Secure Unity Catalog Objects
The grant model: who, what, and where
A data analyst has been granted SELECT on the orders table, runs SELECT * FROM sales.finance.orders, and still gets a permission error. The fix reveals the whole model: reading a table in Unity Catalog needs three grants working together, not one.
Unity Catalog authorizes access by granting privileges on securable objects to principals. A securable is any object in the three-level namespace — a catalog, a schema, or a table, view, volume, or function inside a schema. A principal is a user, an account group, or a service principal (an identity for jobs and tools rather than a person, covered under machine identity below). The statement reads GRANT <privilege> ON <securable> TO <principal>, and REVOKE takes it away; the everyday privileges are SELECT (read a table or view), MODIFY (write), and CREATE TABLE (Manage privileges in Unity Catalog[1]). Prefer granting to a group over naming individuals: the principal is not limited to a single user, and group membership is far easier to keep correct as people join and leave.
The three grants the analyst actually needs are SELECT on the table, USE CATALOG on its parent catalog, and USE SCHEMA on its parent schema. USE CATALOG and USE SCHEMA are usage privileges: they grant traversal of the namespace so you can reach an object, but they expose no data by themselves. All three are required, and holding only SELECT is not enough — which is exactly why the query above failed (Unity Catalog permissions model[2]). This is deliberate: because only catalog and schema owners, or a user with MANAGE, can grant the USE privileges, a table owner cannot hand out access to their table beyond the boundary an administrator has drawn.
Privileges inherit downward. A privilege granted on a container object — a catalog or a schema — automatically applies to all of its current and future children. Grant SELECT on a catalog and the grantee can read every table in every schema it contains, present and future, still subject to the USE privileges (Unity Catalog permissions model[2]). One catalog-level grant can thus replace hundreds of table-level ones, which is why you set broad read access high in the hierarchy and reserve table-level grants for exceptions. Metastore-level grants are the exception that does not inherit: they control operations such as CREATE CATALOG, not access to data.
The figure below stacks the three levels and shows the grant each one needs before a query can read the table.
Ownership, MANAGE, and account-level identity
Being able to read an object and being able to control who else reads it are different powers, and Unity Catalog keeps them strictly apart. The rule in one line: only an object's owner, or a user with MANAGE, can grant on it; a plain SELECT holder cannot.
Every securable has exactly one owner, and the owner can be a user, a group, or a service principal (Unity Catalog permissions model[2]). The owner implicitly holds all privileges on the object, without any privilege being explicitly listed, and is the principal who can GRANT and REVOKE, ALTER, transfer ownership, and DROP it. Ownership moves with a single statement.
Reassign a table's owner to a group
ALTER TABLE mycatalog.myschema.orders OWNER TO `data-eng`;
Transferring to a group is the recommended pattern for shared objects: any group member can then administer the object, while data access still follows the group's own grants (Manage privileges in Unity Catalog[1]).
When a non-owner must administer an object without becoming the owner, grant the MANAGE privilege. MANAGE lets a principal grant and revoke privileges, drop the object, and even transfer its ownership, and on a container it cascades to child objects — it is close to ownership, not a lesser grant-only role. Two things still keep it short of ownership: a MANAGE holder is not automatically given the object's data privileges such as SELECT — they must grant those to themselves, which is the whole point of keeping the roles distinct — and, unlike an owner, they must hold USE CATALOG and USE SCHEMA on the parents to exercise MANAGE at all (Unity Catalog permissions model[2]). The line to remember is between a plain SELECT holder — who can read but neither grant nor drop — and a MANAGE holder or owner, who can administer the object.
One more distinction the exam probes: who the principals even are. Users, groups, and service principals in Unity Catalog are account-level identities, provisioned from Microsoft Entra ID — historically through SCIM provisioning, and now, by default for newer accounts, through automatic identity management with Entra ID as the source of record (Manage users, service principals, and groups[3]). Groups are managed once at the account level, never per workspace, and an account group must be assigned to a workspace through identity federation before it can be granted anything there. A grant therefore always targets an account-level principal federated into the workspace, not a group that lives only inside one workspace.
Column and row security beyond object grants
You have a sales_raw table with an email column and a total column. Analysts should see every row but never the raw email, auditors should see the email, and each regional manager should see only their own region's rows. A SELECT grant cannot express any of that, because a grant is all-or-nothing: it covers the entire table and every column. Trying to grant SELECT on only the non-sensitive columns is not a Unity Catalog capability; it would break SELECT * with a permission error rather than hide values. Fine-grained control is added as a layer on top of the base grant, and Unity Catalog offers four.
A dynamic view wraps a base table in a view whose SQL redacts or filters per caller. For column-level redaction, a CASE expression calls is_account_group_member(), returning the real value to members of an authorized group and a placeholder to everyone else.
Column redaction in a dynamic view
CREATE VIEW sales_redacted AS
SELECT
user_id,
CASE WHEN is_account_group_member('auditors') THEN email
ELSE 'REDACTED' END AS email,
region,
total
FROM sales_raw;
is_account_group_member() returns TRUE when the current user belongs to a named account-level group; Databricks recommends it over is_member(), which only checks workspace-local groups and should be avoided against Unity Catalog data (Create a dynamic view[4]). For row-level security, a WHERE predicate built from the caller's identity keeps only the rows that principal may see — is_account_group_member('managers') to lift a limit, or current_user() (equivalently session_user()) to match rows to the person running the query. When entitlements change often, move them into data: join the base table to a mapping table that records which principal or group may see which key values, so you adjust access by editing rows rather than rewriting the view (Row filters and column masks[5]). For any of this to hold, grant SELECT on the view and do not grant the base table, forcing every principal through the view.
