
Databricks Enterprise Role-Based Access Control

v20260311
databricks-enterprise-rbac
Configure Databricks enterprise SSO, Unity Catalog privileges, cluster policies and SQL warehouse permissions to implement team role-based access control and organizational governance.
140 downloads

Databricks Enterprise RBAC

Overview

Implement access control across Databricks using Unity Catalog privileges, workspace-level entitlements, and SCIM-provisioned groups. Unity Catalog enforces a three-level namespace (catalog.schema.table) with privilege inheritance, so granting USAGE on a catalog cascades to its schemas.

Prerequisites

  • Databricks Premium or Enterprise tier with Unity Catalog enabled
  • Account-level admin access for SCIM and group management
  • Identity Provider supporting SAML 2.0 and SCIM 2.0

Instructions

Step 1: Create Account-Level Groups via SCIM

# Provision groups that map to IdP teams
databricks account groups create --json '{
  "displayName": "data-engineers",
  "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]
}'

databricks account groups create --json '{
  "displayName": "data-analysts",
  "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]
}'

Step 2: Grant Unity Catalog Privileges

-- Unity Catalog privileges are USE CATALOG / USE SCHEMA / CREATE TABLE;
-- USAGE and bare CREATE are legacy Hive metastore privileges and are not accepted here.

-- Data Engineers: full ETL access to bronze/silver, read gold
GRANT USE CATALOG ON CATALOG analytics TO `data-engineers`;
GRANT USE SCHEMA, CREATE TABLE, MODIFY, SELECT ON SCHEMA analytics.bronze TO `data-engineers`;
GRANT USE SCHEMA, CREATE TABLE, MODIFY, SELECT ON SCHEMA analytics.silver TO `data-engineers`;
GRANT USE SCHEMA, SELECT ON SCHEMA analytics.gold TO `data-engineers`;

-- Analysts: read-only on curated gold tables (no grant on bronze/silver at all)
GRANT USE CATALOG ON CATALOG analytics TO `data-analysts`;
GRANT USE SCHEMA, SELECT ON SCHEMA analytics.gold TO `data-analysts`;
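An added drift check for the grants above (example code, not part of this skill): it takes a constructed snapshot in SHOW GRANTS shape, expands catalog-level grants into each schema the way Unity Catalog inheritance does, and reports privileges that are missing and privileges that exceed the intended role, such as a catalog-wide SELECT that silently gives analysts bronze and silver. The group, schema and snapshot values are assumptions.

```python
from collections import defaultdict

CATALOG = "analytics"
SCHEMAS = ("bronze", "silver", "gold")
# Privileges each group should hold on each schema (mirrors Step 2).
INTENDED = {
    "data-engineers": {
        "bronze": {"USE SCHEMA", "CREATE TABLE", "MODIFY", "SELECT"},
        "silver": {"USE SCHEMA", "CREATE TABLE", "MODIFY", "SELECT"},
        "gold": {"USE SCHEMA", "SELECT"},
    },
    "data-analysts": {"gold": {"USE SCHEMA", "SELECT"}},
}

# Constructed snapshot in SHOW GRANTS shape: (principal, privilege, object_type, object_name).
SNAPSHOT = [
    ("data-engineers", "USE SCHEMA", "SCHEMA", "analytics.bronze"),
    ("data-engineers", "CREATE TABLE", "SCHEMA", "analytics.bronze"),
    ("data-engineers", "MODIFY", "SCHEMA", "analytics.bronze"),
    ("data-engineers", "SELECT", "SCHEMA", "analytics.bronze"),
    ("data-engineers", "USE SCHEMA", "SCHEMA", "analytics.silver"),
    ("data-engineers", "MODIFY", "SCHEMA", "analytics.silver"),  # CREATE TABLE and SELECT not granted
    ("data-engineers", "SELECT", "SCHEMA", "analytics.gold"),    # USE SCHEMA not granted
    ("data-analysts", "USE CATALOG", "CATALOG", "analytics"),    # opens the catalog, grants nothing inside it
    ("data-analysts", "USE SCHEMA", "SCHEMA", "analytics.gold"),
    ("data-analysts", "SELECT", "CATALOG", "analytics"),         # inherited by every schema: over-broad
]

def effective_grants(snapshot, catalog=CATALOG, schemas=SCHEMAS):
    """Expand catalog-level grants into each schema, as Unity Catalog inheritance does."""
    eff = defaultdict(set)
    for principal, priv, obj_type, name in snapshot:
        if obj_type == "CATALOG" and name == catalog and priv != "USE CATALOG":
            for schema in schemas:
                eff[(principal, schema)].add(priv)
        elif obj_type == "SCHEMA" and name.startswith(catalog + "."):
            eff[(principal, name.split(".", 1)[1])].add(priv)
    return eff

def grant_drift(intended, effective):
    """Return (missing, excess): sorted lists of (principal, schema, privilege) triples."""
    missing, excess = [], []
    keys = set(effective) | {(p, s) for p, m in intended.items() for s in m}
    for principal, schema in sorted(keys):
        want = intended.get(principal, {}).get(schema, set())
        have = effective.get((principal, schema), set())
        missing += [(principal, schema, p) for p in sorted(want - have)]
        excess += [(principal, schema, p) for p in sorted(have - want)]
    return missing, excess
```

In practice the snapshot would be loaded from `SHOW GRANTS ON SCHEMA ...` output or `system.information_schema.schema_privileges`, and the excess list is what a least-privilege review acts on first.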

Step 3: Apply Cluster Policies

{
  "name": "analyst-serverless-only",
  "definition": {
    "cluster_type": { "type": "fixed", "value": "sql" },
    "autotermination_minutes": { "type": "range", "maxValue": 30 },
    "num_workers": { "type": "range", "maxValue": 4 }
  }
}

Assign the policy to data-analysts so they cannot spin up expensive GPU clusters.

Step 4: Configure SQL Warehouse Permissions

# The Permissions API expects the entries wrapped in "access_control_list"
databricks permissions update sql/warehouses WAREHOUSE_ID --json '{
  "access_control_list": [
    {"group_name": "data-analysts", "permission_level": "CAN_USE"},
    {"group_name": "data-engineers", "permission_level": "CAN_MANAGE"}
  ]
}'

Step 5: Audit with System Tables

-- Privilege changes in the last 30 days. Unity Catalog logs GRANT/REVOKE as
-- action_name 'updatePermissions'; legacy table ACLs log grantPermission/revokePermission.
-- The OR branches are parenthesised so the date filter applies to every branch.
SELECT event_time, user_identity.email, action_name, request_params
FROM system.access.audit
WHERE (action_name = 'updatePermissions'
       OR action_name ILIKE '%grant%'
       OR action_name ILIKE '%revoke%')
  AND event_date > current_date() - INTERVAL 30 DAYS
ORDER BY event_time DESC;

Error Handling

Issue                        Cause                                    Solution
PERMISSION_DENIED on table   Missing USAGE on parent catalog/schema   Grant USAGE at each namespace level
SCIM sync fails              Expired bearer token                     Regenerate account-level PAT
Cluster start blocked        No matching cluster policy               Assign a permissive policy to the group
Cannot see SQL warehouse     Missing CAN_USE grant                    Add warehouse permission for the group

Examples

Basic usage: Apply databricks enterprise rbac to a standard project setup with default configuration options.

Advanced scenario: Customize databricks enterprise rbac for production environments with multiple constraints and team-specific requirements.

Output

  • Configuration files or code changes applied to the project
  • Validation report confirming correct implementation
  • Summary of changes made and their rationale

Resources

  • Official logging documentation
  • Community best practices and patterns
  • Related skills in this plugin pack
Info
Category Programming & Development
Name databricks-enterprise-rbac
Version v20260311
Size 3.99KB
Updated 2026-03-12
Language