Create and manage attribute-based access control (ABAC) policies

Beta

This feature is in Beta.

This page describes how to configure row filter and column mask policies in Unity Catalog. For more information on attribute-based access control (ABAC) and policies, see Unity Catalog attribute-based access control (ABAC). To apply tags to objects, see Tag policies and Apply tags to Unity Catalog securable objects.

Enable ABAC

The ABAC beta is enabled at the workspace level. Databricks cannot enforce ABAC on read operations to shared catalogs unless ABAC is also enabled in each workspace that accesses those catalogs.

To create and manage ABAC policies, both the ABAC and tag policies betas must be enabled.

To enable the ABAC beta, do the following:

1. As a workspace admin, click your username in the top bar of the Databricks workspace.
2. From the menu, select Previews.
3. Set the Attribute Based Access Control toggle to On.

To enable the tag policies beta, see Enable tag policies.

Create a policy on an object

Permissions required: MANAGE on the object or the owner of the object.

Catalog Explorer

1. In your Databricks workspace, click Catalog.

2. Select the object that determines the policy scope, such as a catalog, schema, or table.

3. Click the Policies tab.

4. Click New policy.

5. In General, enter a name and description for your policy.

6. In Principals:

   • In Applied to…, search for and select the principals that the policy will govern.
   • In Except for…, search for and select any principals to exclude from the policy. For example, you might exclude a user who belongs to a group the policy applies to.

   

7. In Type & target:

   • In Policy type, select Row Filter or Column Mask.
   • In Policy target, select the scope of the policy. This can be a broad scope, such as an entire catalog or schema, or a narrower scope, such as specific tables or columns within it.
   • In Table level condition, specify the condition matching the tables to which this policy applies. For example, hasTag("tag") or hasTagValue("tag", "value").

8. In Function, select a function for this policy to use and enter required parameters.

   

9. Click Create policy.

SQL

The following is the general syntax for creating a policy:

SQL

CREATE POLICY <policy_name>
ON <securable_type> <securable_name>
COMMENT '<policy_description>'
-- One of the following:
  ROW FILTER <udf_name>
  | COLUMN MASK <udf_name> ON COLUMN <target_column>
TO <principal_name>[, <principal_name>, ...]
[EXCEPT <principal_name>[, <principal_name>, ...]]
FOR TABLES
[WHEN has_tag('<key>') OR has_tag_value('<key>', '<value>')]
MATCH COLUMNS has_tag('<key>') OR has_tag_value('<key>', '<value>') AS <alias>
USING COLUMNS <alias>[, <alias>, ...];

This example defines a row filter policy that excludes rows for European customers from queries by US-based analysts:

SQL

CREATE POLICY hide_eu_customers
ON SCHEMA prod.customers
COMMENT 'Hide rows with European customers from sensitive tables'
ROW FILTER non_eu_region
TO us_analysts
FOR TABLES
MATCH COLUMNS
  hasTag('geo_region') AS region
USING COLUMNS (region);

This example defines a column mask policy that hides social security numbers from US analysts, except for those with in the admins group:

SQL

CREATE POLICY mask_SSN
ON SCHEMA prod.customers
COMMENT 'Mask social security numbers'
COLUMN MASK mask_SSN
TO us_analysts
EXCEPT admins
FOR TABLES
MATCH COLUMNS
  hasTagValue('pii', 'ssn') AS ssn
ON COLUMN ssn;

important

Tag data can be replicated globally. Do not use tag names or values that could compromise the security of your resources. For example, do not use tag names that contain personal or sensitive information.

Edit a policy

Permissions required: MANAGE on the object or the owner of the object.

Catalog Explorer

1. In your Databricks workspace, click Catalog.
2. Select the object that determines the policy scope, such as a catalog, schema, or table.
3. Click the Policies tab.
4. Select the policy and make edits.
5. Click Update policy.

SQL

SQL

REPLACE POLICY <policy_name>
ON <securable_type> <securable_name>
COMMENT '<policy_description>'
-- One of the following:
  ROW FILTER <udf_name>
  | COLUMN MASK <udf_name> ON COLUMN <target_column>
TO <principal_name>[, <principal_name>, ...]
[EXCEPT <principal_name>[, <principal_name>, ...]]
FOR TABLES
[WHEN has_tag('<key>') OR has_tag_value('<key>', '<value>')]
MATCH COLUMNS has_tag('<key>') OR has_tag_value('<key>', '<value>') AS <alias>
USING COLUMNS <alias>[, <alias>, ...];

Delete a policy

Permissions required: MANAGE on the object or the owner of the object.

Catalog Explorer

1. In your Databricks workspace, click Catalog.
2. Select the object that determines the policy scope, such as a catalog, schema, or table.
3. Click the Policies tab.
4. Select the policy.
5. Click Delete policy.

SQL

SQL

DROP POLICY <policy_name> ON <securable_type> <securable_name>