The other two layers attach to the table itself instead of wrapping it in a view. A column mask is a SQL user-defined function (UDF) bound to a column with ALTER TABLE ... ALTER COLUMN ... SET MASK; it takes the column value and returns the original or a masked version (Row filters and column masks[5]). A row filter is a boolean SQL UDF bound to the table with ALTER TABLE ... SET ROW FILTER; rows for which it returns FALSE are dropped from results. Masks and filters travel with the table, so they hold no matter which query or downstream view reaches it — the advantage over a dynamic view, which only protects data accessed through that one view.
When the same rule must hold across many tables, reach for attribute-based access control (ABAC). An ABAC policy attaches at the catalog or schema level and applies a row filter or column mask automatically to any table or column carrying a governed tag, so newly tagged tables are covered with no per-table configuration (Attribute-based access control in Unity Catalog[6]). Databricks now recommends ABAC over per-table masks and filters when you need consistent, centrally-authored rules at scale.
The figure shows how one query is routed to different results by the caller's group membership.
Secrets: keep credentials out of code
A pipeline that connects to an external database needs a password, and the wrong move is to type it into the notebook. Databricks secrets store that value outside your code and hand it back only at runtime, redacted from output.
A secret scope is a named collection of secrets, and a secret is a key-value pair inside a scope. There are two scope types, and the distinction matters on Azure. An Azure Key Vault-backed scope maps a Databricks scope onto an Azure Key Vault, so the secrets actually live in Key Vault; it is a read-only interface from Databricks, meaning you create, update, and rotate the values in Azure Key Vault, never from Databricks (Secret management[7]). A Databricks-backed scope stores its secrets in an encrypted store that Databricks manages, and you write to it with the Databricks CLI or SDK. So if a question says the secret must be created and rotated in Azure, the answer is a Key Vault-backed scope, and remember you cannot write to it from Databricks.
Code reads a secret with the secrets utility rather than hardcoding it.
Read a secret in a notebook
password = dbutils.secrets.get(scope='sales-prod', key='db-password')
dbutils.secrets.get(scope, key) returns the value, and Databricks redacts it: any attempt to print the value, in a notebook cell or through a Spark configuration property, is replaced with the literal [REDACTED] so the secret cannot leak into output or logs (Secret management[7]). Redaction covers literal values only — it cannot stop a deliberate transformation of the secret — so treat it as a safety net, not the access control.
The access control is the scope ACL. Each secret scope carries per-principal permissions at three levels: READ, WRITE, and MANAGE. READ permits reading the secret values and listing the keys in the scope; WRITE adds creating and deleting secrets; MANAGE adds managing the scope's own permissions (Secret management[7]). A principal needs at least READ on the scope before dbutils.secrets.get returns anything. Because ACLs are set at the scope level, align a scope to a role or application and grant READ to the group that runs that workload.
Machine identity and Azure storage access
Two different non-human identities appear when a pipeline runs, and confusing them is a classic exam trap: the identity the job runs as is not the identity that reaches the storage account.
The job runs as a service principal — an identity created for tools, jobs, and CI/CD rather than a person. A service principal is granted Unity Catalog privileges exactly like a user, so an automated pipeline can authenticate and read data without depending on any individual's account (Service principals[8]). Configuring a Lakeflow Job to run as a service principal decouples it from its author: the job keeps working when that person leaves or loses access, and it can touch only the data the service principal itself has been granted. Service principals authenticate non-interactively with OAuth machine-to-machine (M2M) tokens — the principal presents its client ID (its application ID) and an OAuth secret and receives a short-lived access token, valid for one hour, that tools use on its behalf (OAuth machine-to-machine authorization[9]). Databricks recommends OAuth M2M over long-lived personal access tokens for automation.
Reaching the storage account is a separate mechanism. Unity Catalog governs cloud storage through two securables built on an Azure managed identity. First, an Access Connector for Azure Databricks is a first-party Azure resource carrying a system-assigned or user-assigned managed identity; you grant that identity a storage role such as Storage Blob Data Contributor on the ADLS Gen2 account, letting Databricks reach the storage with no keys stored anywhere (Connect to an ADLS Gen2 external location[10]). Second, you register that managed identity in Unity Catalog as a storage credential, and an external location then references the storage credential to govern reads and writes to a specific container path (an abfss:// URL). Managed identities are recommended over embedding storage account keys or SAS tokens precisely because Azure manages the credential and it never appears in notebook code or cluster configuration.
Now the trap, stated plainly: the managed identity authenticates the workspace to the underlying storage resource, while a service principal is a principal whose Unity Catalog privileges govern who may read the data. They are not interchangeable. A production pipeline usually uses both — it runs as a service principal that has SELECT on a table, and that table's files sit under an external location whose storage credential wraps an Access Connector managed identity. The figure traces that storage chain from the managed identity to the container path.
Exam-pattern recognition
Most questions on securing Unity Catalog objects turn on one distinction. Read the stem for the signal, then pick the answer that honors the stated constraint.
- A
SELECTgrant exists but the query still fails with a permission error: the principal is missingUSE CATALOGorUSE SCHEMAon the parents. All three grants are required to read a table. - Give one group read access to every table in a catalog, including future ones: grant at the catalog level and let inheritance carry it down, rather than enumerating tables.
- A privileged user must not be able to drop or re-grant a table: give them
SELECT(orMODIFY), not ownership orMANAGE. ASELECT/MODIFYholder can read or write but cannotDROPor re-grant the table;MANAGEand ownership both can, which is exactly why you withhold them here. - Hide a column from most users but not from auditors: a column mask (reused across tables) or a dynamic view with
CASEandis_account_group_member(); never a partial-column grant, which does not exist. - Show each regional manager only their own rows: a row filter, or a dynamic view with a
WHEREpredicate on the caller's identity; a mapping table when entitlements change often. - Apply the same masking rule automatically across many tables: an ABAC policy driven by a governed tag, not a separate per-table mask on each one.
