Access control in Unity Catalog
Access control in Unity Catalog is built on the following complementary models:
- Privileges and ownership control who can access what, using grants on securable objects.
- Attribute-based policies (ABAC) control what data users can access, using governed tags and centralized policies.
- Table-level filtering and masking control what data users can see within tables using table-specific filters and views.
- Workspace-level restrictions control where users can access data, by limiting objects to specific workspaces.
These models work together to enforce secure, fine-grained access across your data environment.
When to use each access control mechanism
Workspace bindings, privileges, and ABAC policies all evaluate access at different levels, and they are designed to be used together. The following table compares them across common access control criteria:
Databricks recommends using attribute-based access control (ABAC) to centralize and scale access control based on governed tags. Use row filters and column masks only when you need per-table logic or haven't adopted ABAC yet.
Mechanism | Applies to | Defined using | Use case |
|---|---|---|---|
Catalogs, schemas, tables | Grants ( | Baseline access and delegation | |
Tagged objects (tables, schemas) | Policies with governed tags and UDFs | Centralized, tag-driven policies and dynamic enforcement | |
Individual tables | UDFs on the table itself | Table-specific filtering or masking | |
Catalogs, external locations, storage credentials | Workspace assignment | Restricting access to objects from specific workspaces |
Permissions model
-
- Permissions concepts
- Understand the Unity Catalog object hierarchy, privilege inheritance, and how access flows from parent to child objects.
-
- Privileges reference
- View detailed descriptions of every privilege in Unity Catalog.
-
- Admin roles
- Learn about account admin, workspace admin, and metastore admin roles and their scopes.
Manage access
-
- Manage privileges
- Grant, revoke, and inspect privileges on Unity Catalog objects using Catalog Explorer and SQL.
-
- Access requests
- Configure destinations for access requests on Unity Catalog securable objects, including email, Slack, Teams, and webhooks.
-
- Workspace-catalog binding
- Restrict which workspaces can access specific catalogs, external locations, and storage credentials.
Fine-grained data access
-
- Attribute-based access control (ABAC)
- Define centralized, tag-driven policies that dynamically filter and mask data across your catalog.
-
- Row filters and column masks
- Apply per-table row and column filters using UDFs to control what data users see at query time.