Configure Databricks permissions
Before setting up the Databricks data source for Data Access, configure the underlying data source with the required permissions to allow Data Access to synchronize data objects, accounts, and access controls.
Although you can use individual user credentials to run a Data Access synchronization, we highly recommend that you create a dedicated Databricks service principal.
Steps
To configure Databricks permissions for Data Access:
- In the Databricks account console, click User management > Service principals > Add service principal, and then add a service principal.
- Create an OAuth secret for the service principal, and then record the client ID and secret for later use.
- Assign an account admin role to the service principal. This allows the principal to read all users, groups, and service principals at the account level, and to manage workspace assignments.Important When adding the Databricks data source to Data Access, you can use the Account Level Access option to control whether Data Access requires full administrative access. By default, the Account Level Access option is enabled, meaning that administrative access is required.
- If Data Access requires administrative access: Complete the current step.
- If Data Access does not require administrative access: Skip the current step, and then go to the next step. However, when adding the data source to Data Access, you need to manually define your Metastore Workspace Pairs by providing a list of entries, where each entry maps one metastore ID to one or more workspace deployment names. Disabling account-level access also prevents Data Access from managing workspace-level access.
- Assign a workspace admin role to the service principal for each workspace that you want to synchronize with Data Access. This allows the principal to manage workspace-level access.
- Grant the service principal the required privileges on your catalogs by using one of the following options.
Option Description Metastore admin (preferred option) Assign the service principal as a metastore admin for each metastore that is included in the synchronization.
This allows Data Access to grant itself the required privileges on each catalog as they are needed. The exact privileges that are granted depend on the operation being performed.
Explicit MANAGE privilege An administrator grants the
MANAGEprivilege to the service principal on each catalog of each metastore that Data Access manages.This still allows Data Access to grant itself the required privileges on those catalogs. If Data Access cannot grant itself the required privileges on a catalog, it skips that catalog with a warning and continues the synchronization for the remaining catalogs. This occurs if Data Access is not the catalog owner, does not have the
MANAGEprivilege, and is not a metastore administrator.