- The secret must be rotated in Azure, not Databricks: an Azure Key Vault-backed secret scope, which is read-only from Databricks.
- Keep a scheduled job working after its author leaves: run the Lakeflow Job as a service principal that authenticates with OAuth M2M.
- Let Databricks read ADLS Gen2 with no keys in code: an Access Connector managed identity, registered as a storage credential and referenced by an external location.
- Managed identity versus service principal: the managed identity authenticates the storage resource; the service principal's Unity Catalog privileges govern data access.
Access-control granularity: the object grant and the four fine-grained layers
| Mechanism | What it scopes | How it is enforced | Choose when |
|---|---|---|---|
| Object GRANT (SELECT / MODIFY) | The whole table or view, every column | USE CATALOG + USE SCHEMA + the privilege on the securable | Whole-object access is the right granularity |
| Dynamic view | Columns and/or rows, per caller | CASE / WHERE calling is_account_group_member() or current_user() | One-off redaction; grant the view, withhold the base table |
| Column mask | One column's values, via a reusable UDF | A SQL UDF bound with ALTER TABLE ... SET MASK | The same masking logic must apply across many tables |
| Row filter | Which rows the query returns | A boolean SQL UDF bound with ALTER TABLE ... SET ROW FILTER | Row-level filtering that travels with the table itself |
| ABAC policy | Columns or rows matched by a governed tag | A policy attached at catalog or schema level, applied by tag | Consistent rules across many tables, applied automatically |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- GRANT assigns a privilege on a securable to a user, group, or service principal
Access to a Unity Catalog securable is granted with GRANT ON TO , where the principal can be a user, an account group, or a service principal, and REVOKE removes it; common privileges include SELECT, MODIFY, and CREATE.
Trap A principal is not limited to individual users; groups and service principals are equally valid grant targets and groups are preferred for manageability.
8 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named data-engineers must be able to create new tables inside an existing schema named bronze in a catalog named lakehouse, bu
- You have an Azure Databricks workspace enabled for Unity Catalog. A nightly Lakeflow job runs as a service principal named sp_ingest that already holds USE CATALOG on catalog1 and USE SCHEMA on catalo
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named data_engineers must be able to create new tables in the schema catalog1.staging. The group already holds USE CATALOG on
- You have an Azure Databricks workspace enabled for Unity Catalog. Thirty analysts in a growing team all need identical SELECT access to a set of tables in a catalog named sales, and team membership ch
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named contractors was previously granted the MODIFY privilege on a table named finance.ledger.Postings for a short-term projec
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named etl-writers needs to insert, update, and delete rows in a table named warehouse.staging.Loads. The group must NOT be abl
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named etl_writers has been granted SELECT and MODIFY on the table catalog2.raw.events, but their write jobs fail with a permis
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named contractors was previously granted SELECT on the table catalog1.hr.salaries. The contractors' engagement has ended, and
- Reading a table also requires USE CATALOG and USE SCHEMA on its parents
To query a table a principal needs SELECT on the table plus USE CATALOG on its catalog and USE SCHEMA on its schema; the USE privileges grant traversal of the three-level namespace but do not by themselves expose any data.
Trap SELECT on the table alone is insufficient; without USE CATALOG and USE SCHEMA on the parents the query fails with a permission error.
15 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named analysts has been granted SELECT on the table catalog1.finance.transactions, but when members run a query against catalo
- You have an Azure Databricks workspace enabled for Unity Catalog. The catalog sales contains several schemas. A group named emea_reporting must be able to read all current and future tables in the sal
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named enterprise contains several schemas, including one named hr that holds sensitive tables and another named logistics. A
- You have an Azure Databricks workspace enabled for Unity Catalog. A schema named catalog1.lake contains tables, views, and volumes, and more of each are added over time. A group named ds_team must be
- You have an Azure Databricks workspace enabled for Unity Catalog. An administrator wants a group named platform-readers to read every table in a catalog named datalake. The administrator granted SELEC
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named auditors has been granted USE CATALOG on a catalog named ops and USE SCHEMA on a schema named events, but running SELECT
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named finance contains a schema named reporting, which contains a table named GLBalances. A business analyst has been grante
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named etl-writers needs to insert, update, and delete rows in a table named warehouse.staging.Loads. The group must NOT be abl
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named crm contains a schema named marketing, which contains a table named Campaigns. A group named campaign-analysts current
- You have an Azure Databricks workspace enabled for Unity Catalog. A new group named auditors has no privileges anywhere in the metastore. The auditors must be able to run read-only queries against exa
- You have an Azure Databricks workspace enabled for Unity Catalog. A group named etl_writers has been granted SELECT and MODIFY on the table catalog2.raw.events, but their write jobs fail with a permis
- You have an Azure Databricks workspace enabled for Unity Catalog. Through a BROWSE grant on a catalog named sales, a group named regional-managers can see that a table named sales.emea.Revenue exists
- You have an Azure Databricks workspace enabled for Unity Catalog. You granted a group named support_team USE CATALOG on catalog1 and USE SCHEMA on catalog1.ops so they could navigate the namespace. Me
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named analytics contains dozens of schemas, and new schemas and tables are added every week. A group named bi_readers must b
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named research is expected to gain many new schemas over the coming year as new projects start. A group named research-reade
- A privilege granted on a catalog or schema is inherited by its child objects
Unity Catalog privileges are inherited down the object hierarchy, so a privilege granted on a catalog applies to all of its current and future schemas and tables, and a grant on a schema applies to its tables, views, and volumes.
