Databricks Native Policy Support


This guide outlines the supported functions for implementing data masking and row-level access control in Databricks when configuring Native Policies in the Platform Authorization Workspace. It covers the creation of policies, the application of functions to tables and columns, and the parameters required for each function. Understanding these constructs ensures proper configuration and enforcement of security policies in your Databricks environment.

Related Articles:

Creating Policies
Managing Policies
Databricks Setup


Masking

Masking functions in Databricks control access to sensitive data by transforming or hiding the values in specific columns. This section explains how to define a masking function, apply it to table columns, and supply the parameters it needs. A function parameter table at the end of the section gives more detail on each parameter.

Policy

A masking policy in Databricks is defined as a function that specifies how sensitive data should be masked.

CREATE [OR REPLACE] FUNCTION full_function_name 
([function_parameter [, ...]]) 
RETURNS data_type 
RETURN { expression | query };

Important Guidelines

See the Function Parameters table below for more details on full_function_name, function_parameter, data_type, and expression or query.

  • The full_function_name is the same name entered in the details section.
  • Must start with CREATE FUNCTION or CREATE OR REPLACE FUNCTION
  • Only one function per policy
  • A full (catalog.schema.function) name is required
  • The first function_parameter receives the value of the masked column, and data_type must match that column's type, because the function's result replaces the column value in query output

Columns

Once a masking function is defined, it can be applied to table columns to enforce data masking. This ensures that queries accessing these columns return masked results according to the function logic.

ALTER TABLE <full_table_name> ALTER COLUMN <column_name> 
SET MASK <full_function_name> [USING COLUMNS (<other_column_name> [, ...])];

Important Notes
  • Must start with ALTER TABLE
  • Multiple ALTER TABLE statements can be entered, separated by ;
  • Views are not supported
  • Columns listed in USING COLUMNS are passed to the function, in order, after the masked column itself
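The two steps above (define the masking function, then attach it to a column) as one complete example. This is an added illustration, not code from the original page or from the platform vendor. The catalog, schema, table, column names and the account group hr_admins are assumptions; the built-in functions is_account_group_member and regexp_replace are standard Databricks SQL.

```sql
-- Added example: mask an email column, with the rule depending on a second column.
-- Assumed names: catalog main, schema hr, table employees, columns email and region,
-- account group hr_admins. None of these come from the original page.

-- Step 1: the policy function. The first parameter receives the masked column's
-- value; the second is supplied by USING COLUMNS. The return type (STRING)
-- must match the type of the email column.
CREATE OR REPLACE FUNCTION main.hr.mask_email(email STRING, region STRING)
RETURNS STRING
RETURN CASE
  WHEN is_account_group_member('hr_admins') THEN email     -- privileged group sees clear text
  WHEN region = 'EU' THEN '***@***'                        -- full redaction for EU rows
  ELSE regexp_replace(email, '^[^@]+', '***')              -- elsewhere keep only the domain
END;

-- Step 2: attach it to the column. USING COLUMNS maps region to the
-- function's second parameter.
ALTER TABLE main.hr.employees ALTER COLUMN email
SET MASK main.hr.mask_email USING COLUMNS (region);

-- Check: run as a member of hr_admins and as a non-member. The non-member
-- should see '***@***' for EU rows and '***@example.com'-style values elsewhere.
SELECT email, region FROM main.hr.employees LIMIT 5;

-- To detach the mask again (standard Databricks syntax):
-- ALTER TABLE main.hr.employees ALTER COLUMN email DROP MASK;
```

The CASE falls through to the masked branches for every principal that is not in hr_admins, so a misspelled or missing group name degrades to "masked", not to "exposed". Keep that fail-closed ordering when writing your own functions: the unmask condition should be the explicit exception, and redaction the default.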

Function Parameters

The table below summarizes the parameters used when creating masking functions in Databricks, including their purpose and expected values.

Parameter             Description
full_function_name    The fully qualified name (catalog.schema.function), the same name entered in the details section
function_parameter    List of arguments to the function; the first receives the masked column's value, the rest are supplied by USING COLUMNS
data_type             Return type of the function; must match the masked column's type
expression or query   SQL expression or query that produces the masked value

Row Access

Row access functions in Databricks implement row-level security by filtering the rows returned for a query according to defined criteria. This section explains how to define a row access function, apply it to tables, and supply the parameters it needs. A function parameter table at the end of the section gives more detail on each parameter.

Policy

A row access policy is defined as a function that determines which rows a user can access.

CREATE [OR REPLACE] FUNCTION full_function_name 
([function_parameter [, ...]]) 
RETURNS data_type 
RETURN { expression | query };

Important Guidelines

See the Function Parameters table below for more details on full_function_name, function_parameter, data_type, and expression or query.

  • The full_function_name is the same name entered in the details section.
  • Must start with CREATE FUNCTION or CREATE OR REPLACE FUNCTION
  • Only one function per policy
  • A full (catalog.schema.function) name is required
  • data_type must be BOOLEAN: a row is returned only when the function evaluates to TRUE for it

Tables

After defining a row access function, it can be applied to specific tables to enforce row-level filtering. This ensures that only rows meeting the function criteria are returned in query results.

ALTER TABLE <full_table_name> SET ROW FILTER <full_function_name> ON (<column_name> [, ...]);

Important Guidelines
  • Must start with ALTER TABLE
  • Multiple ALTER TABLE statements can be entered, separated by ;
  • Views are not supported
  • A full (catalog.schema.table) name is required
  • Columns listed in ON are passed to the function as its parameters, in order
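The two steps above (define the row access function, then attach it to a table) as one complete example. This is an added illustration, not code from the original page or from the platform vendor. The catalog, schema, table, column names and the account groups hr_admins, eu_analysts and us_analysts are assumptions; is_account_group_member is a standard Databricks SQL built-in.

```sql
-- Added example: restrict rows by region according to group membership.
-- Assumed names: catalog main, schema hr, table employees, column region,
-- account groups hr_admins, eu_analysts, us_analysts. None come from the original page.

-- Step 1: the policy function. It must return BOOLEAN; its single parameter
-- is supplied by the ON (...) clause when the filter is attached.
CREATE OR REPLACE FUNCTION main.hr.region_filter(region STRING)
RETURNS BOOLEAN
RETURN
     is_account_group_member('hr_admins')                          -- admins see every row
  OR (region = 'EU' AND is_account_group_member('eu_analysts'))    -- EU rows for EU analysts
  OR (region = 'US' AND is_account_group_member('us_analysts'));   -- US rows for US analysts
  -- Any other combination (unlisted region, NULL region, no matching group)
  -- evaluates to FALSE or NULL, and such rows are not returned.

-- Step 2: attach it. ON (region) maps the column to the function's parameter.
ALTER TABLE main.hr.employees
SET ROW FILTER main.hr.region_filter ON (region);

-- Check: run as a member of eu_analysts only; every returned row should have region = 'EU'.
SELECT region, COUNT(*) AS rows_visible
FROM main.hr.employees
GROUP BY region;

-- To detach the filter again (standard Databricks syntax):
-- ALTER TABLE main.hr.employees DROP ROW FILTER;
```

Because only rows for which the function is TRUE are returned, a filter written as a disjunction of explicit allow conditions is fail-closed by construction: a NULL region or an unrecognised group hides the row rather than exposing it. Avoid the inverse pattern (NOT of a deny list), which exposes everything the deny list forgot.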

Function Parameters

The table below provides a concise summary of the parameters required when creating row access functions in Databricks, explaining the role of each in defining access control logic.

Parameter             Description
full_function_name    The fully qualified name (catalog.schema.function), the same name entered in the details section
function_parameter    List of arguments to the function, supplied in order by the columns listed in ON (...)
data_type             Return type of the function; must be BOOLEAN
expression or query   SQL expression or query that evaluates to TRUE for rows the caller may see

Masking and row access functions in Databricks give precise control over sensitive data at the column and row level. Creating the functions, applying them to tables, and following the parameter guidelines above ensure secure, predictable enforcement of data access rules.