Granting to Groups for Databricks Unity Catalog

Databricks is pushing toward group-based grants as the scalable way to manage Unity Catalog access. To align with this direction and avoid running into Databricks privilege limits as environments grow, Immuta is changing how we instrument grants behind the scenes by transitioning from direct user grants to group grants for group-based access paths.

This is a back-end update with no consumer-facing impact. However, there is one significant administrative change: granting to groups requires Immuta to have workspace admin privileges.

Current model: direct user grants

Databricks access control is based on principals (users, service principals, and groups) rather than database roles. In our current Databricks integration, Immuta effectively manages access at the user level.

  • Users may already have Unity Catalog privileges granted outside of Immuta.

  • Immuta does not have a reliable way to distinguish which specific Databricks privileges on Immuta-managed data were created by Immuta versus granted out of band.

  • When Immuta needs to grant access via an Immuta group, individual Databricks grants are generated for every Databricks user in that group.

New model: group grants

Under the new model, Immuta will treat group-based access as group-based privileges in Databricks.

  • For manual group grants and automatic subscription policies, Immuta will generate one Databricks grant per group (instead of one per user).

  • Immuta will also manage the group’s membership so the right users inherit access via the group.

  • Immuta requires the ability to create and manage Databricks groups and memberships, which requires workspace admin privileges.

What behavior stays the same:

  • Manual subscriptions to individual users will continue to result in direct user grants.

  • No UI changes, no workflow changes, no concept changes. This is purely a back-end shift in how Immuta issues Databricks grants.

Moving to group grants dramatically reduces the number of privilege entries per securable object. Databricks limits still apply, but the group grants model makes it easier to stay within these limits.

  • Direct group memberships: A principal can be a member of up to 1,500 groups

  • Unity Catalog privileges per object: 4,000 privileges for parent objects and 1,000 privileges for non-parent objects

  • Groups per account: Limit of 5,000 groups
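
To make the difference between the two models concrete, here is an added capacity check (constructed for this page, not Immuta's or Databricks' code) that counts the privilege entries one securable would carry under the direct-user model versus the group model and compares them with the limits listed above; the group names, user addresses and table name are constructed sample values.

```python
from dataclasses import dataclass, field

# Databricks limits quoted on this page.
MAX_PRIVILEGES_PARENT = 4000       # catalogs and schemas
MAX_PRIVILEGES_NON_PARENT = 1000   # tables, views and other leaf objects
MAX_GROUPS_PER_PRINCIPAL = 1500

@dataclass
class Securable:
    """One Immuta-managed object and the principals Immuta must grant access to."""
    name: str
    is_parent: bool                          # True for a catalog or schema
    groups: dict[str, set[str]]              # Immuta group -> its Databricks users
    direct_users: set[str] = field(default_factory=set)  # manual user subscriptions

def privilege_entries(obj: Securable, model: str) -> int:
    """Principal entries Immuta creates on the object under the given model."""
    if model == "user":
        # Current model: one grant per distinct user, reached via a group or a
        # manual subscription (a user in two groups is still one principal).
        return len(set().union(obj.direct_users, *obj.groups.values()))
    if model == "group":
        # New model: one grant per group; manual subscriptions stay user grants.
        return len(obj.groups) + len(obj.direct_users)
    raise ValueError(f"unknown model: {model}")

def within_object_limit(obj: Securable, model: str) -> bool:
    cap = MAX_PRIVILEGES_PARENT if obj.is_parent else MAX_PRIVILEGES_NON_PARENT
    return privilege_entries(obj, model) <= cap

def memberships_over_limit(objs: list[Securable]) -> set[str]:
    """Users in more distinct groups than Databricks allows (groups are account-wide)."""
    groups_of: dict[str, set[str]] = {}
    for obj in objs:
        for group, members in obj.groups.items():
            for user in members:
                groups_of.setdefault(user, set()).add(group)
    return {u for u, g in groups_of.items() if len(g) > MAX_GROUPS_PER_PRINCIPAL}

def _users(lo: int, hi: int) -> set[str]:
    return {f"user{i}@example.com" for i in range(lo, hi)}

# Constructed sample: three overlapping groups (1,200 distinct users) plus
# 20 manual subscriptions, all on one table (a non-parent object).
SAMPLE_TABLE = Securable(
    name="main.sales.orders", is_parent=False,
    groups={"analysts": _users(0, 500), "finance": _users(400, 850), "ops": _users(800, 1200)},
    direct_users=_users(1200, 1220),
)
```

For the sample table, the direct-user model needs 1,220 entries and exceeds the 1,000-entry limit for a non-parent object, while the group model needs 23.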

Grant the Immuta service principal workspace admin permissions

This new model requires the Immuta service principal to be a Unity Catalog workspace admin in order to create and manage groups. To grant the Immuta service principal workspace admin permissions:

  1. In your Databricks workspace, navigate to Settings.

  2. Under Identity and access, click Users and find the Immuta service principal you created.

  3. Under that user’s Entitlements, switch the Admin access toggle to On.