7 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. The catalog sales contains several schemas. A group named emea_reporting must be able to read all current and future tables in the sal
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named enterprise contains several schemas, including one named hr that holds sensitive tables and another named logistics. A
- You have an Azure Databricks workspace enabled for Unity Catalog. A schema named catalog1.lake contains tables, views, and volumes, and more of each are added over time. A group named ds_team must be
- You have an Azure Databricks workspace enabled for Unity Catalog. An administrator wants a group named platform-readers to read every table in a catalog named datalake. The administrator granted SELEC
- You have an Azure Databricks workspace enabled for Unity Catalog. A new group named auditors has no privileges anywhere in the metastore. The auditors must be able to run read-only queries against exa
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named analytics contains dozens of schemas, and new schemas and tables are added every week. A group named bi_readers must b
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named research is expected to gain many new schemas over the coming year as new projects start. A group named research-reade
- Object owners and MANAGE control who can grant on a securable
In Unity Catalog the owner of a securable (a user, group, or service principal) implicitly holds all privileges on it and is the principal who can GRANT/REVOKE, ALTER, and DROP it; granting the MANAGE privilege lets a non-owner administer the object, including granting and revoking privileges and even dropping or transferring it, without being the owner, and ownership can be reassigned with ALTER OWNER TO.
Trap Holding SELECT is not enough to administer an object - only the owner or a MANAGE holder can grant, drop, or transfer it, and MANAGE differs from ownership only in that it is not automatically given the object's data privileges (it must self-grant SELECT).
- UC principals are account-level identities federated from Microsoft Entra ID
Users, groups, and service principals in Unity Catalog are account-level identities, typically provisioned from Microsoft Entra ID via SCIM; account groups must be assigned to a workspace through identity federation before they can be granted privileges there.
Trap Groups are managed at the account level, not per-workspace - grants target account-level principals federated to the workspace, not a workspace-local group.
- Object-level grants cover every column; column limits need a view, mask, or ABAC
A SELECT grant applies to the entire table securable and cannot be scoped to individual columns, so column-level access control is achieved by layering a view that exposes only permitted columns, a column mask, or an ABAC policy on top of the base grant.
Trap Granting SELECT on only the non-sensitive columns is not a Unity Catalog capability; it would break SELECT * with a permission error rather than hide values.
16 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. Business users query a reporting object named quarterly_report, which is a view built on several base tables and whose rep_commission
- You have an Azure Databricks workspace enabled for Unity Catalog. A table owner applied column masks to the ssn and salary columns of a table named hr.people so that a benefits_team group would see re
- You have an Azure Databricks workspace enabled for Unity Catalog. A single Delta table named payroll has a column named bank_account that must be redacted for most users. The masking logic is specific
- You have an Azure Databricks workspace enabled for Unity Catalog. You created a dynamic view named orders_secure that redacts the customer_ssn column for everyone except the account group compliance.
- You manage an Azure Databricks workspace that is enabled for Unity Catalog. A catalog named grid_ops contains a wide managed Delta table named asset_readings with 22 columns, several of which hold con
- You have an Azure Databricks workspace enabled for Unity Catalog. All analysts must be able to query every row of a single HR table named compensation, but the salary column must show a redacted value
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named finance contains a schema named ledger with a managed Delta table named gl_entries that has the columns entry_id, cost
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named lakehouse_prod contains more than 300 tables, and columns that hold personal data are labeled with a governed tag name
- You have an Azure Databricks workspace enabled for Unity Catalog. An external analytics vendor group named vendor_bi must run queries that return every row of a Unity Catalog table named telemetry.dev
- You have an Azure Databricks workspace enabled for Unity Catalog. You are defining a dynamic view over a table named sales_raw so that only members of the account-level group pii_readers can see the r
- You have a Unity Catalog metastore whose catalog named lakehouse contains more than 60 tables. Columns that hold personal data are labeled with a governed tag named pii. You need to mask every pii-tag
- You have an Azure Databricks workspace enabled for Unity Catalog. You are about to publish a dynamic view named marketing_secure that redacts several columns for users outside the account group market
- You have a Unity Catalog table named ops.tickets that is queried directly by several existing dashboards, and the object name cannot change. The table has a column named assignee_ssn. You need to ensu
- You have an Azure Databricks workspace enabled for Unity Catalog. In a dynamic view over a table named transactions, the card_number column (an integer) must return its real value only to members of t
- You have an Azure Databricks workspace enabled for Unity Catalog. Your data governance team currently masks sensitive columns by hand-building a dynamic view for each table. They now require a mechani
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named Sales1 contains a schema named crm with a table named Customers that has the columns customer_id, region, email, and s
- A dynamic view redacts columns per group with is_account_group_member in CASE
A dynamic view wraps a base table and uses CASE expressions calling is_account_group_member() so that members of an authorized group receive the real column value while all other callers receive NULL or a redacted literal.
16 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. You are writing a dynamic view over a Unity Catalog table and need the redaction logic to reveal a column only to users who belong to
- You have an Azure Databricks workspace enabled for Unity Catalog. Business users query a reporting object named quarterly_report, which is a view built on several base tables and whose rep_commission
- You have an Azure Databricks workspace enabled for Unity Catalog. You created a dynamic view named orders_secure that redacts the customer_ssn column for everyone except the account group compliance.
