Pattern 2: How Databricks executes queries with the end user's identity, ensuring each user sees only their authorized data.
📖 OAuth U2M Documentation
Alice (alice@company.com) authenticates through your Identity Provider and accesses Genie Space.
Her user account and group memberships are provisioned into Databricks from Okta, Azure AD (now Microsoft Entra ID), or another IdP via SCIM; the login itself goes through SSO (SAML or OIDC), so Databricks never holds her password.
Genie validates Alice's session and requests a scoped access token from the Databricks OAuth server.
The token is short-lived (1 hour TTL) and is refreshed automatically before it expires, so no long-lived credential is stored or managed by hand.
Genie queries Unity Catalog as Alice. UC sees the request coming from her identity.
The function current_user() returns 'alice@company.com' — enabling per-user access control.
Unity Catalog applies row filters automatically: a SQL function bound to the table is evaluated on every query under the caller's identity, equivalent to
WHERE owner = current_user()
Column masks hide sensitive fields based on group membership, e.g. is_member('group'); because Unity Catalog groups live at the account level, is_account_group_member('group') is the check to use there. No app code changes needed.
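The row filter and column mask described above, written out as an added example in Databricks SQL (not code from the original page). The catalog, schema, table, column and group names are assumptions chosen for illustration:

```sql
-- Added example, not from the page. Assumes a table main.clinic.visits with
-- columns owner (STRING, the patient's email), ssn (STRING) and diagnosis (STRING),
-- and account-level groups clinic_admins and phi_readers. All names are hypothetical.

-- Row filter: a SQL UDF returning BOOLEAN. current_user() is resolved per query
-- under the calling user's identity, so Alice and Bob get different rows from
-- the same SELECT without any change to the query or the application.
CREATE OR REPLACE FUNCTION main.clinic.own_rows(owner STRING)
RETURNS BOOLEAN
RETURN owner = current_user() OR is_account_group_member('clinic_admins');

-- Column mask: a SQL UDF whose return type matches the column type. Members of
-- phi_readers see the full value; everyone else sees only the last four digits.
CREATE OR REPLACE FUNCTION main.clinic.mask_ssn(ssn STRING)
RETURNS STRING
RETURN CASE WHEN is_account_group_member('phi_readers') THEN ssn
            ELSE CONCAT('***-**-', RIGHT(ssn, 4)) END;

-- Bind both policies to the table. From here on Unity Catalog enforces them for
-- every reader, including Genie running as the end user.
ALTER TABLE main.clinic.visits SET ROW FILTER main.clinic.own_rows ON (owner);
ALTER TABLE main.clinic.visits ALTER COLUMN ssn SET MASK main.clinic.mask_ssn;

-- Check from a session authenticated as the end user: only that user's rows
-- come back, and ssn is masked unless the caller is in phi_readers.
SELECT current_user() AS me, owner, ssn, diagnosis
FROM main.clinic.visits;
```

Run the final SELECT once as Alice and once as Bob to confirm that each sees only their own rows. Note that is_account_group_member() is used rather than is_member(): the latter checks workspace-local groups, which Unity Catalog policies do not use.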
Alice receives only her authorized data. If Bob runs the same query, he sees his own data instead.
All access is logged under Alice's own email (not a service principal), which is what HIPAA, SOC 2 and GDPR audits need to attribute data access to a person.
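To verify the audit claim above, here is an added example query (not from the original page) against the Databricks system audit table, which records Unity Catalog events with the end user's identity. The email address and the seven-day window are illustrative:

```sql
-- Added example, not from the page. Queries the system.access.audit table,
-- which must be enabled for the workspace. user_identity.email is the end user
-- on whose behalf the request ran; request_params is a map whose keys depend
-- on the action (for example the securable's full name).
SELECT event_time,
       user_identity.email AS actor,
       action_name,
       request_params,
       response.status_code
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND event_date >= current_date() - INTERVAL 7 DAYS
  AND user_identity.email = 'alice@company.com'   -- hypothetical user
ORDER BY event_time DESC
LIMIT 100;
```

If the queries Genie ran show up here with actor equal to the end user rather than an application identity, on-behalf-of execution is working end to end.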
Each request carries the actual user's identity through the entire flow.
Unity Catalog row filters enforce per-user access without app code changes.
Every access is logged with the user's email for HIPAA, SOC 2 and GDPR audits.
Genie Space always uses OBO — no configuration needed.