Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.
Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.
The rfa (Request for Access) command group within the Databricks CLI contains commands to enable users to request access for Unity Catalog securables. These commands provide a standardized way for securable owners (or users with MANAGE privileges) to manage access request destinations.
databricks rfa batch-create-access-requests
Create access requests for Unity Catalog permissions for a specified principal on a securable object. This Batch API can take in multiple principals, securable objects, and permissions as the input and returns the access request destinations for each. Principals must be unique across the API call.
The supported securable types are: metastore, catalog, schema, table, external_location, connection, credential, function, registered_model, and volume.
databricks rfa batch-create-access-requests [flags]
Options
--json JSON
The inline JSON string or the @path to the JSON file with the request body
Examples
The following example creates multiple access requests using JSON:
databricks rfa batch-create-access-requests --json '{"requests": [{"principal": "user@example.com", "securable_type": "catalog", "securable_full_name": "my_catalog", "permissions": ["USE_CATALOG", "USE_SCHEMA"]}]}'
The following example creates access requests using a JSON file:
databricks rfa batch-create-access-requests --json @access-requests.json
databricks rfa get-access-request-destinations
Get access request destinations for the specified securable. Any caller can see URL destinations or the destinations on the metastore. Otherwise, only those with BROWSE permissions on the securable can see destinations.
The supported securable types are: metastore, catalog, schema, table, external_location, connection, credential, function, registered_model, and volume.
databricks rfa get-access-request-destinations SECURABLE_TYPE FULL_NAME [flags]
Arguments
SECURABLE_TYPE
The type of the securable.
FULL_NAME
The full name of the securable.
Options
Examples
The following example gets access request destinations for a catalog:
databricks rfa get-access-request-destinations catalog my_catalog
The following example gets access request destinations for a table:
databricks rfa get-access-request-destinations table my_catalog.my_schema.my_table
databricks rfa update-access-request-destinations
Update the access request destinations for the given securable. The caller must be a metastore admin, the owner of the securable, or a user that has the MANAGE privilege on the securable in order to assign destinations.
Destinations cannot be updated for securables underneath schemas (tables, volumes, functions, and models). For these securable types, destinations are inherited from the parent securable. A maximum of 5 emails and 5 external notification destinations (Slack, Microsoft Teams, and Generic Webhook destinations) can be assigned to a securable. If a URL destination is assigned, no other destinations can be set.
The supported securable types are: metastore, catalog, schema, table, external_location, connection, credential, function, registered_model, and volume.
databricks rfa update-access-request-destinations UPDATE_MASK SECURABLE [flags]
Arguments
UPDATE_MASK
The field mask must be a single string, with multiple fields separated by commas (no spaces). The field path is relative to the resource object, using a dot (.) to navigate sub-fields (e.g., author.given_name). Specification of elements in sequence or map fields is not allowed, as only the entire collection field can be specified. Field names must exactly match the resource field names.
An asterisk (*) field mask indicates full replacement. It's recommended to always explicitly list the fields being updated and avoid using wildcards, as it can lead to unintended results if the API changes in the future.
SECURABLE
The securable for which the access request destinations are being modified or read.
Options
--json JSON
The inline JSON string or the @path to the JSON file with the request body
Examples
The following example updates access request destinations for a catalog using JSON:
databricks rfa update-access-request-destinations "destinations" catalog:my_catalog --json '{"destinations": [{"email": "admin@example.com"}]}'
The following example updates access request destinations using a JSON file:
databricks rfa update-access-request-destinations "destinations" catalog:my_catalog --json @destinations.json
Global flags
--debug
Whether to enable debug logging.
-h or --help
Display help for the Databricks CLI or the related command group or the related command.
--log-file string
A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.
--log-format format
The log format type, text or json. The default value is text.
--log-level string
A string representing the log format level. If not specified then the log format level is disabled.
-o, --output type
The command output type, text or json. The default value is text.
-p, --profile string
The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified then if it exists, the profile named DEFAULT is used.
--progress-format format
The format to display progress logs: default, append, inplace, or json
-t, --target string
If applicable, the bundle target to use