- You have a dynamic view that must reveal a salary column only to members of an account-level group named comp_admins that is defined in your Azure Databricks account and synced from Microsoft Entra ID
- You have an Azure Databricks workspace enabled for Unity Catalog. All analysts must be able to query every row of a single HR table named compensation, but the salary column must show a redacted value
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named finance contains a schema named ledger with a managed Delta table named gl_entries that has the columns entry_id, cost
- You have an Azure Databricks workspace enabled for Unity Catalog. A dynamic view named sales_redacted is defined as SELECT user_id, CASE WHEN is_account_group_member('auditors') THEN email ELSE 'REDAC
- You have an Azure Databricks workspace enabled for Unity Catalog. An external analytics vendor group named vendor_bi must run queries that return every row of a Unity Catalog table named telemetry.dev
- You have an Azure Databricks workspace enabled for Unity Catalog whose groups are all defined at the account level and synced from Microsoft Entra ID. A colleague built a dynamic view named claims_sec
- You have an Azure Databricks workspace enabled for Unity Catalog. You are defining a dynamic view over a table named sales_raw so that only members of the account-level group pii_readers can see the r
- You have a Unity Catalog metastore whose catalog named lakehouse contains more than 60 tables. Columns that hold personal data are labeled with a governed tag named pii. You need to mask every pii-tag
- You have a Unity Catalog table named crm.customers with a column named contact_phone. You need to expose a version of the table to the support group in which members of the onshore_agents group see th
- You have an Azure Databricks workspace enabled for Unity Catalog. You are about to publish a dynamic view named marketing_secure that redacts several columns for users outside the account group market
- You have a Unity Catalog table named ops.tickets that is queried directly by several existing dashboards, and the object name cannot change. The table has a column named assignee_ssn. You need to ensu
- You have a Unity Catalog table named billing.invoices with a column named card_number. You need to publish a single shared view to the analysts group in which members of fraud_team see the full card_n
- You have an Azure Databricks workspace enabled for Unity Catalog. In a dynamic view over a table named transactions, the card_number column (an integer) must return its real value only to members of t
- Grant the secure view and withhold the base table so users query only the view
For view-based access control you grant SELECT on the dynamic or restricted view and do not grant access to the underlying base table, forcing every principal through the view where the column and row rules are enforced.
- A dynamic view enforces row-level security with a caller-identity WHERE predicate
Row-level security through a dynamic view adds a WHERE predicate built from current_user() or is_account_group_member(), returning only the rows whose values match the querying principal, such as their own region or business unit.
23 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. A dynamic view named my_records enforces per-user row-level security with WHERE owner_email = current_user(). An automated Lakeflow jo
- You have an Azure Databricks workspace enabled for Unity Catalog that contains a managed Delta table named Transactions with a total column. Requirement: members of the account-level managers group mu
- You have an Azure Databricks workspace enabled for Unity Catalog. Catalog1 contains tables named Customers and Orders. A partner analyst group must query a single combined dataset of customer and orde
- You have an Azure Databricks workspace enabled for Unity Catalog. Users are organized into regional subgroups such as emea_west and emea_east, and those subgroups are themselves members of a parent ac
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named crm contains two managed Delta tables, Customers and Orders, that share a customer_id key; Orders carries a region col
- You have an Azure Databricks workspace enabled for Unity Catalog. An existing standard view named sales_summary aggregates data from several base tables. You must now restrict the rows of sales_summar
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Ledger has a business_unit column. The account-level group auditors must see every row, while each business-unit group m
- You have an Azure Databricks workspace enabled for Unity Catalog. You created a dynamic view named CustomersSecure over a base table named Customers; its predicate filters rows with is_account_group_m
- You have an Azure Databricks workspace enabled for Unity Catalog. A dynamic view named orders_secure correctly filters rows by the caller's region and reads from a base table named Orders. The analyst
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. Catalog1 contains a table named Sales that includes a region column. Regional analyst teams are organized int
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. A catalog named sales_cat contains a managed Delta table named Orders that includes a region column holding v
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Employees has a department column. Each department's managers must see only their own department's employee rows from th
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named CustomerContacts has region and email columns. You must expose a single governed object to an analyst group in which the
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A schema named finance contains a managed Delta table named Expenses that includes an owner_email column identifying the emplo
- You have an Azure Databricks workspace enabled for Unity Catalog. A dynamic view is defined as CREATE VIEW my_orders AS SELECT * FROM orders WHERE sales_rep_email = current_user(). The orders table st
- You have an Azure Databricks workspace enabled for Unity Catalog that contains a reporting view named SalesReport, which several BI dashboards already query. You need to add row-level security so each
- You manage an Azure Databricks workspace that was recently attached to a Unity Catalog metastore. A dynamic view named sales_secure filters rows with the predicate WHERE is_member('managers'), and the
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Sales carries a region column. Which regions each user may see is governed by a frequently changing entitl
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Customers has a region column and an email column. Requirements delivered through one object: analysts mus
- You have an Azure Databricks workspace enabled for Unity Catalog. A single managed Delta table named Sales holds data for five business units, each identified by a business_unit column and each mapped
- You have an Azure Databricks workspace enabled for Unity Catalog. You must expose a single curated dataset that combines columns from two governed tables to one executive group, restricted to only the
- You have an Azure Databricks workspace enabled for Unity Catalog. Catalog1 contains a table named Accounts with a column named account_owner that stores each sales rep's login email. Reps join and lea
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Cases has an assigned_agent column holding each support agent's login email. Each agent must see only the rows where ass
- Data-driven row-level security joins to an entitlement mapping table
A scalable row-level-security pattern joins the base table to a mapping table that records which principal or group may see which key values, so entitlement changes are made by editing data rather than by rewriting the view definition.
- An Azure Key Vault-backed secret scope exposes Key Vault secrets read-only
An Azure Key Vault-backed secret scope maps a Databricks secret scope onto an Azure Key Vault so notebooks can read its secrets; it is a read-only interface, meaning the secret values are created, updated, and rotated in Azure rather than in Databricks.
Trap A Key Vault-backed scope cannot be written from Databricks; secrets must be added and rotated in the Azure Key Vault itself.
