Manage access requests

Preview

This feature is in Public Preview.

The Request access feature allows users to request privileges for securable objects in Unity Catalog. This page explains how to configure access request destinations as an administrator. These destinations determine where access requests are sent when users request access to data objects.

What are access request destinations?

When users request access to an object in Unity Catalog (such as a table or view), the request is sent to one or more configured destinations. Destinations can be any of the following:

  • Email addresses

  • Slack channels

  • Microsoft Teams channels

  • Webhook endpoints

  • A redirect URL (to your organization's external access request system)

    Only one redirect URL can be configured per object. If a URL is set, no other destinations can be set and users are redirected to that URL instead of seeing the in-product request form.

How access request destinations work

Access request destinations can be configured on any object in Unity Catalog, including metastores, catalogs, schemas, tables, volumes, views, storage credentials, service credentials, external locations, and connections. If an object has an access request destination configured, users can request access if they have the BROWSE privilege or a direct URL to the object.

When submitting a request, users can request access for one or more principals. This includes themselves, service principals, other users, or groups. The request is routed to the configured destinations.

If multiple destinations are configured, the request is sent to all of them. If no destination is configured, users cannot request access to the object. By default, objects do not have a configured destination. However, as a metastore admin and workspace admin, you can enable default email destinations to deliver access requests to the appropriate owner, even when no destination is explicitly configured.

If a redirect URL is configured, users are taken to that URL and do not see the access request form. Workspace admins can configure external destinations by following the instructions in Manage notification destinations.

Destination inheritance behavior

When you configure a destination at higher levels of the Unity Catalog object hierarchy, it also applies to all child objects that don't already have a destination. For example, if you configure a destination on a catalog, this destination is inherited by all schemas and objects under the catalog, except for those that already have a destination.

Access request destination inheritance example

Enable default email destinations

Databricks recommends enabling default email destinations. This ensures that access requests are delivered even when no destination is manually configured. When enabled, requests for catalog objects are sent to the catalog owner’s email address, and requests for objects outside a catalog, such as external locations, are sent to the object owner’s email address.

Tip

Enabling default email destinations ensures that access requests are delivered even when no destination is manually configured for an object. This is the fastest way to start receiving and responding to requests across your Unity Catalog metastore.

To enable default destinations, you must be both a metastore admin and workspace admin.

  1. In the upper-right corner of your workspace, click your profile photo and select Settings.
  2. Click Notifications.
  3. Turn on Enable default email destinations for access requests in UC.
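
The routing rules described above (nearest configured ancestor wins, a redirect URL excludes other destinations, and the owner email is used as a fallback when default email destinations are enabled) can be modeled for audit purposes. This is an added example, not Databricks code: the `Securable` class, the function names, and all object names and addresses are hypothetical, and it assumes an inherited destination takes precedence over the default email fallback.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Securable:
    name: str
    kind: str                      # "metastore", "catalog", "schema", "table", ...
    owner_email: str
    parent: Optional["Securable"] = None
    destinations: list = field(default_factory=list)  # [(type, target), ...]


def set_destinations(obj, destinations):
    """Configure destinations on one object, enforcing redirect-URL exclusivity."""
    kinds = [kind for kind, _ in destinations]
    if "redirect_url" in kinds and len(destinations) != 1:
        raise ValueError("a redirect URL must be the only destination on an object")
    obj.destinations = list(destinations)


def effective_destinations(obj, default_email_enabled=False):
    """Return (destinations, source); ([], "none") means requests are not possible."""
    node = obj
    while node is not None:        # walk up: the nearest configured level wins
        if node.destinations:
            source = "own" if node is obj else f"inherited from {node.name}"
            return node.destinations, source
        node = node.parent
    if default_email_enabled:
        # Objects in a catalog route to the catalog owner; others to their own owner.
        node = obj
        while node is not None and node.kind != "catalog":
            node = node.parent
        return [("email", (node or obj).owner_email)], "default owner email"
    return [], "none"


def build_sample():
    """Constructed hierarchy: one table in a catalog, one external location."""
    ms = Securable("ms", "metastore", "admin@example.com")
    cat = Securable("main", "catalog", "cat-owner@example.com", ms)
    sch = Securable("main.sales", "schema", "schema-owner@example.com", cat)
    tbl = Securable("main.sales.orders", "table", "tbl-owner@example.com", sch)
    ext = Securable("landing", "external_location", "ext-owner@example.com", ms)
    return ms, cat, sch, tbl, ext
```

An object whose result is `([], "none")` is one where users cannot request access at all.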

Configure access request destinations on an object

To configure access request destinations on an object, you must either be the object owner, have the MANAGE privilege on the object, or be a metastore admin.

The steps in this section show how to configure access request destinations using Catalog Explorer. You can also configure destinations using the Access Request Destinations API.

Configure destinations for existing objects

  1. In your Databricks workspace, click Catalog.

  2. Select a securable object.

  3. Click the kebab menu and select Manage access request destinations.

  4. Choose one or more email or external destinations, or configure a redirect URL. If a URL is selected, no other destination types can be added.

    Configure an access request destination.

  5. Click Update.

Configure destinations when creating a catalog

  1. In your Databricks workspace, click Catalog.
  2. Click the plus icon. Then, click Create a catalog.
  3. Enter a name for your catalog, then click Create catalog.
  4. In the next modal, click Configure catalog.
  5. Under the Access Requests section, add, modify, or remove destinations as necessary. The email of the catalog owner is included as a destination by default.

Configure an access request destination for a new catalog.

  6. Click Next, then click Save.

Destinations are inherited in the Unity Catalog object hierarchy. When creating a schema within a catalog that has an access request destination, the Create a new schema modal mentions the inherited destinations:

Access request destinations listed in new schema modal

To modify these destinations on the schema, see Configure destinations for existing objects.

Access request examples

The following section shows examples for access requests sent to different destinations.

Email

Access request emails are sent from noreply@databricks.com.

Request for access email destination.

Slack

Request for access Slack destination.

Webhook (JSON)

{
  "requesterName": "<first-name> <last-name> (<email>)",
  "objectName": "<catalog>.<schema>.<table>",
  "objectType": "Table",
  "privileges": "SELECT",
  "principalName": "<group-name>",
  "onBehalfOf": "<group-name>",
  "onBehalfOfType": "Group",
  "comment": "My team needs access to run queries on this table.",
  "databricksWorkspaceUrl": "https://<account>.databricks.com/explore/data/<catalog>/<schema>/<table>?o=<table-id>&activeTab=permissions&showGrantModal=true&requestedPrivileges=SELECT&groupId=<group-id>"
}
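
A webhook receiver should check this payload before forwarding it to an approver, because the approver acts on the embedded link. The following is an added example, not Databricks code: the function name, the pinned host, and the sample values are constructed, `comment` is assumed to be optional, and the privilege cross-check assumes the link repeats the body's `privileges` value as it does in the sample above.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Fields from the sample payload; "comment" is treated as optional (assumption).
REQUIRED = ("requesterName", "objectName", "objectType", "privileges",
            "principalName", "onBehalfOf", "onBehalfOfType",
            "databricksWorkspaceUrl")
EXPECTED_HOST = "example-account.databricks.com"  # constructed placeholder

# Constructed sample body in the shape shown above (all values are made up).
SAMPLE_BODY = json.dumps({
    "requesterName": "Ada Example (ada@example.com)",
    "objectName": "main.sales.orders",
    "objectType": "Table",
    "privileges": "SELECT",
    "principalName": "analysts",
    "onBehalfOf": "analysts",
    "onBehalfOfType": "Group",
    "comment": "My team needs access to run queries on this table.",
    "databricksWorkspaceUrl": "https://example-account.databricks.com/explore/data/"
        "main/sales/orders?o=1&activeTab=permissions&showGrantModal=true"
        "&requestedPrivileges=SELECT&groupId=42",
}).encode()


def validate_access_request(raw, expected_host=EXPECTED_HOST):
    """Return a normalized request dict, or raise ValueError if the body is unsafe."""
    try:
        body = json.loads(raw)
    except ValueError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    bad = [k for k in REQUIRED if not isinstance(body.get(k), str) or not body[k]]
    if bad:
        raise ValueError(f"missing or non-string fields: {bad}")
    url = urlsplit(body["databricksWorkspaceUrl"])
    # An approver clicks this link, so it must use HTTPS and the pinned workspace host.
    if url.scheme != "https" or url.hostname != expected_host:
        raise ValueError(f"approval link points at unexpected host {url.hostname!r}")
    # Assumption from the sample only: the link repeats the requested privileges.
    linked = parse_qs(url.query).get("requestedPrivileges", [""])[0]
    if linked != body["privileges"]:
        raise ValueError("privileges in body and approval link differ")
    return {"requester": body["requesterName"], "object": body["objectName"],
            "privileges": body["privileges"],
            "on_behalf_of": (body["onBehalfOfType"], body["onBehalfOf"]),
            "approval_link": body["databricksWorkspaceUrl"]}
```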

For information on how to integrate webhooks with common tools, see the following:

Approve an access request

To approve an access request, follow the link in your access request notification. The link opens a modal dialog in your workspace that displays the requester, object, and requested privileges.

Review a request for access.

Next, select one of the following approval methods:

  • Add principal to group(s) to add the requester to one or more existing groups that have at least one of the requested privileges.

    Grant a request for access using a group.

  • Grant privileges to principal to give them access to the object directly. You can also select privilege presets, such as Data Reader, to grant a user a collection of privileges.

    Grant a request for access using privileges.