Service User Privilege for Databricks Unity Catalog Connector¶
Overview¶
When you are using the connector for Databricks Unity Catalog, you need to provide the service user with the necessary privileges to manage the permissions of the Databricks users.
Depending on the level of privilege of the service user, the connector can perform the operations on the Databricks Unity Catalog. Here are the different levels of privilege that can be provided to the service user:
| Privilege Level | Manage Users | Manage All Permissions | Manage Catalogs | Manage Storage Credentials | Manage External Locations |
|---|---|---|---|---|---|
| Account Admin + Metastore Admin |  Yes | Yes | Yes | Yes | Yes |
| Metastore Admin (Recommended) |  No | Yes | Yes | Yes | Yes |
| Custom Privileges | No | No | Yes (1) | Yes (2) | Yes (3) |
- Catalog Level Privileges: Only for the catalogs that the service user has access to.
- Storage Credentials Privileges: Only for the storage credentials that the service user has access to.
- External Locations Privileges: Only for the external locations that the service user has access to.
Connectors Capabilities¶
Manage Users and Groups¶
If you don't want Privacera to manage the users and groups, then you can skip this privilege.
The connector can manage the users in the Databricks Unity Catalog. Privacera's Connector can provision the users and groups in the Databricks Unity Catalog based on the users, groups and roles in the Privacera Platform. In Privacera, the users and groups are synchronized from the corporate directory, while roles are managed in the Privacera.
To manage the users and groups in the Databricks Unity Catalog, the service user must have the ACCOUNT ADMIN privilege.
Manage Permissions of All Catalogs, Storage Credentials and External Locations¶
To manage the permissions of all the catalogs in the Databricks Unity Catalog, the service user must have the METASTORE ADMIN privilege. It is recommended to provide the METASTORE ADMIN privilege to the service user, so Privacera can manage the permissions of all the catalogs in the Databricks Unity Catalog.
Mange Permissions of selective Catalogs¶
If you have provided the METASTORE ADMIN privilege to the service user, then you can skip this privilege.
To manage the permissions of selective catalogs in the Databricks Unity Catalog, the service user must have the following privileges:
Replace CATALOG_TO_MANAGE with the name of the catalog that you want to manage. And replace PRIVACEA_SERVICE_USER with the name of the service user.
| SQL | |
|---|---|
Manage Permissions for storage credentials and external locations¶
If you have provided the METASTORE ADMIN privilege to the service user, then you can skip this privilege.
If you want to manage the permissions for the storage credentials and external locations in the Databricks Unity Catalog, then the service user must have the following privileges:
Manage on storage credential¶
| SQL | |
|---|---|
Manage on external location¶
| SQL | |
|---|---|