# Register a Databricks Unity Catalog Connection The connection API is a REST API which allows users to register a Databricks Unity Catalog connection[^1] to Immuta with a single set of credentials rather than configuring an integration and creating data sources separately. Then Immuta can manage and enforce access controls on your data through that connection. To manage your connection, see the [Manage a connection reference guide](https://documentation.immuta.com/saas/developer-guides/api-intro/connections-api/how-to-guides/manage-a-connection). ## **Requirements** * **Immuta user** with the `APPLICATION_ADMIN` Immuta permission * [**Databricks service principal**](#user-content-fn-2)[^2] with the following privileges. For instructions on setting up this user, see the [Creating Databricks service principal section](#setting-up-the-required-databricks-service-principal): * `USE CATALOG` and `MANAGE` on all catalogs containing securables you want registered as Immuta data sources. * `USE SCHEMA` on all schemas containing securables you want registered as Immuta data sources. * [`MODIFY`](#user-content-fn-3)[^3] and `SELECT` on all securables you want registered as Immuta data sources. * Workspace admin on the workspace configured as the host for the integration. * Additional privileges are required for query audit: * `USE CATALOG` on the `system` catalog * `USE SCHEMA` on the `system.access` and `system.query` schemas * `SELECT` on the following system tables: * `system.access.table_lineage` * `system.access.column_lineage` * `system.access.audit` * `system.query.history` * **Databricks user to run the script to register the connection** with the following privileges: * [Metastore admin and account admin](#user-content-fn-4)[^4] * `CREATE CATALOG` privilege on the Unity Catalog metastore to create an Immuta-owned catalog and tables See the [Databricks documentation](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/privileges.html) for more details about Unity Catalog privileges and securable objects. #### **Prerequisites** * Unity Catalog [metastore created](https://docs.databricks.com/data-governance/unity-catalog/create-metastore.html) and attached to a Databricks workspace. * Unity Catalog enabled on your Databricks cluster or SQL warehouse. All SQL warehouses have Unity Catalog enabled if your workspace is attached to a Unity Catalog metastore. Immuta recommends linking a SQL warehouse to your Immuta tenant rather than a cluster for both performance and availability reasons. ## Step 1: Generate the script `POST` `/integrations/scripts/create` 1. Using the example request, update the **``** with your connection details. 2. Copy the `config` object to use later in the setup process. 3. Run the request. 4. Copy the returned script and use it in the next step. Find descriptions of the editable attributes in the table below and of the full payload in the [Integration configuration payload reference guide](https://documentation.immuta.com/saas/developer-guides/integrations-api/reference-guides/integration-configuration-payload#databricks-unity-catalog-configuration-objects). {% tabs %} {% tab title="PAT" %}

curl -X 'POST' \
   'https://<your-immuta-url>/integrations/scripts/create' \
   -H 'accept: application/json' \
   -H 'Content-Type: application/json' \
   -H 'Authorization: <your-bearer-token>' \
   -d '{
   "type": "Databricks",
   "autoBootstrap": false,
   "config": {
     "workspaceUrl": "<www.your-workspace.cloud.databricks.com>",
     "httpPath": "<sql/protocolv1/o/0/your-path>",
     "authenticationType": "token",
     "token": "<service-principal-pat>",
     "catalog": "<new-catalog>",
     "groupPattern": { "deny": "<your-exemption-group>" },
     "audit": {"enabled": true}
   }
   }'

curl -X 'POST' \
   'https://<your-immuta-url>/integrations/scripts/create' \
   -H 'accept: application/json' \
   -H 'Content-Type: application/json' \
   -H 'Authorization: <your-bearer-token>' \
   -d '{
   "type": "Databricks",
   "autoBootstrap": false,
   "config": {
     "workspaceUrl": "<www.your-workspace.cloud.databricks.com>",
     "httpPath": "<sql/protocolv1/o/0/your-path>",
     "authenticationType": "oAuthM2M",
     "oAuthClientConfig": {
       "useCertificate": false,
       "clientId": "<your-client-ID>",
       "clientSecret": "<your-client-secret>",
       "scope": "all-apis",
       "authorityUrl": "<your.authority.com>"
     },
     "catalog": "<new-catalog>",
     "groupPattern": { "deny": "<your-exemption-group>" },
     "audit": {"enabled": true}
   }
   }'

