🎯 Authentication Decision Guide

Quick Decision Guide

Walk through the key questions to determine which authentication pattern fits your use case.


First Question

Is there a user logged in?

Think about who or what is making the request. Is it a human user interacting with the system, or an automated job/workflow?

A. No User — Automated Job

If it's a scheduled job, CI/CD pipeline, or background process, there's no user identity.

→ Use Pattern 1: Service Principal

The service principal has fixed permissions that apply to every execution.

B. Yes, a User Is Logged In — Next Question

If a user is logged in, we need to ask:

Should each user see different data?

Do you need row-level security, user-specific filtering, or per-user audit trails?

C. Yes — Per-User Access

If users need personalized data access:

→ Use Pattern 2: On-Behalf-Of-User (OBO)

Unity Catalog row filters use current_user() to show each user only their data.
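The row filter mentioned above, as an added example that is not from the original page. The catalog, schema, table, column and group names (`main.sales.orders`, `owner_email`, `data_admins`) are assumed; the comments note why the same filter behaves differently under Pattern 1 and Pattern 2.

```sql
-- Added example: a Unity Catalog row filter keyed on current_user().
-- Table, column and group names are assumed, not taken from the page.

-- Constructed sample table: each row records the user it belongs to.
CREATE TABLE IF NOT EXISTS main.sales.orders (
  order_id    BIGINT,
  owner_email STRING,
  amount      DECIMAL(10, 2)
);

-- Row filter function: a row is visible only to its owner, unless the
-- caller belongs to the (assumed) account-level admin group.
CREATE OR REPLACE FUNCTION main.sales.orders_owner_filter(owner_email STRING)
RETURN is_account_group_member('data_admins') OR current_user() = owner_email;

-- Attach the filter; the ON clause binds the table column to the parameter.
ALTER TABLE main.sales.orders
  SET ROW FILTER main.sales.orders_owner_filter ON (owner_email);

-- Column mask: non-admins see the amount rounded to the nearest 100,
-- admins see the exact value.
CREATE OR REPLACE FUNCTION main.sales.amount_mask(amount DECIMAL(10, 2))
RETURN CASE
  WHEN is_account_group_member('data_admins') THEN amount
  ELSE ROUND(amount, -2)
END;

ALTER TABLE main.sales.orders
  ALTER COLUMN amount SET MASK main.sales.amount_mask;

-- Check which identity the filter actually sees.
-- Pattern 2 (OBO): the query runs as the logged-in user, so
--   effective_identity is that user's email and only their rows are counted.
-- Pattern 1 (service principal): the query runs as the principal, so
--   current_user() is the principal and every caller gets the same rows,
--   which defeats the per-user intent of the filter.
SELECT current_user() AS effective_identity, COUNT(*) AS visible_rows
FROM main.sales.orders;
```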

D. Need External APIs?

Finally: Are you accessing external services?

If you need to call OpenAI, Salesforce, or other external APIs, you'll also need:

→ Add Pattern 3: Manual Credentials (via Databricks Secrets)

Decision tree:

User logged in?
  No (automated)          → Pattern 1: SP
  Yes (user present)      → Per-user data?
      No (same for all)   → Pattern 1: SP
      Yes (filter/mask)   → Pattern 2: OBO
Calling external APIs?    → + Pattern 3 (with Pattern 1 or 2)

Pattern Summary

Pattern 1: Service Principal

When: No user, automated jobs

  • Batch processing
  • CI/CD pipelines
  • Scheduled workflows
  • Same permissions every run

Pattern 2: OBO (User Auth)

When: User needs their own data

  • Genie Spaces (always OBO)
  • User-facing apps
  • Row-level security
  • Per-user audit trails

Pattern 3: Manual Credentials

When: External APIs needed

  • OpenAI, Anthropic APIs
  • SaaS integrations
  • Combined with Pattern 1 or Pattern 2
  • Secrets stored securely