---
title: "Databricks Setup"
slug: "databricks-setup"
updated: 2025-12-16T12:51:22Z
published: 2025-12-16T12:51:22Z
---

# Databricks Setup

This guide outlines the **prerequisites** and **configuration** steps required to enable SaaS Authorization Management for Databricks using PlainID.

---

## Prerequisites

**PlainID POP Service Principal**: Ensure that you have a PlainID POP Service Principal. It must be assigned to PlainID and granted sufficient privileges to perform all Orchestration-related operations in Databricks. **To create a PlainID POP Service Principal**:

- Create a dedicated **PlainID POP Service Principal** in Databricks. It must have the appropriate privileges for both **LEARN** and **MANAGE** modes.
  - This Service Principal will own any Databricks functions created by PlainID in Manage Mode.
  - It should have sufficient access to support Policy Discovery, Orchestration, and Management.

> For more information, see [Service Principals in Databricks](https://docs.databricks.com/aws/en/admin/users-groups/service-principals.html).

---

### Required Privileges

To support PlainID integration, you must configure a **Databricks Service Principal**. All required privileges should be granted either directly to the service principal or to a group it is a member of.

**A group that includes the service principal** must be assigned to the **Databricks workspace** where you intend to manage Policies.

> For more information, refer to the [Databricks documentation](https://docs.databricks.com/aws/en/admin/users-groups/manage-groups#assign-a-group-to-a-workspace).

Privileges in Databricks are **hierarchical** and **inherited**. A privilege granted to the Service Principal on a top-level securable (for example a catalog or schema) automatically applies to all existing and future objects beneath it.

#### Privileges for Learn Mode

To use Learn mode, grant the following privileges in Databricks:

| Privilege | Purpose |
| --- | --- |
| SYSTEM.Information_Schema: `SELECT` | To enable full metadata access, grant SELECT privileges on the following under SYSTEM.Information_Schema: `catalogs`, `schemata`, `catalog_privileges`, `schema_privileges`, `table_privileges`, `routine_privileges`, `views`, `routines`, `parameters`, `row_filters`, `column_masks`, `tables`, and `columns` |
| CATALOG: `USE` (On Catalog) | Grants the ability to reference objects within the catalog. |
| CATALOG: `BROWSE` (On Catalog) | Grants the ability to view object metadata (via Catalog Explorer, schema browser, search results, lineage graph, `information_schema`, REST API). **Required if using SCHEMA: `USE`** *Note: This privilege is currently in Public Preview.* |
| SCHEMA: `USE` (On Schema) | Grants the ability to reference objects (Tables, Views, functions, etc.) within the catalog. **Required if using TABLE: `SELECT`** **Recommended**: Use SCHEMA: `USE` on the Catalog level if you wish to grant permissions to all Schemas under the Catalog. |
| TABLE: `SELECT`, VIEW: `SELECT` | Grants the ability to query/read data from the Table or View. *Note: This privilege is required on Tables/Views used as Identity Sources and for connecting functions to row filtering or column masking.* **Recommended**: Use SCHEMA: `SELECT` on the schema level if you wish to grant permissions to all Tables/Views under the schema. |

---

#### Additional Privileges for Manage Mode

In **Manage Mode**, a POP Service Principal must also be granted the following additional privileges **in addition to [Learn Mode privileges](/v1/docs/databricks-setup#privileges-for-learn-mode)**:

| Privilege | Purpose |
| --- | --- |
| FUNCTION: `CREATE` (On Schema) | Grants the ability to create a function in the schema. |
| TABLE: `MODIFY`, VIEW: `MODIFY` | Grants the ability to modify, drop, or update the signature of functions on securable objects (for relevant tables). **Recommended**: Use SCHEMA: `MODIFY` on the Schema level if you wish to grant permissions to all Tables/Views under the schema. |
| TABLE: `MANAGE`, VIEW: `MANAGE` | Grants the ability to assign/unassign functions on securable objects (for relevant schemas). *Note: `Manage` is currently in Public Preview* **Recommended**: Use SCHEMA: `MANAGE` on the Schema level if you wish to grant permissions to all Tables/Views under the schema. |
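The Learn Mode and Manage Mode privilege tables above, expressed as Unity Catalog `GRANT` statements. This is an added example, not PlainID's or Databricks' own script; it assumes a placeholder service principal application ID `<pop-sp-app-id>` and a hypothetical catalog `sales` with a schema `crm` that PlainID will discover and manage.

```sql
-- Added example: grants for the PlainID POP Service Principal.
-- Replace <pop-sp-app-id> with the application ID of your service principal;
-- `sales` and `crm` are placeholder names for the objects PlainID should see.

-- Learn Mode, part 1: metadata access via SYSTEM.Information_Schema.
GRANT USE CATALOG ON CATALOG system TO `<pop-sp-app-id>`;
GRANT USE SCHEMA ON SCHEMA system.information_schema TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.catalogs           TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.schemata           TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.catalog_privileges TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.schema_privileges  TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.table_privileges   TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.routine_privileges TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.views              TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.routines           TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.parameters         TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.row_filters        TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.column_masks       TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.tables             TO `<pop-sp-app-id>`;
GRANT SELECT ON TABLE system.information_schema.columns            TO `<pop-sp-app-id>`;

-- Learn Mode, part 2: the data catalog PlainID should discover.
-- USE CATALOG lets the principal reference the catalog; BROWSE exposes
-- object metadata (required when SCHEMA: USE is granted).
GRANT USE CATALOG, BROWSE ON CATALOG sales TO `<pop-sp-app-id>`;

-- Least privilege: grant USE SCHEMA and SELECT on the specific schema whose
-- Tables/Views PlainID manages. Because privileges are inherited, this covers
-- every existing and future Table/View in `crm` without touching other schemas.
GRANT USE SCHEMA, SELECT ON SCHEMA sales.crm TO `<pop-sp-app-id>`;

-- Manage Mode: additional privileges on the same schema.
-- CREATE FUNCTION: create the functions PlainID owns in Manage Mode.
-- MODIFY: modify/drop/update function signatures on securable objects.
-- MANAGE: assign/unassign functions (row filters, column masks) on Tables/Views.
GRANT CREATE FUNCTION, MODIFY, MANAGE ON SCHEMA sales.crm TO `<pop-sp-app-id>`;

-- Verification: confirm the effective grants before configuring the POP.
SHOW GRANTS `<pop-sp-app-id>` ON CATALOG sales;
SHOW GRANTS `<pop-sp-app-id>` ON SCHEMA sales.crm;
```

Granting at the schema level (rather than the catalog level) keeps the POP's reach limited to the schemas it actually manages; widen to the catalog only when the page's "Recommended" shortcut is genuinely needed.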

Refer to the official Databricks documentation for more information on [Unity Catalog privileges](https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges).

---

## Creating a Databricks Policy Orchestration Point (POP)

Once the POP Service Principal is configured with the required privileges, ensure you have the following:

- An **Orchestration Workspace**. To create one, refer to [Managing Workspaces](/v1/docs/managing-workspaces).
- A Databricks POP. Refer to [Managing POPs](/v1/docs/managing-pops) to create one.

To learn about switching modes, refer to our [Orchestration Workspace](https://docs.plainid.io/v1/docs/orchestration-workspace) documentation.

---

## Connection Settings

To connect Databricks to PlainID, define the following connection fields:

| **Connection Field** | **Description** |
| --- | --- |
| **Discover Views** | Enable Discover Views to include Views along with Tables in the discovery process. (Default is false) |
| **Authentication Method** | Use a Service Principal for Databricks integration. |
| **Secret Store** | Choose a Secret Store where your credentials are stored. The default is **PlainID Internal Store**. The fields below change based on the chosen Store. For more information about **External Secret Stores** like **HashiCorp**, **Azure KeyVault**, or **AWS IAM for RDS or SM**, refer to [About Secret Stores](/v1/docs/about-secret-stores). |
| **Host** | The Host URL is the base address of your Databricks workspace, used for API access and integrations (e.g., `https://<workspace-name>.cloud.databricks.com`, or `https://<workspace-name>.azuredatabricks.net` for Azure). |
| **Client ID** | A unique identifier for the service principal. |
| **Client Secret** | A confidential credential associated with the Client ID, used to authenticate and authorize the service principal. Only for use with the **PlainID Internal Store**. |
| **Secret Key** | The Secret Key of the External Secret Store. Only for use with **[External Secret Stores](/v1/docs/about-secret-stores)**. *Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store.* |
| **Warehouse ID** | Unique identifier for a SQL warehouse in Databricks. (e.g., 1234abcd-56ef-78gh-90ij-123456klmno) |

---

## Function Discovery in PlainID

PlainID requires visibility into relevant functions to support policy discovery. Only functions that are applied to Tables used for **row filtering** or **column masking** are discovered, and only if the **Databricks POP service principal** is either the **Owner** or has the **EXECUTE privilege** on them.
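Checking the discovery precondition above in SQL: the POP service principal must own, or hold `EXECUTE` on, a function that is applied to a Table for row filtering or column masking. This is an added example, not PlainID's own; it assumes a placeholder application ID `<pop-sp-app-id>` and a hypothetical row-filter function `sales.crm.region_filter`, and the `row_filters` column names are taken from the `SYSTEM.Information_Schema` view listed under Learn Mode.

```sql
-- Added example: make a row-filter function discoverable by the POP.

-- Grant EXECUTE on the function when the POP service principal is not its owner.
GRANT EXECUTE ON FUNCTION sales.crm.region_filter TO `<pop-sp-app-id>`;

-- Confirm the principal now has EXECUTE (or is listed as owner).
SHOW GRANTS `<pop-sp-app-id>` ON FUNCTION sales.crm.region_filter;

-- Only functions actually applied to Tables are discovered: list where this
-- filter is attached. The POP needs SELECT on system.information_schema.row_filters
-- (a Learn Mode privilege) to run this same lookup itself.
SELECT table_catalog, table_schema, table_name, filter_name
FROM   system.information_schema.row_filters
WHERE  filter_schema = 'crm' AND filter_name = 'region_filter';
```

An empty result from the last query means the function exists but is not applied to any Table, so PlainID will not discover it regardless of the `EXECUTE` grant.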

---

## Authentication Method

### Access to Databricks resources with a service principal

PlainID leverages service principal authentication to establish a secure integration with Databricks. A service principal is a non-human identity used for automation and programmatic access, enabling tools to interact with Databricks CLI commands or REST API calls using scoped credentials while ensuring fine-grained access control.

> For more information, see [Service Principals in Databricks](https://docs.databricks.com/aws/en/admin/users-groups/service-principals.html).