{% hint style="warning" %} **Create a separate Immuta catalog for each Immuta tenant** If multiple Immuta tenants are connected to your Databricks environment, create a separate **Immuta catalog** for each of those tenants. Having multiple Immuta tenants use the same Immuta catalog causes failures in policy enforcement. {% endhint %} **Payload parameters** | Attribute | Description | Required | | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | | config.**workspaceUrl** `string` | Your Databricks workspace URL. | **Yes** | | config.**httpPath** `string` | The HTTP path of your Databricks cluster or SQL warehouse. | **Yes** | | config.**oAuthClientConfig** `object` | The `oAuthClientConfig` object represents your OAuth configuration in Databricks Unity Catalog. | **Yes** | | config.oAuthClientConfig.**clientId** `string` | The client identifier of the Immuta service principal you configured. This is the client ID displayed in Databricks when creating the client secret for the service principal. | **Yes** | | config.oAuthClientConfig.**clientSecret** `string` | [Client secret created for the Immuta service principal](https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html). | **Yes** | | config.oAuthClientConfig.**authorityUrl** `string` | Authority URL of your identity provider. | **Yes** | | config.**catalog** `string` | The name of the Databricks catalog Immuta will create to store internal entitlements and other user data specific to Immuta. This catalog will only be readable for the Immuta service principal and should not be granted to other users. The catalog name may only contain letters, numbers, and underscores and cannot start with a number. | **Yes** | | config.**groupPattern** `object` | This object allows you to exclude an account-level group in Databricks from data policies. See the [Databricks Unity Catalog group pattern object description](https://documentation.immuta.com/saas/developer-guides/api-intro/connection-registration-payloads-reference-guide#databricks-group-pattern-object) for details. | No | | config.**audit** `object` | This object enables Databricks Unity Catalog query audit. | No | | config.audit.**enabled** `boolean` | If `true`, Databricks Unity Catalog query audit is enabled. Set to `true` for the recommended configuration. | No | | {% endtab %} | | | | {% endtabs %} | | | ## Step 2: Run the script in Databricks Unity Catalog The previous step will return a script. Copy the script and run it in your Databricks Unity Catalog environment as a user with the privileges listed in [the requirements section](#requirements). The script will use the service principal that will authenticate using the authentication that you specified. Additionally, the script will create the catalog you specified. ## Step 3: Create the connection in Immuta {% hint style="warning" %} **Databricks Unity Catalog behavior** If you register a connection and a data object has no subscription policy set on it, Immuta will REVOKE access to the data in Databricks for all Immuta users, even if they had been directly granted access to the table in Unity Catalog. If you disable a Unity Catalog data source in Immuta, all existing grants and policies on that object will be removed in Databricks for all Immuta users. All existing grants and policies will be removed, regardless of whether they were set in Immuta or in Unity Catalog directly. If a user is not registered in Immuta, Immuta will have no effect on that user's access to data in Unity Catalog. See the [Databricks Unity Catalog reference guide](https://documentation.immuta.com/saas/configuration/integrations/databricks/databricks-unity-catalog/unity-catalog-overview#user-permissions-immuta-revokes) for more details about permissions Immuta revokes and how to configure this behavior for your connection. {% endhint %} `POST` `/data/connection` Copy the request and update the **``** with your connection details. Note that the connection details here should match the ones used when generating the script. Then submit the request. Find descriptions of the editable attributes in the table below and of the full payload in the [Databricks Unity Catalog connection payload table](https://documentation.immuta.com/saas/developer-guides/api-intro/connection-registration-payloads-reference-guide#databricks-unity-catalog-connection-object). All values should be included and those you should not edit are noted. {% hint style="info" %} **Test run** Opt to test and validate the create connection payload using a dry run: `POST` `/data/connection/test` {% endhint %} {% tabs %} {% tab title="PAT" %}

curl -X 'POST' \
   'https://<your-immuta-url>/data/connection' \
   -H 'accept: application/json' \
   -H 'Content-Type: application/json' \
   -H 'Authorization: <your-bearer-token>' \
   -d '{
   "connectionKey": "<your-connection-key-name>",
   "connection": {
     "technology": "Databricks",
     "hostname": "<www.your-workspace.cloud.databricks.com>",
     "port": <your-Databricks-port>,
     "httpPath": "<your-Databricks-warehouse-path>",
     "authenticationType": "token",
     "token": "<your-service-principal-pat>"
   },
   "settings": {
     "isActive": false
   },
   "options": {
     "forceRecursiveCrawl": true
   },
   "nativeIntegration": {
     "type": "Databricks",
     "autoBootstrap": false,
     "unityCatalog": true,
     "config": {
       "authenticationType": "token",
       "token": "<your-service-principal-pat>",
       "host": "<www.your-workspace.cloud.databricks.com>",
       "port": <your-Databricks-port>,
       "catalog": "<your-immuta-catalog>",
       "audit": { "enabled": true },
       "workspaceIds": ["<your-workspace>", <"another-workspace">],
       "groupPattern": { "deny": "<your-exemption-group>" },
       "jobConfig": {
         "workspaceDirectoryPath": "/Workspace/ImmutaArtifacts",
         "jobClusterId": "undefined"
       }
   }
   }'