13 questions test this
- Fabrikam has an Azure Databricks workspace enabled for Unity Catalog. Notebooks read credentials through an Azure Key Vault-backed secret scope named kv-scope that maps to the key vault KV1. A new pip
- You have an Azure Databricks workspace with an Azure Key Vault-backed secret scope named kv-scope that maps to a key vault named KV1. A database password stored in KV1 must be rotated regularly, and t
- Contoso, Inc. has an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. The security team requires that every credential used by production pipelines be created, updated, a
- You have an Azure Databricks workspace where a scheduled Lakeflow job reads an ADLS Gen2 account key from an Azure Key Vault-backed secret scope named kv-scope. Your security team just rotated that ke
- Contoso runs an Azure Databricks workspace named Workspace1 that reads a PostgreSQL password through an Azure Key Vault-backed secret scope named kv-scope, which maps to the key vault KV1. Security is
- Northwind's Azure Databricks workspace already uses Azure Key Vault-backed secret scopes for production. A development team now needs to create, update, and delete a handful of short-lived experiment
- Adventure Works runs two Azure Databricks workspaces, WS1 and WS2, that both connect to the same production database using the same password. The security team stores that password in a single Azure K
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. Your central security team must create, rotate, and audit the production database and storage credentials exc
- An administrator rotates a database credential by updating its value in the Azure Key Vault that backs an Azure Key Vault-backed secret scope in your workspace. A scheduled Lakeflow job reads the cred
- Litware's security team stores every production credential in an Azure Key Vault named KV1 and requires that all secret values be created, rotated, and audited only in Azure, never inside Databricks.
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A Structured Streaming notebook must read events from an Azure Event Hubs namespace, authenticating with a connection string t
- Your Azure Databricks workspace exposes credentials to notebooks through an Azure Key Vault-backed secret scope named kv-scope that maps to the key vault KV1. A legacy service account is being decommi
- You are configuring an Azure Databricks workspace to read credentials from an Azure Key Vault named KV1. When you try to create an Azure Key Vault-backed secret scope for KV1 from the workspace, the o
- dbutils.secrets.get reads a secret and Databricks redacts it from output
Code retrieves a secret with dbutils.secrets.get(scope, key) instead of hardcoding credentials, and Databricks automatically replaces any printed secret value with [REDACTED] so it cannot leak into notebook cell output or logs.
13 questions test this
- You have an Azure Databricks workspace named Workspace1 with an all-purpose cluster used by a data engineering team. A notebook on the cluster launches a third-party command-line ingestion tool that r
- You have an Azure Databricks cluster where a JDBC connector reads its password from a Spark configuration property at startup. The password is stored in a secret scope named jdbc-scope, and it must no
- You have an Azure Databricks workspace. A notebook connects to an Azure Data Lake Storage Gen2 account by using a storage account key that is currently written directly in a notebook cell. A security
- You maintain an Azure Databricks notebook that connects to an external PostgreSQL database with a JDBC read. The password is stored as the key db-pw in a secret scope named app-scope, and company poli
- You are building an Azure Databricks notebook that calls an external vendor REST API to pull reference data for a Lakeflow pipeline. The API bearer token is stored as the key api-token in a secret sco
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. Your central security team must create, rotate, and audit the production database and storage credentials exc
- A notebook in your Azure Databricks workspace must load a binary signing key that is stored as the secret key sign-key in a secret scope named crypto-scope. The value is raw bytes that are not valid U
- You have an Azure Databricks workspace with a secret scope named prod-scope that holds production credentials. A teammate assumes that because Databricks shows secrets as [REDACTED] in output, no one
- An administrator rotates a database credential by updating its value in the Azure Key Vault that backs an Azure Key Vault-backed secret scope in your workspace. A scheduled Lakeflow job reads the cred
- Litware's security team stores every production credential in an Azure Key Vault named KV1 and requires that all secret values be created, rotated, and audited only in Azure, never inside Databricks.
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A Structured Streaming notebook must read events from an Azure Event Hubs namespace, authenticating with a connection string t
- An analyst uses a SQL warehouse in your Azure Databricks workspace and runs a query that references a stored credential with the secret SQL function, for example SELECT secret('db-scope', 'db-pw'). Th
- A Lakeflow Jobs task in your Azure Databricks workspace must connect to several databases whose passwords are stored under different keys in a secret scope named db-scope. The task needs to discover t
- Secret access is governed by READ, WRITE, and MANAGE scope ACLs
Secret scope access control assigns per-scope ACLs at the READ, WRITE, and MANAGE levels, and a principal needs at least READ on the scope, which permits reading secret values and listing keys, before dbutils.secrets.get will succeed.
- A service principal is a non-human identity for automated data workloads
A service principal is an identity created for tools, jobs, and CI/CD rather than a person, and it is granted Unity Catalog privileges like any principal so automated pipelines can authenticate and access data without depending on an individual user's account.
