
Prerequisites

Complete the following prerequisites:

  1. Add Databricks as an Identity Security Cloud source where your deployment requires it.
  2. Before you can use Data Access Security to analyze your data in Databricks, make sure your Databricks account has a working workspace that is already attached to the metastore you want to govern. The connector reads metadata through that workspace, so a metastore with no attached workspace cannot be crawled.
  3. Create a service principal (or reuse the one aligned with your Identity Security Cloud Databricks source, if your policy allows) and generate an OAuth secret for it. Databricks shows the client secret only once, at creation time, so save the client ID and client secret for the connection configuration.
  4. Assign the service principal to the target workspace with the User permission so that the workspace-level Databricks APIs accept the connector's token.
  5. Grant the service principal the Databricks privileges needed to read metadata and permissions for each in-scope catalog.
  6. When you add the connection in Data Access Security, you will enter the Cloud Type, Authentication Type, Grant Type, Client ID, Client Secret, Account ID, Metastore ID, and Workspace ID on the connection details step.

Authentication

Data Access Security authenticates to Databricks with the OAuth 2.0 client credentials grant (machine-to-machine, M2M) using a service principal. On Azure Databricks, you can use either Databricks M2M or Microsoft Entra authentication; on AWS, use Databricks M2M. In both cases the Grant Type is Client Credentials, and no user account or personal access token is involved.

Service Principal Setup

Complete the following steps to set up the service principal:

  1. Configure a dedicated service principal for Data Access Security (or reuse the principal from your Identity Security Cloud Databricks source, if your policy allows).
  2. In the Databricks account console, create or select the service principal, generate an OAuth secret for it (client ID and client secret), and assign it the Account admin role:
    1. Select the service principal.
    2. Open Roles.
    3. Select Assign and then select Account admin.
    4. Select Save.
  3. Assign the service principal to the workspace attached to your metastore.
  4. Grant the Databricks privileges that let the principal discover the catalogs, schemas, and data objects you want governed, and read the grants on those securables for permission collection.

Important

Databricks is privilege-aware: the connector only sees the metadata and grants for objects the service principal can itself access. Catalogs or objects on which the principal lacks sufficient privileges are silently omitted from crawl results rather than reported as errors, so an incomplete inventory usually means a missing grant, not a connector fault.

"Metastore Admin" is not required for typical read-only inventory and permission collection. Note, however, that the Account admin role assigned above is an account-wide administrative role, and the MANAGE privilege granted below lets the principal change grants on the catalog, so the client secret protects more than read access. Store it only in the Data Access Security connection configuration and rotate it as you would any administrative credential.

Run the following grants from a SQL warehouse or notebook as a user who can grant on these objects, substituting the service principal's client ID (its application ID, a UUID) wrapped in backticks. The system catalog grants give the principal access to the metastore's own metadata tables, which is where grants are read from:

-- System catalog: metadata and grants live in information_schema
GRANT USE CATALOG ON CATALOG system TO `<client-id>`;
GRANT USE SCHEMA ON SCHEMA system.information_schema TO `<client-id>`;
GRANT SELECT ON SCHEMA system.information_schema TO `<client-id>`;
-- Classification results, if Databricks data classification is in use
GRANT SELECT ON TABLE system.data_classification.results TO `<client-id>`;

For each in-scope catalog, grant the following. USE SCHEMA granted at catalog level applies to every schema in the catalog, and MANAGE is what allows the principal to read all grants on the catalog's securables:

GRANT USE CATALOG ON CATALOG <your_catalog> TO `<client-id>`;
GRANT USE SCHEMA ON CATALOG <your_catalog> TO `<client-id>`;
GRANT MANAGE ON CATALOG <your_catalog> TO `<client-id>`;
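The following script ties the authentication and grant steps above together: it performs the client-credentials token exchange the connector uses, then checks a principal's catalog-level grants against the set this page requires and emits the missing GRANT statements, which is the quickest way to explain a catalog that is silently absent from a crawl. It is an added example, not SailPoint's or Databricks' code. It assumes the AWS account-level token endpoint https://accounts.cloud.databricks.com/oidc/accounts/<account-id>/v1/token (Azure uses accounts.azuredatabricks.net, and a workspace-level token comes from https://<workspace-host>/oidc/v1/token), that grant rows follow the column layout of system.information_schema.catalog_privileges with underscore-style privilege_type values (USE_CATALOG, USE_SCHEMA, MANAGE), and that the client ID and grant rows at the bottom are constructed sample data. The transport is injectable so the flow can be exercised without network access.

```python
"""Databricks M2M token exchange plus a pre-crawl catalog privilege check.

Added example (not SailPoint or Databricks code). Assumptions are noted
inline; SAMPLE_* values are constructed, not real.
"""
import base64
import json
import urllib.parse
import urllib.request

# Assumed AWS account-level OIDC token endpoint for the client-credentials grant.
ACCOUNT_TOKEN_URL = "https://accounts.cloud.databricks.com/oidc/accounts/{account_id}/v1/token"

# Catalog-level privileges this page grants for each in-scope catalog,
# spelled as system.information_schema reports them (assumed underscore form).
REQUIRED_CATALOG_PRIVILEGES = frozenset({"USE_CATALOG", "USE_SCHEMA", "MANAGE"})


def build_token_request(account_id, client_id, client_secret):
    """Return (url, headers, body) for the OAuth 2.0 client-credentials grant.

    Databricks M2M authenticates the client with HTTP Basic auth
    (client_id:client_secret) and expects scope=all-apis in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": "all-apis"}
    ).encode()
    return ACCOUNT_TOKEN_URL.format(account_id=account_id), headers, body


def _http_post(url, headers, body):
    """Default transport: a real HTTPS POST returning (status, raw_body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def fetch_token(account_id, client_id, client_secret, transport=_http_post):
    """Exchange the service principal's secret for a bearer token.

    Returns (access_token, expires_in_seconds). A non-200 status or a payload
    without a bearer access_token raises instead of returning a bogus token."""
    url, headers, body = build_token_request(account_id, client_id, client_secret)
    status, raw = transport(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    payload = json.loads(raw)
    if payload.get("token_type", "").lower() != "bearer" or not payload.get("access_token"):
        raise RuntimeError("token response missing bearer access_token")
    return payload["access_token"], int(payload.get("expires_in", 0))


def missing_catalog_privileges(in_scope, grant_rows, client_id):
    """Compare the grants a principal holds against the page's required set.

    grant_rows mimic system.information_schema.catalog_privileges rows
    (catalog_name, grantee, privilege_type). Because Databricks is
    privilege-aware, any catalog returned here will be missing from a crawl.
    Returns {catalog_name: [missing privilege_type, ...]}."""
    held = {}
    for row in grant_rows:
        if row["grantee"] == client_id:
            held.setdefault(row["catalog_name"], set()).add(row["privilege_type"])
    missing = {}
    for catalog in in_scope:
        gap = REQUIRED_CATALOG_PRIVILEGES - held.get(catalog, set())
        if gap:
            missing[catalog] = sorted(gap)
    return missing


def grant_statements(missing, client_id):
    """Render remediation GRANTs in the page's form (identifiers in backticks)."""
    return [
        f"GRANT {priv.replace('_', ' ')} ON CATALOG `{catalog}` TO `{client_id}`;"
        for catalog, privs in sorted(missing.items())
        for priv in privs
    ]


# Constructed sample data: a made-up client ID and catalog_privileges rows.
# "finance" is fully granted, "hr" is partial, "sales" has no grants at all.
SAMPLE_CLIENT_ID = "8c1a6c4e-0000-4000-8000-000000000001"
SAMPLE_GRANT_ROWS = [
    {"catalog_name": "finance", "grantee": SAMPLE_CLIENT_ID, "privilege_type": "USE_CATALOG"},
    {"catalog_name": "finance", "grantee": SAMPLE_CLIENT_ID, "privilege_type": "USE_SCHEMA"},
    {"catalog_name": "finance", "grantee": SAMPLE_CLIENT_ID, "privilege_type": "MANAGE"},
    {"catalog_name": "hr", "grantee": SAMPLE_CLIENT_ID, "privilege_type": "USE_CATALOG"},
    {"catalog_name": "hr", "grantee": "another-principal", "privilege_type": "MANAGE"},
]

if __name__ == "__main__":
    gaps = missing_catalog_privileges(["finance", "hr", "sales"], SAMPLE_GRANT_ROWS, SAMPLE_CLIENT_ID)
    for stmt in grant_statements(gaps, SAMPLE_CLIENT_ID):
        print(stmt)
```

Against a live metastore you would feed missing_catalog_privileges the result of a query such as SELECT catalog_name, grantee, privilege_type FROM system.information_schema.catalog_privileges, run with the bearer token from fetch_token; the script deliberately reports only gaps for the principal's own grantee so that privileges held by other principals (the "hr" MANAGE row above) do not mask a missing grant.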
