Databricks: Managing Access to Managed Tables in Unity Catalog

We will be using the Databricks Databricks: Managing Access to Groups Starter Kit as a base and modify it to work with the Databricks Unity Catalog.

Before you start

  1. Make sure you have:

  2. Make sure you setup:

    1. A Connection to a repo by following Connect a Repo

Step 1: Configure a Managed Table Grant

Unity Catalog allows you to configure fine-grained access to securable objects such as:

  1. Metastore

  2. Catalogs

  3. Schemas (Databases)

  4. Tables

  5. Views

  6. Storage Credentials

  7. Storage Locations

  8. Delta Sharing Share Grants

Permission grants for securable objects are hierarchical. This means, for example, granting access to a Catalog or Schema automatically grants the privilege to current and all future objects within the Catalog or Schema, with the exception of Metastore grants.

For our use case, let's manage access to a Managed Table.

main.tf
resource "abbey_grant_kit" "databricks_pii_group" {
  ...

  output = {
    ...

    append = <<-EOT
-      resource "databricks_group_member" "group_member_{{ .data.system.abbey.identities.databricks.tf_resource_id }}" {
-        group_id  = ${databricks_group.pii_group.id}
-        member_id = {{ .data.system.abbey.identities.databricks.tf_resource_id }}
+      resource "databricks_grant" "grant_pii_table" {
+        table = "main.reporting.pii_customers"
+
+        grant {
+          principal  = ${databricks_group.pii_group.id}
+          privileges = ["MODIFY", "SELECT"]
+        }
      }
    EOT
  }
}

Instead of using the databricks_group_member resource, we want to use the databricks_grant resource and specify a table alongside a grant attribute. We're able to reuse our databricks_group.pii_group.id as the principal. This resource was configured in the Databricks Databricks: Managing Access to Groups guide.

For more ideas on how you can manage other securable objects, visit the official Databricks Terraform Provider documentation on Grants.

Step 2: Deploy Your Starter Kit

Follow instructions from the Databricks Databricks: Managing Access to Groups to deploy your newly configured Grant Kit with Unity Catalog.

Next Steps

To learn more about what Privacy Policy you can configure, try one of our Tutorials.

For more information on how Abbey works, visit the Key Concepts or Grant Kits page.

Last updated