This guide outlines the prerequisites and configuration steps required to enable SaaS Authorization Management for Databricks using PlainID.
Prerequisites
PlainID POP Service Principal
Ensure that you have a PlainID POP Service Principal. This must be assigned to PlainID and granted sufficient privileges to perform all Orchestration-related operations in Databricks.
To create a PlainID POP Service Principal:
- Create a dedicated PlainID POP Service Principal in Databricks. It must have the appropriate privileges for both LEARN and MANAGE modes.
- This Service Principal will own any Databricks functions created by PlainID in Manage Mode.
- It should have sufficient access to support Policy Discovery, Orchestration, and Management.
For more information, see Service Principals in Databricks.
Required Privileges
To support PlainID integration, you must configure a Databricks Service Principal. All required privileges should be granted either directly to the service principal or to a group it is a member of.
A group that includes the service principal must be assigned to the Databricks workspace where you intend to manage Policies.
For more information, refer to the Databricks documentation.
Privileges in Databricks are hierarchical and inherited. A privilege granted to a Service Principal on a top-level securable (such as a catalog or schema) automatically applies to all existing and future objects beneath it.
Privileges for Learn Mode
To use Learn Mode, grant the following privileges in Databricks:
Privilege | Purpose
---|---
SYSTEM.Information_Schema: SELECT | To enable full metadata access, grant SELECT on the following views under SYSTEM.Information_Schema: catalogs, schemata, catalog_privileges, schema_privileges, table_privileges, routine_privileges, views, routines, parameters, row_filters, column_masks, tables, and columns.
SYSTEM CATALOG: USE; CATALOG: USE (On Catalog) | Grants the ability to reference objects within the catalog.
CATALOG: BROWSE (On Catalog) | Grants the ability to view object metadata (via Catalog Explorer, schema browser, search results, lineage graph, information_schema, REST API). Required if using SCHEMA: USE. Note: This privilege is currently in Public Preview.
SYSTEM.Information_Schema SCHEMA: USE; SCHEMA: USE (On Schema) | Grants the ability to reference objects (Tables, Views, functions, etc.) within the catalog. Required if using TABLE: SELECT. Recommended: Use SCHEMA: USE on the Catalog level if you wish to grant permissions to all Schemas under the Catalog.
TABLE: SELECT, VIEW: SELECT | Grants the ability to query/read data from the Table or View. Note: This privilege is required on Tables/Views used as Identity Sources and for connecting functions to row filtering or column masking. Recommended: Use SCHEMA: SELECT on the Schema level if you wish to grant permissions to all Tables/Views under the Schema.
Additional Privileges for Manage Mode
In Manage Mode, the POP Service Principal must be granted the following privileges in addition to the Learn Mode privileges:
Privilege | Purpose
---|---
FUNCTION: CREATE (On Schema) | Grants the ability to create a function in the schema.
TABLE: MODIFY, VIEW: MODIFY | Grants the ability to modify, drop, or update the signature of functions on securable objects (for relevant tables). Recommended: Use SCHEMA: MODIFY on the Schema level if you wish to grant permissions to all Tables/Views under the Schema.
TABLE: MANAGE, VIEW: MANAGE | Grants the ability to assign/unassign functions on securable objects (for relevant schemas). Note: MANAGE is currently in Public Preview. Recommended: Use SCHEMA: MANAGE on the Schema level if you wish to grant permissions to all Tables/Views under the Schema.
Refer to the official Databricks documentation for more information on Unity Catalog privileges.
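The Learn Mode and Manage Mode tables above translated into Databricks SQL GRANT statements, as an added example that is not part of the PlainID or Databricks documentation. It assumes a placeholder service principal application ID `<pop-sp-app-id>`, a governed catalog named `sales` with a schema `sales.crm`, and that the statements are run by a metastore admin or the catalog owner; the final query is the check a practitioner would run to confirm the effective (including inherited) grants.

```sql
-- Added example, not the project's own code. Placeholders (assumptions):
-- `<pop-sp-app-id>` = POP service principal application ID,
-- `sales` / `sales.crm` = governed catalog and schema.

-- Learn Mode: metadata access through the system catalog
-- (the SELECT list from the table above is covered by one schema-level grant).
GRANT USE CATALOG ON CATALOG system TO `<pop-sp-app-id>`;
GRANT USE SCHEMA ON SCHEMA system.information_schema TO `<pop-sp-app-id>`;
GRANT SELECT ON SCHEMA system.information_schema TO `<pop-sp-app-id>`;

-- Learn Mode: the catalog PlainID discovers policies in.
GRANT USE CATALOG ON CATALOG sales TO `<pop-sp-app-id>`;
GRANT BROWSE ON CATALOG sales TO `<pop-sp-app-id>`;
-- Catalog-level USE SCHEMA is inherited by every existing and future schema.
GRANT USE SCHEMA ON CATALOG sales TO `<pop-sp-app-id>`;
-- Schema-level SELECT is inherited by every table and view in sales.crm,
-- which also covers identity-source tables and filter/mask targets.
GRANT SELECT ON SCHEMA sales.crm TO `<pop-sp-app-id>`;

-- Manage Mode additions: create, modify and assign/unassign functions.
GRANT CREATE FUNCTION ON SCHEMA sales.crm TO `<pop-sp-app-id>`;
GRANT MODIFY ON SCHEMA sales.crm TO `<pop-sp-app-id>`;
GRANT MANAGE ON SCHEMA sales.crm TO `<pop-sp-app-id>`;

-- Verification 1: effective grants on the schema, inherited ones included.
SHOW GRANTS `<pop-sp-app-id>` ON SCHEMA sales.crm;

-- Verification 2: the same from information_schema; inherited_from shows
-- which catalog-level grant a schema privilege came from (NONE if direct).
SELECT grantee, privilege_type, inherited_from
FROM system.information_schema.schema_privileges
WHERE catalog_name = 'sales'
  AND schema_name = 'crm'
  AND grantee = '<pop-sp-app-id>';
```

Review the output of the verification queries for grants beyond the two tables: anything extra widens what the POP Service Principal can do in the workspace.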
Creating a Databricks Policy Orchestration Point (POP)
Once the POP Service Principal is configured with the required privileges, ensure you have the following:
- An Orchestration Workspace. To create one, refer to Managing Workspaces.
- A Databricks POP. To create one, refer to Managing POPs.
To learn about switching modes, refer to our Orchestration Workspace documentation.
Connection Settings
To connect Databricks to PlainID, define the following connection fields:
Connection Field | Description
---|---
Discover Views | Enable to include Views along with Tables in the discovery process. (Default is false)
Authentication Method | Use a Service Principal for Databricks integration.
Secret Store | Choose the Secret Store where your credentials are stored. The default is PlainID Internal Store. The fields below change based on the chosen Store. For more information about External Secret Stores such as HashiCorp, Azure KeyVault, or AWS IAM for RDS or SM, refer to About Secret Stores.
Host | The Host URL is the base address of your Databricks workspace, used for API access and integrations. (e.g., https://...)
Client ID | A unique identifier for the service principal.
Client Secret | A confidential credential associated with the Client ID, used to authenticate and authorize the service principal. Only for use with the PlainID Internal Store.
Secret Key | The Secret Key of the External Secret Store. Only for use with External Secret Stores. Note: If opting to use a Secret Key, ensure that your Client Secret is set in your External Secret Store.
Warehouse ID | Unique identifier for a SQL warehouse in Databricks. (e.g., 1234abcd-56ef-78gh-90ij-123456klmno)
Function Discovery in PlainID
PlainID requires visibility into relevant functions to support policy discovery.
Only functions used for row filtering or column masking are discovered, and only if the Databricks POP service principal is either the Owner or has the EXECUTE privilege on them.
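A query a practitioner can run before enabling discovery to see which row-filter and column-mask functions the POP Service Principal will actually see, added here as an example that is not part of the PlainID documentation. It assumes the placeholder application ID `<pop-sp-app-id>` and the Databricks system.information_schema views named in the Learn Mode table (row_filters, column_masks, routines, routine_privileges); column names follow the Databricks information_schema reference and should be checked against your workspace if a column is missing.

```sql
-- Added example, not the project's own code.
-- Placeholder (assumption): '<pop-sp-app-id>' is the POP service principal's
-- application ID, which is how it appears as owner and grantee.

-- Every function currently attached to a table as a row filter or column mask.
WITH attached AS (
  SELECT DISTINCT filter_catalog AS fn_catalog, filter_schema AS fn_schema,
                  filter_name AS fn_name, 'row_filter' AS usage
  FROM system.information_schema.row_filters
  UNION
  SELECT DISTINCT mask_catalog, mask_schema, mask_name, 'column_mask'
  FROM system.information_schema.column_masks
)
SELECT a.fn_catalog, a.fn_schema, a.fn_name, a.usage, r.routine_owner,
       -- Discovery rule from the text: owner OR EXECUTE privilege.
       CASE
         WHEN r.routine_owner = '<pop-sp-app-id>' THEN 'discoverable (owner)'
         WHEN p.privilege_type IS NOT NULL THEN 'discoverable (EXECUTE)'
         ELSE 'NOT discoverable'
       END AS pop_visibility
FROM attached a
JOIN system.information_schema.routines r
  ON r.routine_catalog = a.fn_catalog
 AND r.routine_schema  = a.fn_schema
 AND r.routine_name    = a.fn_name
LEFT JOIN system.information_schema.routine_privileges p
  ON p.routine_catalog = a.fn_catalog
 AND p.routine_schema  = a.fn_schema
 AND p.routine_name    = a.fn_name
 AND p.grantee         = '<pop-sp-app-id>'
 AND p.privilege_type  = 'EXECUTE'
ORDER BY pop_visibility, a.fn_catalog, a.fn_schema, a.fn_name;
```

Rows marked "NOT discoverable" are the functions that will silently be missing from policy discovery until EXECUTE is granted or ownership is transferred.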
Authentication Method
Access to Databricks resources with a service principal
PlainID uses service principal authentication to establish a secure integration with Databricks. A service principal is a non-human identity used for automation and programmatic access; it lets tools run Databricks CLI commands or REST API calls with scoped credentials while preserving fine-grained access control.
For more information, see Service Principals in Databricks.