Attribute	Description	Required
connectionKey `string`	A unique name for the connection. Avoid the use of periods (`.`) or restricted words in your connection key.	Yes
connection `object`	Configuration attributes that should match the values used when getting the script from the integration endpoint.	Yes
connection.technology `string`	The technology backing the new connection.	Yes
connection.hostname `string`	Your Databricks workspace URL. This is the same as `host` and `workspaceURL`.	Yes
connection.port `integer`	The port to use when connecting to your Databricks account.	Yes
connection.httpPath `string`	The HTTP path of your Databricks cluster or SQL warehouse.	Yes
connection.authenticationType `string`	The authentication type to register the connection. Make sure this auth type is the same used when requesting the script.	Yes
connection.token `string`	The Databricks personal access token for the service principal you created for Immuta.	Yes
settings `object`	Specifications of the connection's settings, including status.	No
settings.isActive `boolean`	When `false`, data objects will be inactive (disabled) by default when created in Immuta. Set to `false` for the recommended configuration. If you set this to `true` for a data object and it has no subscription policy set on it, Immuta will REVOKE access to the data in Databricks for all Immuta users, even if they had been directly granted access to the table in Unity Catalog. If a user is not registered in Immuta, Immuta will have no effect on that user's access to data in Unity Catalog. See the Databricks Unity Catalog reference guide for more details.	No
options `object`	Specification of the connection's default behavior for object crawls.	No
options.forceRecursiveCrawl `boolean`	If `false`, only active (enabled) objects will be crawled. If `true`, both active (enabled) and inactive (disabled) data objects will be crawled; any child objects from inactive (disabled) objects will be set as inactive (disabled). Set to `true` for the recommended configuration.	No
nativeIntegration `object`	Configuration attributes that should match the values used when getting the script from the integration endpoint.	Yes
nativeIntegration.type `string`	Same as `connection.technology`	Yes
nativeIntegration.autoBootstrap `boolean`	Use the same setting as the script generation.	Yes
nativeIntegration.unityCatalog `boolean`	Use the same setting as the script generation.	Yes
nativeIntegration.config.authenticationType `string`	Same as `connection.authenticationType`	Yes
nativeIntegration.config.token `string`	Same as `connection.token`	Yes
nativeIntegration.config.host `string`	Same as `connection.hostname`	Yes
nativeIntegration.config.port `integer`	Same as `connection.port`	Yes
nativeIntegration.config.catalog `string`	Use the same setting as the script generation.	Yes
nativeIntegration.config.audit `object`	Use the same setting as the script generation.	Yes
nativeIntegration.config.workspaceIds `array`	Use the same setting as the script generation.	No
nativeIntegration.config.groupPattern `object`	Use the same setting as the script generation.	No
nativeIntegration.config.jobConfig.workspaceDirectoryPath `string`	Use the same setting as the script generation.	No
nativeIntegration.config.jobConfig.jobClusterId `string`	Use the same setting as the script generation.	No

{% endtab %} {% tab title="M2M" %}

curl -X 'POST' \
   'https://<your-immuta-url>/data/connection' \
   -H 'accept: application/json' \
   -H 'Content-Type: application/json' \
   -H 'Authorization: <your-bearer-token>' \
   -d '{
   "connectionKey": "<your-connection-key-name>",
   "connection": {
     "technology": "Databricks",
     "hostname": "<www.your-workspace.cloud.databricks.com>",
     "port": <your-Databricks-port>,
     "httpPath": "<your-Databricks-warehouse-path>",
     "authenticationType": "oAuthM2M",
     "oAuthClientConfig": {
       "useCertificate": false,
       "clientId": "<your-client-ID>",
       "clientSecret": "<your-client-secret>",
       "scope": "all-apis",
       "authorityUrl": "<your.authority.com>"
     }
   },
   "settings": {
     "isActive": false
   },
   "options": {
     "forceRecursiveCrawl": true
   },
   "nativeIntegration": {
     "type": "Databricks",
     "autoBootstrap": false,
     "unityCatalog": true,
     "config": {
       "host": "<www.your-workspace.cloud.databricks.com>",
       "port": <your-Databricks-port>,
       "authenticationType": "oAuthM2M",
       "oAuthClientConfig": {
         "useCertificate": false,
         "clientId": "<your-client-ID>",
         "clientSecret": "<your-client-secret>",
         "scope": "all-apis",
         "authorityUrl": "<your.authority.com>"
       },
       "catalog": "<your-immuta-catalog>",
       "audit": { "enabled": true },
       "workspaceIds": ["<your-workspace>", <"another-workspace">],
       "groupPattern": { "deny": "<your-exemption-group>" },
       "jobConfig": {
         "workspaceDirectoryPath": "/Workspace/ImmutaArtifacts",
         "jobClusterId": "undefined"
       }
   }
   }'

