Skip to main content

Create and manage attribute-based access control (ABAC) policies

Beta

This feature is in Beta.

This page describes how to configure row filter and column mask policies in Unity Catalog. For more information on attribute-based access control (ABAC) and policies, see Unity Catalog attribute-based access control (ABAC). To apply tags to objects, see Governed tags and Apply tags to Unity Catalog securable objects.

Enable ABAC

The ABAC beta is enabled at the workspace level. Databricks cannot enforce ABAC on read operations to shared catalogs unless ABAC is also enabled in each workspace that accesses those catalogs.

To enable the ABAC beta, do the following:

  1. As a workspace admin, click your username in the top bar of the Databricks workspace.
  2. From the menu, select Previews.
  3. Set the Attribute Based Access Control toggle to On.

Compute requirements

  • You must use compute on Databricks Runtime 16.4 or above.
  • Serverless compute always works with ABAC.

Compute running older runtimes cannot access tables secured by ABAC. As a temporary workaround, you can configure ABAC to apply only to a specific group. Add the users you want to restrict to that group. Users who are not in the group can still access the tables.

Create a policy on an object

To create a row filter or column mask policy, you must have:

  • The ABAC beta and tag policies beta enabled in your workspace. See Enable ABAC.

  • An existing user-defined function (UDF) that implements the row filter or column mask logic you want to enforce.
    For best practices and examples UDFs, see UDFs for ABAC policies best practices.

  • MANAGE on the object or ownership of the object.

  • Serverless compute always works with ABAC.

  • You must use compute on Databricks Runtime 16.4 or above.

    Compute running older runtimes cannot access tables secured by ABAC. As a temporary workaround, you can configure ABAC to apply only to a specific group. Add the users you want to restrict to that group. Users who are not in the group can still access the tables.

  1. In your Databricks workspace, click Data icon. Catalog.

  2. Select the object that determines the policy scope, such as a catalog, schema, or table.

  3. Click the Policies tab.

  4. Click New policy.

  5. In General, enter a name and description for your policy.

  6. In Principals:

    • In Applied to…, search for and select the principals that the policy will govern.
    • In Except for…, search for and select any principals to exclude from the policy. For example, you might exclude a user who belongs to a group the policy applies to.

    ABAC filled in policy.

  7. In Type & target:

    • In Policy type, select Row Filter or Column Mask.
    • In Policy target, select the scope of the policy. This can be a broad scope, such as an entire catalog or schema, or a narrower scope, such as specific tables or columns within it.
    • In Table level condition, specify the condition matching the tables to which this policy applies. For example, hasTag("tag") or hasTagValue("tag", "value").
  8. In Function, select a function for this policy to use and enter required parameters. To create a new function, see Creating UDFs in Unity Catalog. For best practices and examples functions, see UDFs for ABAC policies best practices.

    ABAC filled in row filter policy.

  9. Click Create policy.

warning

Tag data is stored as plain text and may be replicated globally. Do not use tag names, values, or descriptors that could compromise the security of your resources. For example, do not use tag names, values or descriptors that contain personal or sensitive information.

Edit a policy

Permissions required: MANAGE on the object or the owner of the object.

  1. In your Databricks workspace, click Data icon. Catalog.
  2. Select the object that determines the policy scope, such as a catalog, schema, or table.
  3. Click the Policies tab.
  4. Select the policy and make edits.
  5. Click Update policy.

Delete a policy

Permissions required: MANAGE on the object or the owner of the object.

  1. In your Databricks workspace, click Data icon. Catalog.
  2. Select the object that determines the policy scope, such as a catalog, schema, or table.
  3. Click the Policies tab.
  4. Select the policy.
  5. Click Delete policy.