Links
Comment on page

Databricks: Managing Access to Managed Tables in Unity Catalog

In this tutorial, you'll learn how to configure Grant Kits to automate access and revocation to a securable object in the Databricks Unity Catalog. This use case allows you to model fine-grained access for your Databricks deployment.
We will be using the Databricks Databricks: Managing Access to Groups Starter Kit as a base and modify it to work with the Databricks Unity Catalog.

Before you start

  1. 1.
    Make sure you have:
  2. 2.
    Make sure you setup:
    1. 2.
      A Connection to a repo by following Connect a Repo​
    2. 3.
      Your account to enable Databricks Unity Catalog​

Step 1: Configure a Managed Table Grant

Unity Catalog allows you to configure fine-grained access to securable objects such as:
  1. 1.
    Metastore
  2. 2.
    Catalogs
  3. 3.
    Schemas (Databases)
  4. 4.
    Tables
  5. 5.
    Views
  6. 6.
    Storage Credentials
  7. 7.
    Storage Locations
  8. 8.
    Delta Sharing Share Grants
Permission grants for securable objects are hierarchical. This means, for example, granting access to a Catalog or Schema automatically grants the privilege to current and all future objects within the Catalog or Schema, with the exception of Metastore grants.
For our use case, let's manage access to a Managed Table.
main.tf
1
resource "abbey_grant_kit" "databricks_pii_group" {
2
...
3
​
4
output = {
5
...
6
​
7
append = <<-EOT
8
- resource "databricks_group_member" "group_member_{{ .data.system.abbey.identities.databricks.tf_resource_id }}" {
9
- group_id = ${databricks_group.pii_group.id}
10
- member_id = {{ .data.system.abbey.identities.databricks.tf_resource_id }}
11
+ resource "databricks_grant" "grant_pii_table" {
12
+ table = "main.reporting.pii_customers"
13
+
14
+ grant {
15
+ principal = ${databricks_group.pii_group.id}
16
+ privileges = ["MODIFY", "SELECT"]
17
+ }
18
}
19
EOT
20
}
21
}
Instead of using the databricks_group_member resource, we want to use the databricks_grant resource and specify a table alongside a grant attribute. We're able to reuse our databricks_group.pii_group.id as the principal. This resource was configured in the Databricks Databricks: Managing Access to Groups guide.
For more ideas on how you can manage other securable objects, visit the official Databricks Terraform Provider documentation on Grants.

Step 2: Deploy Your Starter Kit

Follow instructions from the Databricks Databricks: Managing Access to Groups to deploy your newly configured Grant Kit with Unity Catalog.

Next Steps

To learn more about what Resources you can configure, try one of our Tutorials.
For more information on how Abbey works, visit the Key Concepts or Grant Kits page.