Databricks RBAC Explained with Real Example (User A vs User B)
Role-Based Access Control (RBAC) in Databricks is one of the most important concepts for enterprise security. In this blog, we will explain RBAC step-by-step using a real-world example where User A can access a table and cluster but User B cannot.
What is RBAC in Databricks?
RBAC (Role-Based Access Control) means:
- Users do NOT get permissions directly
- Users are added to groups (roles)
- Permissions are granted to groups
- Users inherit permissions via group membership
Databricks enforces RBAC at multiple layers:
Identity → Workspace → Compute → Data (Unity Catalog)
Scenario Setup
Users
| User | Email |
|---|---|
| User A | alice@company.com |
| User B | bob@company.com |
Groups
| Group | Description |
|---|---|
| dbx-finance-team | Finance users |
| dbx-ml-team | ML users |
Resources
| Type | Name |
|---|---|
| Workspace | finance-prod |
| Cluster | finance-cluster |
| Catalog | finance |
| Schema | finance.gold |
| Table | finance.gold.transactions |
Step 0: Identity Setup (Azure AD → Databricks)
Azure Active Directory is the source of truth.
- alice → member of dbx-finance-team
- bob → member of dbx-ml-team
Using SCIM provisioning, users and groups are automatically created in Databricks.
Step 1: Workspace Access (First Gate)
Users must be assigned to a workspace to even enter it.
Workspace: finance-prod
| Group | Role |
|---|---|
| dbx-finance-team | User |
| dbx-platform-admins | Admin |
dbx-ml-team is NOT assigned
Result
| User | Workspace Access |
|---|---|
| Alice | ✅ Allowed |
| Bob | ❌ Blocked |
Step 2: Cluster Access (Second Gate)
Cluster: finance-cluster
| Group | Permission |
|---|---|
| dbx-finance-team | CAN_ATTACH_TO |
| dbx-platform-admins | CAN_MANAGE |
The workspace's default `users` group is removed from the cluster's permissions, so being a member of the workspace alone does not grant access to the cluster.
Result
| User | Cluster Visibility |
|---|---|
| Alice | ✅ Can see and use |
| Bob | ❌ Cannot see |
Step 3: Data Access Using Unity Catalog
Unity Catalog enforces fine-grained RBAC for data.
Permissions Granted
```sql
GRANT USE CATALOG ON CATALOG finance TO `dbx-finance-team`;
GRANT USE SCHEMA ON SCHEMA finance.gold TO `dbx-finance-team`;
GRANT SELECT ON TABLE finance.gold.transactions TO `dbx-finance-team`;
```
No permissions are granted to dbx-ml-team.
Step 4: Execution Trace (What Actually Happens)
User A (Alice)
```sql
SELECT * FROM finance.gold.transactions;
```
Permission evaluation:
- Workspace access → YES
- Cluster access → YES
- USE CATALOG → YES
- USE SCHEMA → YES
- SELECT TABLE → YES
Result: ✅ Query succeeds
User B (Bob)
```sql
SELECT * FROM finance.gold.transactions;
```
Permission evaluation:
- Workspace access → NO ❌
Result: ❌ Query fails immediately
Error Messages Bob Might See
- `PERMISSION_DENIED: User does not have USE CATALOG privilege`, or
- `Cluster not found`, or
- `User is not authorized to access workspace`
Key Mental Model
```text
USER
  ↓
GROUP
  ↓
WORKSPACE
  ↓
CLUSTER
  ↓
UNITY CATALOG
  ↓
TABLE
```
Access is denied at the first missing permission.
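The execution trace in Step 4 and the mental model above can be modelled as a short gate-by-gate evaluator. This is an added example written for this post, not Databricks code: the policy data is transcribed from the tables above, and the assumption that `CAN_MANAGE` also satisfies the attach check is labelled in the code.

```python
# Added example: a model of Databricks' layered RBAC evaluation for the
# scenario in this post (workspace -> cluster -> catalog -> schema -> table).
# Not Databricks code; policy data below is transcribed from the post's tables.

# Identity layer: group membership synced from Azure AD via SCIM.
GROUPS = {
    "alice@company.com": {"dbx-finance-team"},
    "bob@company.com": {"dbx-ml-team"},
}

# Workspace gate: groups assigned to the workspace (dbx-ml-team is absent).
WORKSPACE_ASSIGNMENTS = {"finance-prod": {"dbx-finance-team", "dbx-platform-admins"}}

# Cluster gate: default `users` group removed, only explicit grants remain.
CLUSTER_PERMISSIONS = {
    "finance-cluster": {"CAN_ATTACH_TO": {"dbx-finance-team"},
                        "CAN_MANAGE": {"dbx-platform-admins"}},
}

# Unity Catalog gates, mirroring the three GRANT statements in Step 3.
UC_GRANTS = {
    ("CATALOG", "finance"): {"USE CATALOG": {"dbx-finance-team"}},
    ("SCHEMA", "finance.gold"): {"USE SCHEMA": {"dbx-finance-team"}},
    ("TABLE", "finance.gold.transactions"): {"SELECT": {"dbx-finance-team"}},
}


def _holds(user, grantees):
    """RBAC rule: a user holds a privilege only through one of their groups."""
    return bool(GROUPS.get(user, set()) & grantees)


def evaluate_select(user, workspace, cluster, table):
    """Walk the gates in order. Returns (allowed, trace); the trace lists each
    check performed and stops at the first denial, as the post describes."""
    catalog, schema, _ = table.split(".")
    cluster_perms = CLUSTER_PERMISSIONS.get(cluster, {})
    gates = [
        ("Workspace access", WORKSPACE_ASSIGNMENTS.get(workspace, set())),
        # Assumption: CAN_MANAGE is treated as satisfying the attach check.
        ("Cluster access", cluster_perms.get("CAN_ATTACH_TO", set())
                           | cluster_perms.get("CAN_MANAGE", set())),
        ("USE CATALOG", UC_GRANTS.get(("CATALOG", catalog), {}).get("USE CATALOG", set())),
        ("USE SCHEMA", UC_GRANTS.get(("SCHEMA", f"{catalog}.{schema}"), {}).get("USE SCHEMA", set())),
        ("SELECT TABLE", UC_GRANTS.get(("TABLE", table), {}).get("SELECT", set())),
    ]
    trace = []
    for name, grantees in gates:
        ok = _holds(user, grantees)
        trace.append((name, ok))
        if not ok:
            return False, trace  # denied at the first missing permission
    return True, trace
```

Running `evaluate_select` for Alice yields five passing checks, while Bob's trace stops after the single failed workspace check, matching Step 4.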
Why This RBAC Model Is Secure
- Strong isolation between teams
- No accidental data exposure
- Centralized governance
- Easy onboarding and offboarding
- Fully auditable