🛡️ Unity Catalog Access Control

Four Layers of Access Control

Unity Catalog uses complementary layers that work together to enforce secure, fine-grained access across your data environment.

📖 Official Access Control Documentation
↓ Scroll to explore each layer

Query Arrives

A user or service principal sends a query to access data in Unity Catalog.

UC evaluates four complementary layers before returning any data. Each layer answers a different question.

1

Workspace Restrictions

WHERE can users access data?

Workspace bindings limit which workspaces can access specific catalogs, external locations, and storage credentials.

  • Restrict production data to production workspaces
  • Isolate environments (dev, staging, prod)
  • Overrides user-level permissions
2

Privileges & Ownership

WHO can access WHAT?

GRANTs on securable objects control baseline access.

  • GRANT SELECT ON TABLE
  • Hierarchical: catalog → schema → table
  • Owners have full control
  • Explicit: no access without GRANT
3

ABAC Policies

WHAT data based on tags?

Attribute-based policies use governed tags to dynamically enforce access at scale.

  • Define once → apply to 1000s of tables
  • Tag-driven: sensitivity=high
  • UDFs for filters/masks
  • Recommended for centralized governance
4

Table-Level Filtering

WHAT rows/columns within tables?

Row filters, column masks, and dynamic views control data visibility at query time.

  • Row filters: WHERE owner = current_user()
  • Column masks: CASE WHEN is_member() THEN VALUE
  • Dynamic views: SQL-based logic
  • Use when per-table logic needed

Governed Data Returned

All four layers evaluate in sequence. The user receives fully governed data:

  • ✓ Workspace access verified
  • ✓ Privileges checked
  • ✓ ABAC policies enforced
  • ✓ Rows filtered, columns masked
  • ✓ All actions audited
🏢
Layer 1: Workspace Restrictions
WHERE can they access? (workspace bindings)
🔐
Layer 2: Privileges & Ownership
WHO can access WHAT? (GRANTs)
🏷️
Layer 3: ABAC Policies
WHAT data based on tags? (governed tags + UDFs)
🔍
Layer 4: Table-Level Filtering
WHAT rows/columns? (filters, masks, views)
Governed Data Returned
Secure, audited, compliant

The Four Layers

1. Workspace Restrictions

Question: WHERE can they access?

  • Workspace bindings on catalogs
  • External location restrictions
  • Environment isolation

2. Privileges & Ownership

Question: WHO can access WHAT?

  • GRANTs (SELECT, MODIFY, etc.)
  • Object ownership
  • Hierarchical inheritance

3. ABAC Policies

Question: WHAT data based on tags?

  • Governed tags + policies
  • Centralized, scalable governance
  • Dynamic enforcement via UDFs

4. Table-Level Filtering

Question: WHAT rows/columns?

  • Row filters (current_user)
  • Column masks (is_member)
  • Dynamic views
← Back to AI Governance 📄 View Full Docs on GitHub