Catalog connector uses one of the workspace's SQL warehouses to manage access permissions. Databricks tokens are specific to a workspace, so the connector needs the workspace URL and the token of a service principal created in that same workspace. Depending on the capabilities you want to enable in the connector, grant the service principal the privileges those capabilities require; the Service User Privileges for Databricks Unity Catalog Connector section lists them.
Prerequisites
Prerequisites | Detail |
---|---|
Databricks Unity Catalog Workspace URL | Obtain the URL of your Databricks Unity Catalog workspace. |
Databricks Unity Catalog Service User and Credentials | The connector requires a service user with sufficient privileges to manage the policies. The section below details the privilege level needed for each capability. |
SQL Warehouse | The connector uses a running SQL warehouse to manage access permissions and to retrieve access audits. |
Catalog, External Location, and Storage Credentials Identification | Identify the catalogs, external locations, and storage credentials in the Databricks Unity Catalog whose access control policies you want to manage with Ranger policies. |
Principal Identification | Identify the users, groups, and roles in the Databricks Unity Catalog to which Ranger policies will be applied. |
OAuth Authentication (optional) | Databricks strongly recommends using OAuth for authentication. Additional details can be found in the Advanced Configuration section. |
System catalog access | Ensure the service user has access to the system catalog. |
Service User Privileges for Databricks Unity Catalog Connector
Depending on the service user's privilege level, the connector can perform different operations on the Databricks Unity Catalog. The table below outlines the privilege levels that can be granted to the service user and the operations each one enables:
Privilege Level | Manage Users | Manage All Permissions | Manage Catalogs | Manage Storage Credentials | Manage External Locations |
---|---|---|---|---|---|
Account Admin + Metastore Admin | Yes | Yes | Yes | Yes | Yes |
Metastore Admin (Recommended) | No | Yes | Yes | Yes | Yes |
Custom Privileges | No | No | Only the catalogs the service user has privileges on | Only the storage credentials the service user has privileges on | Only the external locations the service user has privileges on |
Connector Capabilities
Below are the connector's capabilities and the privileges each one requires:
Manage Users and Groups
If you do not want Privacera to manage users and groups, you can skip this privilege.
The connector can provision users and groups in the Databricks Unity Catalog based on the users, groups and roles in the Privacera Platform. In Privacera, users and groups are synchronized from the corporate directory, while roles are managed in Privacera itself.
To manage users and groups in the Databricks Unity Catalog, the service user must have the ACCOUNT ADMIN privilege.
Manage Permissions of All Catalogs, Storage Credentials and External Locations
To manage the permissions of all catalogs in the Databricks Unity Catalog, the service user must have the METASTORE ADMIN privilege. Granting METASTORE ADMIN to the service user is recommended so that Privacera can manage the permissions of every catalog in the Databricks Unity Catalog.
Manage Permissions of Selected Catalogs
If you have granted the METASTORE ADMIN privilege to the service user, you can skip this step.
To manage the permissions of selected catalogs in the Databricks Unity Catalog, the service user must have the following privileges:
Replace CATALOG_TO_MANAGE with the name of the catalog you want to manage, and replace PRIVACERA_SERVICE_USER with the name of the service user.
SQL | |
---|---|
Manage Permissions for Storage Credentials and External Locations
If you have granted the METASTORE ADMIN privilege to the service user, you can skip this step.
To manage the permissions of storage credentials and external locations in the Databricks Unity Catalog, the service user must have the following privileges:
Manage on storage credential
SQL | |
---|---|
Manage on external location
SQL | |
---|---|
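As an added example (not Privacera's own statements), the grants below show the custom-privileges path for selected catalogs, storage credentials and external locations using the Databricks GRANT syntax, followed by checks that confirm the service user received exactly those privileges. CATALOG_TO_MANAGE and PRIVACERA_SERVICE_USER are the page's placeholders; STORAGE_CREDENTIAL_TO_MANAGE and EXTERNAL_LOCATION_TO_MANAGE are placeholder names assumed here, and the USE CATALOG grant and the verification queries are assumptions.

```sql
-- Added example: least-privilege grants for the connector service user when
-- METASTORE ADMIN is not granted. Run from a SQL warehouse as a metastore admin
-- or as the owner of each object. Replace the uppercase placeholders first.

-- Catalog: USE CATALOG lets the service user see the catalog (assumed to be
-- needed so the connector can enumerate schemas); MANAGE lets it grant and
-- revoke privileges on the catalog and on the objects beneath it.
GRANT USE CATALOG ON CATALOG CATALOG_TO_MANAGE TO `PRIVACERA_SERVICE_USER`;
GRANT MANAGE ON CATALOG CATALOG_TO_MANAGE TO `PRIVACERA_SERVICE_USER`;

-- Storage credential: MANAGE only on the credential Privacera should govern.
GRANT MANAGE ON STORAGE CREDENTIAL STORAGE_CREDENTIAL_TO_MANAGE
  TO `PRIVACERA_SERVICE_USER`;

-- External location: MANAGE only on the location Privacera should govern.
GRANT MANAGE ON EXTERNAL LOCATION EXTERNAL_LOCATION_TO_MANAGE
  TO `PRIVACERA_SERVICE_USER`;

-- Verification: each statement should list only the privileges granted above.
-- Anything broader (for example ALL PRIVILEGES) means the service user is
-- over-privileged relative to the custom-privileges row of the table.
SHOW GRANTS `PRIVACERA_SERVICE_USER` ON CATALOG CATALOG_TO_MANAGE;
SHOW GRANTS `PRIVACERA_SERVICE_USER`
  ON STORAGE CREDENTIAL STORAGE_CREDENTIAL_TO_MANAGE;
SHOW GRANTS `PRIVACERA_SERVICE_USER`
  ON EXTERNAL LOCATION EXTERNAL_LOCATION_TO_MANAGE;

-- Cross-check from the system catalog (requires the system catalog access
-- listed in the prerequisites): every grantee holding privileges on the
-- catalog, so unexpected principals are visible alongside the service user.
SELECT grantee, privilege_type, inherited_from
FROM system.information_schema.catalog_privileges
WHERE catalog_name = 'CATALOG_TO_MANAGE'
ORDER BY grantee, privilege_type;
```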