This Authorizer supports the SaaS Authorization Management pattern. For more details, see the SaaS Authorization Management documentation.
SaaS Authorization Management provides out-of-the-box support for leading vendors such as Databricks. The Platform enables centralized policy management while supporting distributed deployment across an organization’s technology stack.
Integration is achieved through Policy Orchestration, which connects to SaaS vendors using their native APIs. This setup allows PlainID to discover, manage, and synchronize Authorization Policies across systems while leveraging vendor-specific capabilities.
Databricks Overview
Databricks is a cloud-based, unified analytics and AI platform. It enables organizations to process large-scale data using multiple programming languages (e.g., Python, SQL, R).
Databricks includes Unity Catalog, which is a centralized data catalog for all objects within Databricks. PlainID supports Policy Orchestration for Databricks only through the use of Unity Catalog.
Through integration with PlainID, organizations gain:
- Centralized, business-driven policy management for Databricks and other SaaS platforms.
- Dynamic access control using identity attributes, context, and group membership.
Databricks Authorization Model
Flow Description
In Unity Catalog, access to a securable object (e.g., Table or View) is evaluated through two key mechanisms:
- Privilege Assignment to Groups
  - Access is granted when the requesting user or service principal belongs to a group with the required SELECT privilege on the securable object, or on a higher-level container such as a schema or catalog.
- Policy Enforcement
  - If row-level or column-level Policies are defined, access is further refined based on the logic embedded in those functions. These Policies dynamically filter rows or mask columns depending on the user’s attributes, group membership, or session context.
Databricks Policies
PlainID enables the use of Databricks Functions to enforce fine-grained, dynamic access policies. Databricks Functions are scalar SQL expressions used to enforce data security policies through column masking and row-level filtering based on user context.
Row Filter Functions
Row filters enforce row-level access control by evaluating whether each row in a table should be visible to the querying user. This provides fine-grained access control, ensuring users only see data they’re authorized to view. Row filters return a Boolean value:
- TRUE: include the row in query results.
- FALSE: exclude the row from query results.
Column Mask Functions
Column masking enforces column-level data protection by applying a masking function at query execution. The function replaces each reference to the target column with either the original or a masked value, based on the querying user’s identity or attribute context. Masking ensures privacy and compliance by showing masked values to unauthorized users while preserving access for those permitted.
For details on implementing these policies, see Data Access Policies.
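The two mechanisms above, written out by hand in Databricks SQL as an added example (not functions generated by PlainID and not taken from the original page). The catalog, schema, table, column and group names are hypothetical.

```sql
-- Constructed example: every object and group name below is hypothetical.
CREATE TABLE IF NOT EXISTS demo.sales.orders (
  order_id       BIGINT,
  region         STRING,
  customer_email STRING,
  amount         DECIMAL(10,2)
);

-- Mechanism 1: privilege assignment to a group.
-- SELECT on the table only takes effect together with USE CATALOG and
-- USE SCHEMA on the containers that hold it.
GRANT USE CATALOG ON CATALOG demo TO `analysts`;
GRANT USE SCHEMA ON SCHEMA demo.sales TO `analysts`;
GRANT SELECT ON TABLE demo.sales.orders TO `analysts`;

-- Mechanism 2a: row filter. TRUE includes the row, FALSE excludes it.
-- COALESCE turns a NULL region into an explicit FALSE, and the ELSE branch
-- makes "no matching group" a default deny.
CREATE OR REPLACE FUNCTION demo.sales.orders_region_filter(region STRING)
RETURNS BOOLEAN
RETURN
  CASE
    WHEN is_account_group_member('global_analysts') THEN TRUE
    WHEN is_account_group_member('emea_analysts')
      THEN COALESCE(region = 'EMEA', FALSE)
    ELSE FALSE
  END;

ALTER TABLE demo.sales.orders
  SET ROW FILTER demo.sales.orders_region_filter ON (region);

-- Mechanism 2b: column mask. Every reference to customer_email is replaced
-- by the function's return value at query execution.
CREATE OR REPLACE FUNCTION demo.sales.email_mask(customer_email STRING)
RETURNS STRING
RETURN
  CASE
    WHEN is_account_group_member('pii_readers') THEN customer_email
    ELSE '***REDACTED***'
  END;

ALTER TABLE demo.sales.orders
  ALTER COLUMN customer_email SET MASK demo.sales.email_mask;

-- A member of `analysts` and `emea_analysts` who is not in `pii_readers`
-- sees only EMEA rows, each with customer_email shown as '***REDACTED***'.
SELECT order_id, region, customer_email, amount FROM demo.sales.orders;
```

Writing the default-deny branch explicitly in both functions keeps a user who holds `SELECT` but matches no policy group from seeing unfiltered or unmasked data.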