This guide outlines the prerequisites and configuration steps required to enable SaaS Authorization Management for Databricks using PlainID.
Prerequisites
PlainID POP Service Principal
Ensure that you have a PlainID POP Service Principal. This must be assigned to PlainID and granted sufficient privileges to perform all Orchestration-related operations in Databricks.
To create a PlainID POP Service Principal:
- Create a dedicated PlainID POP Service Principal in Databricks. It must have the appropriate privileges for both LEARN and MANAGE modes.
- This Service Principal will own any Databricks functions created by PlainID in Manage Mode.
- It should have sufficient access to support Policy Discovery, Orchestration, and Management.
For more information, see Service Principals in Databricks.
Required Privileges
To support PlainID integration, you must configure a Databricks Service Principal. All required privileges should be granted either directly to the service principal or to a group it is a member of.
Privileges in Databricks are hierarchical and inherited. Granting privileges to a Service Principal automatically applies to all existing and future objects in the top-level scope.
Privileges for Learn Mode
To use Learn mode, use the following privileges in Databricks:
| Privilege | Purpose |
|---|---|
SYSTEM.Information_Schema: SELECT |
To enable full metadata access, grant SELECT privileges on the following under SYSTEM.Information_Schema:catalogs, schemata, catalog_privileges, schema_privileges, table_privileges, routine_privileges, views, routines, parameters, row_filters, column_masks, tables, and columns |
SYSTEM CATALOG: USECATALOG: USE(On Catalog) |
Grants the ability to reference objects within the catalog. |
CATALOG: BROWSE (On Catalog) |
Grants the ability to view object metadata (via Catalog Explorer, schema browser, search results, lineage graph, information_schema, REST API). Required if using SCHEMA: USENote: This privilege is currently in Public Preview. |
SYSTEM.Information_Schema SCHEMA: USESCHEMA: USE (On Schema) |
Grants the ability to reference objects (Tables, Views, functions, etc.) within the catalog. Required if using TABLE: SELECT Recommended: Use SCHEMA: USE on the Catalog level if you wish to grant permissiosn to all Schemas under the Catalog. |
TABLE: SELECT, VIEW: SELECT |
Grants the ability to query/read data from the Table or View. Note: This privilege is required on Tables/Views used as Identity Sources and for connecting functions to row filtering or column masking. Recommended Use SCHEMA: SELECT on the schema level if you wish to grant permissions to all Tables/Views under the schema. |
Additional Privileges for Manage Mode
In Manage Mode, a POP Service Principal must also be granted the following additional privileges in addition to Learn Mode privileges:
| Privilege | Purpose |
|---|---|
FUNCTION: CREATE (On Schema) |
Grants the ability to create a function in the schema. |
TABLE: MODIFY, VIEW: MODIFY |
Grants the ability to modify, drop, or update the signature of functions on securable objects (for relevant tables). Recommended: Use SCHEMA: MODIFY on the Schema level if you wish to grant permissions to all Tables/Views under the schema. |
TABLE: MANAGE, VIEW: MANAGE |
Grants the ability to assign/unassign functions on securable objects (for relevant schemas). Note: Manage is currently in Public Preview Recommended: Use SCHEMA: MANAGE on the Schema level if you wish to grant permissions to all Tables/Views under the schema. |
Refer to the official Databricks documentation for more information on Unity Catalog privileges.
Creating a Databricks Policy Orchestration Point (POP)
Once the POP Service Principal is configured with the required privilege. Ensure you have the following:
- An Orchestration Workspace. To create one, refer to Managing Workspaces.
- A Databricks POP. Refer to Managing POPs to create one.
To learn about switching modes, refer to our Orchestration Workspace documentation.
Connection Settings
To connect Databricks to PlainID, define the following connection fields:
| Connection Field | Description |
|---|---|
| Discover Views | To Discover Views, enable Discover Views to include Views along with Tables in the discovery process. (Default is false) |
| Authentication Method | Use a Service Principal for Databricks integration. |
| Host | The Host URL is the base address of your Databricks workspace, used for API access and integrations. (eg., https:// |
| Client ID | A unique identifier for the service principal. |
| Client Secret | A confidential credential associated with the Client ID, used to authenticate and authorize the service principal. |
| Warehouse ID | Unique identifier for a SQL warehouse in Databricks. (e.g., 1234abcd-56ef-78gh-90ij-123456klmno) |
Function Discovery in PlainID
PlainID requires visibility into relevant functions to support policy discovery.
Only functions used for row filtering or column masking are discovered, and only if the Databricks POP service principal is either the Owner or has the EXECUTE privilege on them.
Authentication Method
Access to Databricks resources with a service principal
PlainID leverages service principal authentication to establish a secure integration with Databricks. A service principal is a non-human identity used for automation and programmatic access, enabling tools to interact with Databricks CLI commands or REST API calls using scoped credentials while ensuring fine-grained access control.
For more information, see Service Principals in Databricks.