22 questions test this
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a catalog named catalog1 with a schema named sales. You created a service principal named etl_sp to run an automat
- You have a CI/CD pipeline in Azure DevOps that deploys Databricks Asset Bundles to a workspace on every merge to the main branch. The pipeline runs unattended, with no interactive user present. Requir
- You have an Azure Databricks workspace that is enabled for Unity Catalog. Currently, several data engineers run production data-loading jobs under their own user accounts, so each engineer holds write
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A Lakeflow Spark Declarative Pipelines (SDP) pipeline named Pipeline1 publishes tables to a catalog. The engineer who created
- You have an external reporting application that connects to a Databricks SQL warehouse every hour to refresh dashboards. It runs as a background service with no interactive user. Requirements: the con
- You have an Azure Databricks workspace. You want to configure a production job to Run as an existing service principal named prod_sp that you did not create. When you edit the job's Run as field, prod
- Contoso, Inc. has an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. A GitHub Actions workflow deploys notebooks and Lakeflow Jobs to Workspace1 every night by authentic
- You have an Azure Databricks workspace that is enabled for Unity Catalog. While reviewing system logs, you notice an Azure Databricks-managed service principal that is performing background operations
- You have an Azure Databricks workspace that is enabled for Unity Catalog. Several unrelated production jobs currently all run as a single service principal that holds broad SELECT and MODIFY privilege
- You have a Lakeflow Declarative Pipeline in Azure Databricks that publishes several streaming tables to Unity Catalog. The pipeline currently runs as its author, who is leaving the company. Requiremen
- You have a Lakeflow Job that writes to a production catalog. The job currently runs as a lead engineer who happens to hold broad, workspace-wide Unity Catalog privileges. Requirements: the job must be
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A critical production Lakeflow Job named Job1 was created by an engineer and, by default, runs as that engineer, who is leavin
- You have a Lakeflow Job that must read from and write to an Azure Data Lake Storage Gen2 account. Access to that storage account is granted only to a specific service principal, not to any individual
- You need an automation identity for a scheduled job that must authenticate to Azure Databricks to run and must also authenticate directly to an Azure Data Lake Storage Gen2 account and an Azure Key Va
- You have an Azure Databricks workspace. An internally built scheduling application must call the Azure Databricks REST API on a recurring basis to start jobs and read run status. The application runs
- You have a Databricks service principal that a Lakeflow ingestion pipeline runs as. The pipeline fails with a permission error while reading its source table, catalog1.bronze.events. Requirements: the
- You manage Unity Catalog access for many automated pipelines in an Azure Databricks workspace, and each pipeline runs as its own service principal. Requirements: you want to grant one common set of re
- You have an Azure Databricks workspace. You are setting up an identity for an automated workload that must authenticate to Azure Databricks and, at the same time, authenticate directly to other Azure
- You have several production Lakeflow Jobs that fail intermittently. Investigation shows that each job runs as the user who created it, and every failure coincides with that user losing a Unity Catalog
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A nightly ETL job ingests data into Unity Catalog tables and currently authenticates by using a data engineer's personal acces
- You have a production Lakeflow Job that writes to a curated Gold table. Company policy states that no individual user may hold write access to production Gold tables, yet the job must write to them, a
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a production table named Orders. A nightly Lakeflow Job must update rows in Orders, but business analysts must kee
- Running a job as a service principal decouples it from a user account
Configuring a Lakeflow Job or pipeline to run as a service principal keeps it working when the original author leaves or loses access, and confines the job's data access to exactly the Unity Catalog privileges granted to that service principal.
16 questions test this
- You have an Azure Databricks workspace that is enabled for Unity Catalog. Currently, several data engineers run production data-loading jobs under their own user accounts, so each engineer holds write
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A Lakeflow Job named Job1 is configured to Run as a service principal named prod_sp, which has SELECT on a sensitive catalog.
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A Lakeflow Spark Declarative Pipelines (SDP) pipeline named Pipeline1 publishes tables to a catalog. The engineer who created
- You have an external reporting application that connects to a Databricks SQL warehouse every hour to refresh dashboards. It runs as a background service with no interactive user. Requirements: the con
- You have an Azure Databricks workspace. You want to configure a production job to Run as an existing service principal named prod_sp that you did not create. When you edit the job's Run as field, prod
- Contoso, Inc. has an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. A GitHub Actions workflow deploys notebooks and Lakeflow Jobs to Workspace1 every night by authentic
- You have an Azure Databricks workspace that is enabled for Unity Catalog. Several unrelated production jobs currently all run as a single service principal that holds broad SELECT and MODIFY privilege
- You have a Lakeflow Declarative Pipeline in Azure Databricks that publishes several streaming tables to Unity Catalog. The pipeline currently runs as its author, who is leaving the company. Requiremen
- You have a Lakeflow Job that writes to a production catalog. The job currently runs as a lead engineer who happens to hold broad, workspace-wide Unity Catalog privileges. Requirements: the job must be
- You have an Azure Databricks workspace. A scheduled Lakeflow Job must read from and write to an Azure Data Lake Storage Gen2 account whose access is controlled by a service principal. The job must acc
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A critical production Lakeflow Job named Job1 was created by an engineer and, by default, runs as that engineer, who is leavin
- You have a Lakeflow Job that must read from and write to an Azure Data Lake Storage Gen2 account. Access to that storage account is granted only to a specific service principal, not to any individual
- You have several production Lakeflow Jobs that fail intermittently. Investigation shows that each job runs as the user who created it, and every failure coincides with that user losing a Unity Catalog
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A nightly ETL job ingests data into Unity Catalog tables and currently authenticates by using a data engineer's personal acces
- You have a production Lakeflow Job that writes to a curated Gold table. Company policy states that no individual user may hold write access to production Gold tables, yet the job must write to them, a
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a production table named Orders. A nightly Lakeflow Job must update rows in Orders, but business analysts must kee
- Service principals authenticate with OAuth machine-to-machine tokens
A service principal authenticates non-interactively using OAuth machine-to-machine (M2M) tokens minted from its client ID and secret, which are the recommended automation credential in place of long-lived personal access tokens.
- An Access Connector managed identity authenticates the workspace to Azure storage
Resource access to ADLS Gen2 uses an Access Connector for Azure Databricks, a first-party Azure resource whose system- or user-assigned managed identity is granted a storage role such as Storage Blob Data Contributor, letting Databricks reach the storage account with no stored keys.
Trap A managed identity authenticates the underlying storage resource; a service principal instead represents a principal whose Unity Catalog privileges govern data access, not the storage connection.
