メインコンテンツまでスキップ

ABAC_POLICY_DEFINITIONS

Applies to: check marked yes Databricks SQL check marked yes Databricks Runtime check marked yes Unity Catalog only

Preview

This feature is in Public Preview.

INFORMATION_SCHEMA.ABAC_POLICY_DEFINITIONS returns one row per attribute-based access control (ABAC) policy attached to a securable object in the local catalog. Each row contains the policy definition, including its scope, policy type, target conditions, applicable principals, and the condition used to enforce the policy. This view returns the same policy details as DESCRIBE POLICY for every policy in the catalog.

You can see only policies for which you have MANAGE on the catalog, schema, or table where the policy is attached. This matches the access pattern of DESCRIBE POLICY.

This relation is an extension of the SQL Standard Information Schema.

Definition

The ABAC_POLICY_DEFINITIONS relation contains the following columns:

Name

Data type

Nullable

Description

POLICY_ID

STRING

No

Unique identifier of the policy.

POLICY_NAME

STRING

No

Name of the policy.

POLICY_TYPE

STRING

No

The policy type. For example, ROW_FILTER, COLUMN_MASK, or GRANT (Beta).

CATALOG_NAME

STRING

Yes

Name of the catalog the policy is attached to, or that contains the schema or table the policy is attached to.

SCHEMA_NAME

STRING

Yes

Name of the schema the policy is attached to, or that contains the table the policy is attached to. NULL for catalog-attached policies.

SECURABLE_NAME

STRING

Yes

Name of the securable object the policy is attached to. NULL for catalog-attached and schema-attached policies.

ON_SECURABLE_TYPE

STRING

No

Type of the securable object the policy is attached to. For example, CATALOG, SCHEMA, TABLE, or MODEL.

TO_PRINCIPALS

ARRAY<STRING>

No

Principals (users, groups, or service principals) the policy applies to. Empty array [] when none are set.

EXCEPT_PRINCIPALS

ARRAY<STRING>

No

Principals excluded from policy application. Empty array [] when none are excluded.

FOR_SECURABLE_TYPE

STRING

No

Type of the securable object the policy targets when evaluated. For example, TABLE.

PRIVILEGES

ARRAY<STRING>

Yes

Privileges granted by the policy. NULL for ROW_FILTER and COLUMN_MASK policies.

WHEN_CONDITION

STRING

Yes

Conditional expression under which the policy applies. For example, a boolean expression that matches tables based on their governed tags.

MATCH_COLUMNS

ARRAY<STRING>

Yes

Columns referenced by the policy. NULL for GRANT policies.

CREATED_BY

STRING

No

Principal who created the policy.

Examples

SQL
-- List every GRANT policy in the current catalog.
> SELECT *
FROM information_schema.abac_policy_definitions
WHERE policy_type = 'GRANT';

-- Find all row filters and column masks attached to securable objects in a schema.
> SELECT policy_name, policy_type, on_securable_type, securable_name, when_condition, match_columns
FROM information_schema.abac_policy_definitions
WHERE policy_type IN ('ROW_FILTER', 'COLUMN_MASK')
AND catalog_name = 'my_catalog'
AND schema_name = 'my_schema';
このページの見出し