Attribute	Description	Required
connectionKey `string`	A unique name for the connection. Avoid the use of periods (`.`) or restricted words in your connection key.	Yes
connection `object`	Configuration attributes that should match the values used when getting the script from the integration endpoint.	Yes
connection.technology `string`	The technology backing the new connection.	Yes
connection.hostname `string`	Your Databricks workspace URL. This is the same as `host` and `workspaceURL`.	Yes
connection.port `integer`	The port to use when connecting to your Databricks account.	Yes
connection.httpPath `string`	The HTTP path of your Databricks cluster or SQL warehouse.	Yes
connection.authenticationType `string`	The authentication type to register the connection. Make sure this auth type is the same used when requesting the script.	Yes
connection.oAuthClientConfig `object`	The `oAuthClientConfig` object represents your OAuth configuration in Databricks Unity Catalog.	Yes
connection.oAuthClientConfig.clientId `string`	The client identifier of the Immuta service principal you configured. This is the client ID displayed in Databricks when creating the client secret for the service principal.	Yes
connection.oAuthClientConfig.clientSecret `string`	Client secret created for the Immuta service principal.	Yes
connection.oAuthClientConfig.authorityUrl `string`	Authority URL of your identity provider.	Yes
settings `object`	Specifications of the connection's settings, including status.	No
settings.isActive `boolean`	When `false`, data objects will be inactive (disabled) by default when created in Immuta. Set to `false` for the recommended configuration. If you set this to `true` for a data object and it has no subscription policy set on it, Immuta will REVOKE access to the data in Databricks for all Immuta users, even if they had been directly granted access to the table in Unity Catalog. If a user is not registered in Immuta, Immuta will have no effect on that user's access to data in Unity Catalog. See the Databricks Unity Catalog reference guide for more details.	No
options `object`	Specification of the connection's default behavior for object crawls.	No
options.forceRecursiveCrawl `boolean`	If `false`, only active (enabled) objects will be crawled. If `true`, both active (enabled) and inactive (disabled) data objects will be crawled; any child objects from inactive (disabled) objects will be set as inactive (disabled). Set to `true` for the recommended configuration.	No
nativeIntegration `object`	Configuration attributes that should match the values used when getting the script from the integration endpoint.	Yes
nativeIntegration.type `string`	Same as `connection.technology`	Yes
nativeIntegration.autoBootstrap `boolean`	Use the same setting as the script generation.	Yes
nativeIntegration.unityCatalog `boolean`	Use the same setting as the script generation.	Yes
nativeIntegration.config.authenticationType `string`	Same as `connection.authenticationType`	Yes
nativeIntegration.config.oAuthClientConfig `object`	Same as `connection.oAuthClientConfig`	Yes
nativeIntegration.config.host `string`	Same as `connection.hostname`	Yes
nativeIntegration.config.port `integer`	Same as `connection.port`	Yes
nativeIntegration.config.catalog `string`	Use the same setting as the script generation.	Yes
nativeIntegration.config.audit `object`	Use the same setting as the script generation.	Yes
nativeIntegration.config.workspaceIds `array`	Use the same setting as the script generation.	No
nativeIntegration.config.groupPattern `object`	Use the same setting as the script generation.	No
nativeIntegration.config.jobConfig.workspaceDirectoryPath `string`	Use the same setting as the script generation.	No
nativeIntegration.config.jobConfig.jobClusterId `string`	Use the same setting as the script generation.	No

