Databricks: Managing Access to Managed Tables in Unity Catalog

In this tutorial, you'll learn how to configure Grant Kits to automate granting and revoking access to a securable object in Databricks Unity Catalog. This use case allows you to model fine-grained access for your Databricks deployment.

We will use the Databricks: Managing Access to Groups Starter Kit as a base and modify it to work with Unity Catalog.

Before you start

  1. Make sure you have:

  2. Make sure you set up:

    1. A Connection to a repo by following Connect a Repo

Step 1: Configure a Managed Table Grant

Unity Catalog allows you to configure fine-grained access to securable objects such as:

  1. Metastore

  2. Catalogs

  3. Schemas (Databases)

  4. Tables

  5. Views

  6. Storage Credentials

  7. Storage Locations

  8. Delta Sharing Share Grants

Permission grants for securable objects are hierarchical. This means, for example, granting access to a Catalog or Schema automatically grants the privilege to current and all future objects within the Catalog or Schema, with the exception of Metastore grants.
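
The configuration below illustrates that inheritance for the table used later on this page. It is an added example, not part of the Abbey starter kit: it assumes the databricks_group.pii_group resource from the Groups guide and uses the Databricks provider's databricks_grant resource with top-level principal and privileges arguments; the resource names are hypothetical. A table-level grant is only usable when the principal can also traverse the parent catalog and schema, so the narrow form grants USE_CATALOG and USE_SCHEMA on the parents and SELECT on the single table.

```hcl
# Added example, not the starter kit's code. Assumes databricks_group.pii_group
# from the Groups guide and the catalog/schema implied by the table name
# "main.reporting.pii_customers" used on this page.

# Broad form (commented out): SELECT granted on the schema is inherited by
# every current and future table in main.reporting, not only pii_customers.
#
# resource "databricks_grant" "pii_schema_select" {
#   schema     = "main.reporting"
#   principal  = databricks_group.pii_group.display_name
#   privileges = ["USE_SCHEMA", "SELECT"]
# }

# Narrow form: traversal-only privileges on the parents, data access on one table.
resource "databricks_grant" "pii_use_catalog" {
  catalog    = "main"
  principal  = databricks_group.pii_group.display_name
  privileges = ["USE_CATALOG"]
}

resource "databricks_grant" "pii_use_schema" {
  schema     = "main.reporting"
  principal  = databricks_group.pii_group.display_name
  privileges = ["USE_SCHEMA"]
}

resource "databricks_grant" "pii_table_select" {
  table      = "main.reporting.pii_customers"
  principal  = databricks_group.pii_group.display_name
  privileges = ["SELECT"]
}
```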

For our use case, let's manage access to a Managed Table.

main.tf
resource "abbey_grant_kit" "databricks_pii_group" {
  ...

  output = {
    ...

    append = <<-EOT
-      resource "databricks_group_member" "group_member_{{ .data.system.abbey.identities.databricks.tf_resource_id }}" {
-        group_id  = ${databricks_group.pii_group.id}
-        member_id = {{ .data.system.abbey.identities.databricks.tf_resource_id }}
+      resource "databricks_grant" "grant_pii_table" {
+        table = "main.reporting.pii_customers"
+
+        grant {
+          principal  = ${databricks_group.pii_group.id}
+          privileges = ["MODIFY", "SELECT"]
+        }
      }
    EOT
  }
}
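
Review bot: In the added databricks_grant block, `principal = ${databricks_group.pii_group.id}` passes the group's ID, unquoted, where Unity Catalog grants expect the principal's name as a string (for a group, its display name); suggest `principal = "${databricks_group.pii_group.display_name}"`. The nested `grant { ... }` block is also the shape of the plural databricks_grants resource, while databricks_grant takes principal and privileges at the top level, so pick one form. Two scope points: the new resource no longer references `{{ .data.system.abbey.identities.databricks.tf_resource_id }}`, so the appended resource is identical for every requester and grants the whole group rather than the requesting identity; and "MODIFY" alongside "SELECT" on a table named pii_customers is broader than read access, so drop it unless write access is intended.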

Instead of the databricks_group_member resource, we use the databricks_grant resource and specify a table alongside a grant attribute. We're able to reuse our databricks_group.pii_group.id as the principal. The databricks_group.pii_group resource was configured in the Databricks: Managing Access to Groups guide.

For more ideas on how you can manage other securable objects, visit the official Databricks Terraform Provider documentation on Grants.

Step 2: Deploy Your Starter Kit

Follow the instructions in the Databricks: Managing Access to Groups guide to deploy your newly configured Grant Kit with Unity Catalog.

Next Steps

To learn more about what Privacy Policy you can configure, try one of our Tutorials.

For more information on how Abbey works, visit the Key Concepts or Grant Kits page.