20 questions test this
- You have several Azure Databricks Access Connectors and Azure resources that must all authenticate to storage under a single identity whose permissions and lifecycle stay consistent even if an individ
- Fabrikam has an Azure Databricks workspace enabled for Unity Catalog and a storage credential named cred_sales that wraps an Access Connector managed identity holding the Storage Blob Data Contributor
- You have an Azure Databricks workspace enabled for Unity Catalog and an Access Connector whose managed identity already has the Storage Blob Data Contributor role on an ADLS Gen2 account. You need Uni
- Contoso Ltd. has an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and must read and write Parquet files in an Azure Data Lake Storage Gen2 account named adlssales. A ju
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and an Azure Data Lake Storage Gen2 account named adlscore. You have created an Access Connector for Azure Dat
- You have an Azure Databricks workspace enabled for Unity Catalog. An Access Connector's managed identity has the Storage Blob Data Contributor role on an ADLS Gen2 account named adls1, which holds thr
- You have an Azure Databricks workspace enabled for Unity Catalog and one Access Connector for Azure Databricks whose managed identity can access two ADLS Gen2 containers named bronze and silver. You n
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and a new Azure Data Lake Storage Gen2 account named adls1. You need to allow Databricks to read from and writ
- You have an Azure Databricks workspace enabled for Unity Catalog. An engineer created a Microsoft Entra service principal, added it to a group, and granted the group SELECT on the external tables in a
- You have an Azure Databricks workspace enabled for Unity Catalog. Business analysts must query an external table whose files live in an ADLS Gen2 container that is already governed by an external loca
- You are setting up a new Azure Databricks environment that is enabled for Unity Catalog and must authenticate to a new Azure Data Lake Storage Gen2 account named adlscore with no stored keys, secrets,
- You are creating a new Unity Catalog metastore in Azure Databricks. The metastore's root storage will be an ADLS Gen2 container, and the metastore must authenticate to that container with no stored ac
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and an Azure Data Lake Storage Gen2 account named adls2. A junior engineer enabled a system-assigned managed i
- You have an Azure Databricks workspace enabled for Unity Catalog and an Access Connector for Azure Databricks whose managed identity will back a storage credential. You need Databricks to read, write,
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. You must let Workspace1 read and write data in an Azure Data Lake Storage Gen2 account named adlsprod. The so
- You have an Azure Databricks workspace enabled for Unity Catalog. A legacy notebook mounts an ADLS Gen2 container to /mnt/sales by using a Microsoft Entra service principal whose client secret is kept
- You have created an Access Connector for Azure Databricks and granted its managed identity the Storage Blob Data Contributor role on an ADLS Gen2 account. In your Unity Catalog metastore you now need
- You have an Azure Databricks workspace enabled for Unity Catalog. A storage credential holds an Access Connector's managed identity that has the Storage Blob Data Contributor role on an entire ADLS Ge
- You have an Azure Databricks workspace deployed in your own Azure virtual network (VNet injection). An ADLS Gen2 account named adlssecure is protected by a storage firewall that denies public network
- You have an Azure Databricks workspace enabled for Unity Catalog and a storage credential named cred1 that holds an Access Connector's managed identity with access to an ADLS Gen2 account. You need en
- A storage credential wraps the managed identity for an external location to use
In Unity Catalog the Access Connector's managed identity is registered as a storage credential, and an external location then references that credential to govern reads and writes to a specific ADLS Gen2 container path.
15 questions test this
- Fabrikam has an Azure Databricks workspace enabled for Unity Catalog and a storage credential named cred_sales that wraps an Access Connector managed identity holding the Storage Blob Data Contributor
- You have an Azure Databricks workspace enabled for Unity Catalog and an Access Connector whose managed identity already has the Storage Blob Data Contributor role on an ADLS Gen2 account. You need Uni
- Contoso Ltd. has an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and must read and write Parquet files in an Azure Data Lake Storage Gen2 account named adlssales. A ju
- You have an Azure Databricks workspace enabled for Unity Catalog. An Access Connector's managed identity has the Storage Blob Data Contributor role on an ADLS Gen2 account named adls1, which holds thr
- You have an Azure Databricks workspace enabled for Unity Catalog and one Access Connector for Azure Databricks whose managed identity can access two ADLS Gen2 containers named bronze and silver. You n
- You have an Azure Databricks workspace enabled for Unity Catalog and an Access Connector for Azure Databricks whose managed identity already holds the Storage Blob Data Contributor role on an ADLS Gen
- You have an Azure Databricks workspace enabled for Unity Catalog. You are scripting the setup that lets Unity Catalog govern a new ADLS Gen2 container path. You have already created an Access Connecto
- You have an Azure Databricks workspace enabled for Unity Catalog. An engineer created a Microsoft Entra service principal, added it to a group, and granted the group SELECT on the external tables in a
- You have an Azure Databricks workspace enabled for Unity Catalog. Business analysts must query an external table whose files live in an ADLS Gen2 container that is already governed by an external loca
- You are creating a new Unity Catalog metastore in Azure Databricks. The metastore's root storage will be an ADLS Gen2 container, and the metastore must authenticate to that container with no stored ac
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and an Azure Data Lake Storage Gen2 account named adls2. A junior engineer enabled a system-assigned managed i
- You have an Azure Databricks workspace enabled for Unity Catalog. A legacy notebook mounts an ADLS Gen2 container to /mnt/sales by using a Microsoft Entra service principal whose client secret is kept
- You have created an Access Connector for Azure Databricks and granted its managed identity the Storage Blob Data Contributor role on an ADLS Gen2 account. In your Unity Catalog metastore you now need
- You have an Azure Databricks workspace enabled for Unity Catalog. A storage credential holds an Access Connector's managed identity that has the Storage Blob Data Contributor role on an entire ADLS Ge
- You have an Azure Databricks workspace enabled for Unity Catalog and a storage credential named cred1 that holds an Access Connector's managed identity with access to an ADLS Gen2 account. You need en
- Managed identities are preferred over storage account keys or SAS tokens
Authenticating storage access through an Access Connector managed identity is recommended over embedding storage account keys or SAS tokens, because the credential is managed by Azure and is never exposed in notebook code or cluster configuration.
Also tested in
References
- Manage privileges in Unity Catalog
- Unity Catalog permissions model concepts
- Manage users, service principals, and groups
- Create a dynamic view
- Row filters and column masks
- Attribute-based access control in Unity Catalog
- Secret management
- Service principals
- Authorize service principal access to Azure Databricks with OAuth
- Connect to an Azure Data Lake Storage Gen2 (ADLS Gen2) external location