{% endtab %} {% endtabs %} ### Response schema | Attribute | Description | | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **objectPath** `string` | The list of names that uniquely identify the path to a data object in the remote platform's hierarchy. The first element should be the associated `connectionKey`. | | **bulkId** `string` | A bulk ID that can be used to search for the status of background jobs triggered by this request. | #### Example response ``` { "objectPath": [''], "bulkId": "a-new-uuid" } ``` ## Setting up the required Databricks service principal If you need instruction for setting up your Databricks service principal **before registering your connection**, see the steps below. ### Creating the Databricks service principal In Databricks, [create a service principal](https://docs.databricks.com/aws/en/admin/users-groups/manage-service-principals) with the privileges listed below. Immuta uses this service principal continuously to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks. * `USE CATALOG` and `MANAGE` on all catalogs containing securables you want registered as Immuta data sources. * `USE SCHEMA` on all schemas containing securables you want registered as Immuta data sources. * `MODIFY` and `SELECT` on all securables you want registered as Immuta data sources. *The* `MODIFY` *privilege is not required for materialized views registered as Immuta data sources, since* `MODIFY` *is not a supported privilege on that object type in* [*Databricks*](https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges#privilege-types-by-securable-object-in-unity-catalog)*.* * [Workspace admin permissions](https://docs.databricks.com/aws/en/admin/users-groups/manage-service-principals#assign-the-workspace-admin-role-to-a-service-principal) (If your service principal is a regular user in Databricks and not an actual service principal in Databricks, follow the guidance for [managing users in Databricks documentation](https://docs.databricks.com/aws/en/admin/users-groups/users#assign-the-workspace-admin-role-to-a-user) to grant this user the workspace admin permission.) {% hint style="info" %} `MANAGE` and `MODIFY` are required so that the service principal can apply row filters and column masks on the securable; to do so, the service principal must also have `SELECT` on the securable as well as `USE CATALOG` on its parent catalog and `USE SCHEMA` on its parent schema. Since privileges are inherited, you can grant the service principal the `MODIFY` and `SELECT` privilege on all catalogs or schemas containing Immuta data sources, which automatically grants the service principal the `MODIFY` and `SELECT` privilege on all current and future securables in the catalog or schema. The service principal also inherits `MANAGE` from the parent catalog for the purpose of applying row filters and column masks, but that privilege must be set directly on the parent catalog in order for grants to be fully applied. {% endhint %} See the [Databricks documentation](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/privileges.html) for more details about Unity Catalog privileges and securable objects. ### Configuring query audit privileges {% hint style="info" %} Audit is enabled by default on all Databricks Unity Catalog connections. If you need to turn audit off, set `audit` to `false` when generating the script and creating the connection. {% endhint %} [Grant the service principal access to the Databricks Unity Catalog system tables](https://docs.databricks.com/en/administration-guide/system-tables/index.html#grant-access-to-system-tables). For Databricks Unity Catalog audit to work, Immuta must have, at minimum, the following access. * `USE CATALOG` on the `system` catalog * `USE SCHEMA` on the `system.access` and `system.query` schemas * `SELECT` on the following system tables: * `system.access.table_lineage` * `system.access.column_lineage` * `system.access.audit` * `system.query.history` Access to system tables is governed by Unity Catalog. No user has access to these system schemas by default. To grant access, a user that is both a metastore admin and an account admin must grant `USE_SCHEMA` and `SELECT` privileges on the system schemas to the service principal. See [Manage privileges in Unity Catalog](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/index.html). [^1]: To learn more about connections in Immuta, see the [Connections section](https://documentation.immuta.com/saas/configuration/integrations/data-and-integrations/registering-a-connection/reference-guides/connections-overview). [^2]: A Databricks user authorized to create a Databricks service principal must create one for Immuta. This service principal is used continuously by Immuta to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks. [^3]: *The* `MODIFY` *privilege is not required for materialized views registered as Immuta data sources, since* `MODIFY` *is not a supported privilege on that object type in* [*Databricks*](https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/privileges#privilege-types-by-securable-object-in-unity-catalog)*.* [^4]: These privileges are required to enable query audit. See [Manage privileges in Unity Catalog](https://docs.databricks.com/en/data-governance/unity-catalog/manage-privileges/index.html) for details. [^5]: This must be `false`. [^6]: This must be `all-apis`. [^7]: Insert the values from the script generation here. [^8]: This must be `true`. [^9]: This must be `/Workspace/ImmutaArtifacts`. [^10]: This must be `undefined`. [^11]: Your display name cannot be any of the following words: `data`, `connection`, `object`, `crawl`, `search`, `settings`, `metadata`, `permission`, `sync`, `bulk`, and `upgrade`. [^12]: Must be `all-apis`.