
policies command group

Note

This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The policies command group within the Databricks CLI allows you to manage Attribute-Based Access Control (ABAC) policies in Unity Catalog. ABAC provides high-leverage governance for enforcing compliance policies. With ABAC policies, access is controlled in a hierarchical and scalable manner, based on data attributes rather than specific resources. Callers must have the MANAGE privilege on a securable to view, create, update, or delete ABAC policies.

databricks policies create-policy

Create an ABAC policy on a securable. The new policy applies to the securable and all its descendants.

databricks policies create-policy TO_PRINCIPALS FOR_SECURABLE_TYPE POLICY_TYPE [flags]

Arguments

TO_PRINCIPALS

    List of user or group names that the policy applies to.

FOR_SECURABLE_TYPE

    Type of securables that the policy should take effect on. Supported values: CATALOG, CLEAN_ROOM, CONNECTION, CREDENTIAL, EXTERNAL_LOCATION, EXTERNAL_METADATA, FUNCTION, METASTORE, PIPELINE, PROVIDER, RECIPIENT, SCHEMA, SHARE, STAGING_TABLE, STORAGE_CREDENTIAL, TABLE, VOLUME

POLICY_TYPE

    Type of the policy. Supported values: POLICY_TYPE_COLUMN_MASK, POLICY_TYPE_ROW_FILTER

Options

--comment string

    Optional description of the policy.

--json JSON

    The inline JSON string or the @path to the JSON file with the request body.

--name string

    Name of the policy.

--on-securable-fullname string

    Full name of the securable on which the policy is defined.

--on-securable-type SecurableType

    Type of the securable on which the policy is defined. Supported values: CATALOG, CLEAN_ROOM, CONNECTION, CREDENTIAL, EXTERNAL_LOCATION, EXTERNAL_METADATA, FUNCTION, METASTORE, PIPELINE, PROVIDER, RECIPIENT, SCHEMA, SHARE, STAGING_TABLE, STORAGE_CREDENTIAL, TABLE, VOLUME

--when-condition string

    Optional condition when the policy should take effect.

Global flags

Examples

The following example creates a row filter policy:

Bash
databricks policies create-policy "data-engineers" TABLE POLICY_TYPE_ROW_FILTER --name "pii-filter" --on-securable-type TABLE --on-securable-fullname "main.default.customers"

databricks policies delete-policy

Delete an ABAC policy defined on a securable.

databricks policies delete-policy ON_SECURABLE_TYPE ON_SECURABLE_FULLNAME NAME [flags]

Arguments

ON_SECURABLE_TYPE

    Required. The type of the securable to delete the policy from.

ON_SECURABLE_FULLNAME

    Required. The fully qualified name of the securable to delete the policy from.

NAME

    Required. The name of the policy to delete.

Options

Global flags

Examples

The following example deletes a policy:

Bash
databricks policies delete-policy TABLE main.default.customers pii-filter
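
Because a policy applies to a securable and all its descendants, deleting one changes access for everything beneath it. The following added example (not part of the Databricks documentation) saves the definition with get-policy before calling delete-policy and deletes only if the snapshot succeeded; the function name, the BACKUP_DIR argument and the snapshot file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Databricks code: snapshot an ABAC policy, then delete it.
# Usage: backup_and_delete_policy ON_SECURABLE_TYPE ON_SECURABLE_FULLNAME NAME BACKUP_DIR
# BACKUP_DIR and the snapshot file name layout are assumptions of this example.
backup_and_delete_policy() (
  [ "$#" -eq 4 ] || {
    echo "usage: backup_and_delete_policy TYPE FULLNAME NAME BACKUP_DIR" >&2
    exit 2
  }
  stype=$1 fullname=$2 name=$3 dir=$4

  umask 077                    # snapshots describe access rules; keep them private
  mkdir -p "$dir" || exit 1

  # Build a filesystem-safe file name from the three identifying arguments.
  safe=$(printf '%s' "$stype.$fullname.$name" | tr -c 'A-Za-z0-9._-' '_')
  out="$dir/$safe.json"
  [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; exit 1; }

  # Fetch the definition with the global -o json flag. Write to a temp file
  # first so a failed or empty response never leaves a misleading snapshot.
  tmp="$out.tmp.$$"
  if ! databricks policies get-policy "$stype" "$fullname" "$name" -o json > "$tmp" \
     || [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo "could not snapshot policy '$name'; not deleting" >&2
    exit 1
  fi
  mv "$tmp" "$out"

  # Only reached when a non-empty snapshot is on disk.
  databricks policies delete-policy "$stype" "$fullname" "$name" || exit 1
  echo "deleted '$name' from $stype $fullname; snapshot: $out" >&2
)
```

For example: backup_and_delete_policy TABLE main.default.customers pii-filter ./policy-backups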

databricks policies get-policy

Get the policy definition on a securable.

databricks policies get-policy ON_SECURABLE_TYPE ON_SECURABLE_FULLNAME NAME [flags]

Arguments

ON_SECURABLE_TYPE

    Required. The type of the securable to retrieve the policy for.

ON_SECURABLE_FULLNAME

    Required. The fully qualified name of the securable to retrieve the policy for.

NAME

    Required. The name of the policy to retrieve.

Options

Global flags

Examples

The following example gets a policy:

Bash
databricks policies get-policy TABLE main.default.customers pii-filter

databricks policies list-policies

List all policies defined on a securable. Optionally, the list can include inherited policies defined on the securable's parent schema or catalog.

databricks policies list-policies ON_SECURABLE_TYPE ON_SECURABLE_FULLNAME [flags]

Arguments

ON_SECURABLE_TYPE

    Required. The type of the securable to list policies for.

ON_SECURABLE_FULLNAME

    Required. The fully qualified name of the securable to list policies for.

Options

--include-inherited

    Optional. Whether to include inherited policies from parent securables.

--max-results int

    Optional. Maximum number of results to return.

--page-token string

    Optional. Page token from a previous list call.

Global flags

Examples

The following example lists policies on a table:

Bash
databricks policies list-policies TABLE main.default.customers

The following example lists policies including inherited ones:

Bash
databricks policies list-policies TABLE main.default.customers --include-inherited

databricks policies update-policy

Update an ABAC policy on a securable.

databricks policies update-policy ON_SECURABLE_TYPE ON_SECURABLE_FULLNAME NAME TO_PRINCIPALS FOR_SECURABLE_TYPE POLICY_TYPE [flags]

Arguments

ON_SECURABLE_TYPE

    Required. The type of the securable to update the policy for.

ON_SECURABLE_FULLNAME

    Required. The fully qualified name of the securable to update the policy for.

NAME

    Required. The name of the policy to update.

TO_PRINCIPALS

    List of user or group names that the policy applies to.

FOR_SECURABLE_TYPE

    Type of securables that the policy should take effect on. Supported values: CATALOG, CLEAN_ROOM, CONNECTION, CREDENTIAL, EXTERNAL_LOCATION, EXTERNAL_METADATA, FUNCTION, METASTORE, PIPELINE, PROVIDER, RECIPIENT, SCHEMA, SHARE, STAGING_TABLE, STORAGE_CREDENTIAL, TABLE, VOLUME

POLICY_TYPE

    Type of the policy. Supported values: POLICY_TYPE_COLUMN_MASK, POLICY_TYPE_ROW_FILTER

Options

--comment string

    Optional description of the policy.

--json JSON

    The inline JSON string or the @path to the JSON file with the request body.

--name string

    Name of the policy.

--on-securable-fullname string

    Full name of the securable on which the policy is defined.

--on-securable-type SecurableType

    Type of the securable on which the policy is defined.

--update-mask string

    Optional. Field mask specifying which fields to update.

--when-condition string

    Optional condition when the policy should take effect.

Global flags

Examples

The following example updates a policy:

Bash
databricks policies update-policy TABLE main.default.customers pii-filter "data-engineers,data-scientists" TABLE POLICY_TYPE_ROW_FILTER

Global flags

--debug

    Whether to enable debug logging.

-h or --help

    Display help for the Databricks CLI or the related command group or the related command.

--log-file string

    A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.

--log-format format

    The log format type, text or json. The default value is text.

--log-level string

    A string representing the log format level. If not specified then the log format level is disabled.

-o, --output type

    The command output type, text or json. The default value is text.

-p, --profile string

    The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified, the profile named DEFAULT is used if it exists.

--progress-format format

    The format to display progress logs: default, append, inplace, or json.

-t, --target string

    If applicable, the bundle target to use.