# Databricks: Managing Access to Managed Tables in Unity Catalog In this tutorial, you'll learn how to configure [#grant-kits](https://docs.abbey.io/how-abbey-works/concepts#grant-kits "mention") to automate access and revocation to a securable object in the [Databricks Unity Catalog](https://docs.databricks.com/data-governance/unity-catalog/index.html). This use case allows you to model fine-grained access for your Databricks deployment. We will be using the Databricks [databricks-managing-access-to-groups](https://docs.abbey.io/getting-started/tutorials/databricks-managing-access-to-groups "mention") Starter Kit as a base and modify it to work with the Databricks Unity Catalog. ## Before you start 1. **Make sure you have:** * An [Abbey account](https://app.abbey.so/sign-up) * An [Abbey API Token](https://docs.abbey.io/admin/managing-api-tokens#creating-new-api-tokens) * A Databricks account 2. **Make sure you setup:** 1. A [Databricks Starter Kit](https://github.com/abbeylabs/abbey-starter-kit-databricks) by following [get-a-starter-kit](https://docs.abbey.io/build-a-grant-kit/get-a-starter-kit "mention") 2. A Connection to a repo by following [connect-a-repo](https://docs.abbey.io/build-a-grant-kit/connect-a-repo "mention") 3. Your account to [enable Databricks Unity Catalog](https://docs.databricks.com/data-governance/unity-catalog/get-started.html#overview-of-unity-catalog-setup) ## Step 1: Configure a Managed Table Grant Unity Catalog allows you to configure fine-grained access to securable objects such as: 1. Metastore 2. Catalogs 3. Schemas (Databases) 4. Tables 5. Views 6. Storage Credentials 7. Storage Locations 8. Delta Sharing Share Grants Permission grants for securable objects are hierarchical. This means, for example, granting access to a Catalog or Schema automatically grants the privilege to current and all future objects within the Catalog or Schema, with the exception of Metastore grants. For our use case, let's manage access to a [Managed Table](https://docs.databricks.com/data-governance/unity-catalog/index.html#tables). {% code title="main.tf" lineNumbers="true" %} ```diff resource "abbey_grant_kit" "databricks_pii_group" { ... output = { ... append = <<-EOT - resource "databricks_group_member" "group_member_{{ .data.system.abbey.identities.databricks.tf_resource_id }}" { - group_id = ${databricks_group.pii_group.id} - member_id = {{ .data.system.abbey.identities.databricks.tf_resource_id }} + resource "databricks_grant" "grant_pii_table" { + table = "main.reporting.pii_customers" + + grant { + principal = ${databricks_group.pii_group.id} + privileges = ["MODIFY", "SELECT"] + } } EOT } } ``` {% endcode %} Instead of using the `databricks_group_member` resource, we want to use the `databricks_grant` resource and specify a `table` alongside a `grant` attribute. We're able to reuse our `databricks_group.pii_group.id` as the principal. This resource was configured in the Databricks [databricks-managing-access-to-groups](https://docs.abbey.io/getting-started/tutorials/databricks-managing-access-to-groups "mention") guide. {% hint style="info" %} For more ideas on how you can manage other securable objects, visit the official [Databricks Terraform Provider documentation on Grants](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants). {% endhint %} ## Step 2: Deploy Your Starter Kit Follow instructions from the Databricks [databricks-managing-access-to-groups](https://docs.abbey.io/getting-started/tutorials/databricks-managing-access-to-groups "mention") to deploy your newly configured Grant Kit with Unity Catalog. ## Next Steps To learn more about what [resources](https://docs.abbey.io/resources "mention") you can configure, try one of our [Tutorials](https://docs.abbey.io/getting-started/tutorials). For more information on how Abbey works, visit the [concepts](https://docs.abbey.io/how-abbey-works/concepts "mention") or [grant-kits](https://docs.abbey.io/reference/grant-kits "mention") page.