Foundation model Unity Catalog permissions
Foundation model Unity Catalog permissions is in preview. Reach out to your Databricks account team to enable this feature.
This page describes when and how account admins use foundation model Unity Catalog permissions to restrict which Databricks-hosted foundation models your organization can access. Admins can block specific models account-wide or grant model access to specific groups or users. The enforcement applies consistently across pay-per-token, provisioned throughput, and batch inference (AI Functions) workloads.
When to use foundation model Unity Catalog permissions
Use this feature only when legally required to restrict which specific models are open, such as:
- Export-controlled model families
- Vendor-restricted or region-restricted models
- Corporate policies prohibiting specific foundation models
For day-to-day governance, use:
system.billingfor cost tracking and attribution- AI Gateway for rate limits and request-level usage tracking
- Private Service Connect or private networking for secure connectivity
- Egress and network controls for restricting outbound traffic
How foundation model Unity Catalog permissions work
Foundation model Unity Catalog permissions use Unity Catalog permissions on the system.ai schema and individual model objects. By default, all users have EXECUTE permission on the system.ai schema, which opens all Databricks-hosted foundation models to users.
To restrict which models are open to users, admins remove the default EXECUTE permission from the schema and then selectively grant it on approved individual models. The system enforces permissions consistently across:
- Pay-per-token endpoints — automatically enforced
- Batch inference (AI Functions) — automatically enforced
- Provisioned throughput endpoints — require manual deletion of disallowed endpoints
The following sections provide step-by-step instructions for how to enforce model restrictions.
Requirements
- Unity Catalog must be enabled for your account.
- Account admin or Unity Catalog admin privileges.
- The feature must be enabled for your account. Reach out to your Databricks account team to enable it.
Step 1: Remove EXECUTE permission from the schema
Removing EXECUTE from the system.ai schema clears all default access to models. No user can invoke any model until permissions are explicitly re-granted.
- Go to Catalog. Select the system catalog, then the ai schema. Click the Permissions tab.
- Revoke
EXECUTEfrom All Users (or from all groups).
After you remove EXECUTE from the schema, pay-per-token and batch inference (AI Functions) calls to all models stop immediately. Provisioned throughput endpoints continue serving until manually deleted.
Step 2: Grant EXECUTE on approved models
For each model your organization approves, selectively grant EXECUTE privilege.
- In Catalog Explorer, under the system catalog, select ai > models, then your target model.
- Click the Permissions tab.
- Grant
EXECUTEto All Users, or to specific groups.
Repeat for each approved model. This creates an allow-list of permitted models.
Step 3: Remove disallowed provisioned throughput endpoints
Delete all provisioned throughput endpoints that serve a disallowed model. Active endpoints continue serving until removed.
Pay-per-token and batch inference (AI Functions) endpoints automatically enforce the new permissions. Provisioned throughput endpoints do not, so you must manually delete the disallowed endpoints.
Limitations
- Agent Bricks Knowledge Assistant: Knowledge Assistant does not support foundation model Unity Catalog permissions. Contact your Databricks account team before enabling this feature if you actively use Knowledge Assistant.