Configure Databricks permissions

Before you set up the Databricks data source for Data Access, configure the underlying data source with the required permissions to allow Data Access to synchronize data objects, accounts, and access controls.

Although you can run a Data Access synchronization with an individual user's credentials, we strongly recommend that you create a dedicated Databricks service principal so that the integration does not depend on a personal account and its privileges can be scoped and revoked independently.

Steps

  1. In the Databricks account console, click User management > Service principals > Add service principal, and then add a service principal.
  2. Create an OAuth secret for the service principal, and then record the client ID and secret for later use. The secret value is displayed only once, at creation time; store it in a secrets manager rather than in a notebook or script.
  3. Assign an account admin role to the service principal so that the principal can read all users and groups in the account.
    Important When you configure Databricks in Data Access, you can use the Account Level Access option to control whether Data Access requires full administrative access. By default, the Account Level Access option is enabled, meaning that administrative access is required.
    • If Data Access requires administrative access: Follow the current step.
    • If Data Access does not require administrative access: Skip the current step, and then go to the next step. However, when you configure Databricks in Data Access, you need to manually define your Metastore Workspace Pairs by providing a list of entries, where each entry maps one metastore ID to one or more workspace deployment names. Disabling account-level access also prevents you from managing workspace-level access.
  4. Assign a workspace admin role to the service principal for each workspace that you want to synchronize with Data Access.
  5. Grant the service principal the required privileges on your catalogs by using one of the following options.
    Option: Metastore admin (preferred option)

    Description: Assign the service principal as a metastore admin for each metastore that is included in the synchronization. This allows Data Access to automatically grant itself the required privileges on each catalog, including USE CATALOG, USE SCHEMA, MANAGE, and CREATE FUNCTION. These privileges are granted at the catalog level and propagate to all schemas and tables underneath. They are also granted selectively. For example, CREATE FUNCTION is granted only when a column mask or row filter needs to be created.

    Option: Explicit MANAGE privilege

    Description: An administrator grants the MANAGE privilege to the service principal on each catalog of each metastore that Data Access manages. This still allows Data Access to automatically grant itself the required privileges on those catalogs. If the service principal does not have the MANAGE privilege for a catalog, is not the catalog owner, and is not a metastore admin, Data Access skips the catalog with a warning and excludes it from the synchronization.
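The following Unity Catalog SQL is an added example for the explicit MANAGE option in step 5; it is not part of the original page or of the Data Access product. It assumes a catalog named sales and a service principal whose application (client) ID is 11111111-2222-3333-4444-555555555555; both values are placeholders. Run it in a SQL warehouse or notebook as the catalog owner or a metastore admin, because only those principals can grant MANAGE.

```sql
-- Added example, not from the original page. Catalog name and client ID are assumed.

-- 1. Confirm who owns the catalog: the grant below must be issued by the
--    owner or by a metastore admin, otherwise it fails.
DESCRIBE CATALOG EXTENDED sales;

-- 2. Grant MANAGE on the catalog to the service principal (referenced by its
--    application ID, in backticks). Data Access then grants itself
--    USE CATALOG, USE SCHEMA and, only when a row filter or column mask has
--    to be created, CREATE FUNCTION on this catalog.
GRANT MANAGE ON CATALOG sales TO `11111111-2222-3333-4444-555555555555`;

-- 3. Verify the grant for this principal only. If no MANAGE row appears
--    here and the principal is neither owner nor metastore admin, Data Access
--    skips the catalog with a warning.
SHOW GRANTS `11111111-2222-3333-4444-555555555555` ON CATALOG sales;

-- 4. Repeat steps 2 and 3 for every catalog in every metastore that Data
--    Access should synchronize.

-- Decommissioning: remove the grant when the integration is retired.
REVOKE MANAGE ON CATALOG sales FROM `11111111-2222-3333-4444-555555555555`;
```

Granting MANAGE at the catalog level is sufficient because Unity Catalog privileges on a catalog are inherited by the schemas and tables beneath it, so there is no need to grant anything on individual schemas.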

What's next

Create Edge connection for Databricks