Skip to main content

Discover and govern access to model provider services

Beta

this feature is in Beta. Account admins can manage access to this feature from the account console Previews page. See Manage Databricks previews.

This page describes how to discover model provider services that are available to you and how to govern access to them with Unity Catalog privileges.

Requirements

  • Unity AI Gateway preview enabled for your account. See Manage Databricks previews.
  • To manage a model provider service, you must have the MANAGE privilege on it, or MANAGE on its catalog or schema.

Discover model provider services

A model provider service is a Unity Catalog securable, so it appears in Catalog Explorer under its catalog and schema alongside your other data and AI assets. Use Catalog Explorer to find the model provider services you have access to and inspect their provider type and configuration. The service does not display credentials.

Govern access with Unity Catalog privileges

Grant or revoke access to a model provider service with the same GRANT and REVOKE statements you use for other Unity Catalog securables. To query a model provider service, a user needs EXECUTE on it and USE CATALOG and USE SCHEMA on its catalog and schema.

SQL
-- Grant access to a team
GRANT USE CATALOG ON CATALOG main TO ai_team;
GRANT USE SCHEMA ON SCHEMA main.default TO ai_team;
GRANT EXECUTE ON MODEL PROVIDER SERVICE main.default.openai_prod TO ai_team;

-- Revoke access
REVOKE EXECUTE ON MODEL PROVIDER SERVICE main.default.openai_prod FROM ai_team;

Callers query a model provider service without ever seeing its credentials: Unity AI Gateway attaches the stored credential at request time. Granting EXECUTE therefore lets a team use a provider without distributing its API key.

Rotate or replace the stored credential by updating the model provider service. Editing a model provider service requires MANAGE on it, held either directly or inherited from the parent catalog or schema. Grant MANAGE only to principals you intend to let configure which provider credential the service uses. The service does not return the stored credential in plaintext on read. Updating the service replaces the credential and does not reveal it.

Offer different providers to different teams

To give different teams access to different providers, create a separate model provider service for each and grant EXECUTE accordingly. For example, create one service for a lower-cost provider for general use and another for a premium provider for a smaller group. See Create and manage model provider services.

SQL
-- All users can query the standard provider
GRANT EXECUTE ON MODEL PROVIDER SERVICE ai_platform.default.standard TO `account users`;

-- Only power users can query the premium provider
GRANT EXECUTE ON MODEL PROVIDER SERVICE ai_platform.default.premium TO ai_power_users;

Configure different rate limits on each model provider service to manage capacity and cost. See Configure rate limits for AI services using Unity AI Gateway.

Govern the content of interactions

Unity Catalog privileges determine whether a principal can query a model provider service. To govern how each interaction proceeds — for example, to block a response that contains unsafe content or PII — attach a service policy to the model provider service. Service policies are how you implement guardrails: built-in guardrails cover common risks such as PII, prompt injection, and unsafe content, and custom policies enforce rules specific to your organization.

To learn about service policies and attach one, see:

Next steps