
Manage privileges in Unity Catalog Azure


I have a group in Azure for which I would like to manage access. Databricks documentation:
https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/?language=SQL

The group is called AzUser-DataHub-SAPupportAnalyst; however, I can't seem to use the syntax:

GRANT SELECT ON default.department TO `AzUser-DataHub-SAPupportAnalyst`;

I can give it to a principal, but because this is an AD group, this cannot be resolved.

Any pointers?


Solution


    * In Azure Databricks, ensure that the Azure AD group (e.g., AzUser-DataHub-SAPupportAnalyst) is synchronized correctly with Unity Catalog. Ensure that your Unity Catalog is configured to properly recognize Azure AD groups. This should happen automatically if Azure AD is connected to Databricks.

    * Azure AD Group Sync: Make sure that the group AzUser-DataHub-SAPupportAnalyst exists in Azure Active Directory and that it is synced to your Databricks workspace. In some cases, it may not be properly synced or recognized. To check this, go to the Admin Console in Azure Databricks and verify that the group is available under the User & Groups section. You can check the documentation.

    * You can try the following command:

    GRANT [privilege-type] ON [securable-type] [securable-name] TO [principal];

    - [privilege-type] is a Unity Catalog privilege type. See Privilege types.
    - [securable-type]: The type of securable object, such as CATALOG or TABLE. See Securable objects.
    - [securable-name]: The name of the securable. If the securable type is METASTORE, do not provide the securable name. It is assumed to be the metastore attached to the workspace.
    - [principal] is a user, service principal (represented by its applicationId value), or group. You must enclose users, service principals, and group names that include special characters in backticks ( ` ` ).

    * Also, you can grant permissions using the UI:

      1. Click the table name in Catalog Explorer to open the table details page, and go to the Permissions tab.
      2. Click Grant.
      3. On the Grant on dialog, select the users and groups you want to give permission to.
      4. Select the privileges you want to grant. For this example, assign the SELECT (read) privilege and click Grant.
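
The check-then-grant sequence discussed above, written out as an added example that is not part of the original question or answer. The catalog name `main` is an assumption (the question only gives `default.department`); the group name is the one from the question.

```sql
-- Added example. `main` is an assumed catalog name; substitute your own.

-- 1. Confirm the group is visible as a principal in this workspace.
--    If no rows come back, the group has not been synced, and GRANT
--    cannot resolve it however the name is quoted.
SHOW GROUPS LIKE 'AzUser*';

-- 2. Grant only what is needed to read one table.
--    In Unity Catalog, SELECT on a table is usable only if the principal
--    also holds USE CATALOG and USE SCHEMA on the parent objects.
--    Backticks are required because the group name contains hyphens.
GRANT USE CATALOG ON CATALOG main TO `AzUser-DataHub-SAPupportAnalyst`;
GRANT USE SCHEMA ON SCHEMA main.default TO `AzUser-DataHub-SAPupportAnalyst`;
GRANT SELECT ON TABLE main.default.department TO `AzUser-DataHub-SAPupportAnalyst`;

-- 3. Verify what the group now holds on the table.
SHOW GRANTS `AzUser-DataHub-SAPupportAnalyst` ON TABLE main.default.department;
```

Running step 3 again after any later REVOKE gives a quick audit of what the group can still read.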