Databricks dbfs restriction rules

Question

We need to ultimately limit the user to access databases and tables in the data tab.

By default what are the restrictions on dbfs folder? Do all users have access to them by default?

I have one workspace that I am seeing users are able to see the database under the data tab. Table access control is disabled in admin console

On the other workspace the users are NOT able to see the database under the data tab. Table access control is disabled in admin console

I am a bit confused on how the permissions work when table access control is disabled in admin console. Does it take access away from all folder in DBFS or just Filestore and user folder.

I have followed several links like but some basics are still not very clear.

https://docs.databricks.com/data/tables.html
https://docs.databricks.com/administration-guide/access-control/table-acl.html

https://learn.microsoft.com/en-us/azure/databricks/security/access-control/cluster-acl
https://learn.microsoft.com/en-us/azure/databricks/administration-guide/access-control/table-acl

Would really appreciate some help on this.

I have asked somewhat similar question in another post of mine and didnt get any answers on that.
Here is the link to my other post and if you can address that also, it be nice.

https://learn.microsoft.com/en-us/answers/questions/409471/databricks-restrict-access-to-users-for-data-1.html

Answer 1

Hello @Sarah C Benjamin ,

Thanks for the question and using MS Q&A platform.

By default, all users have access to all data stored in a cluster’s managed tables unless table access control is enabled for that cluster. Once table access control is enabled, users can set permissions for data objects on that cluster.

Table access control lets you programmatically grant and revoke access to your data using the Azure Databricks view-based access control model.

Table Access control feature is only available in High Concurrency mode and needs to be turned on so that users can limit access to their database objects (tables, views, functions, etc.) created on the shared cluster. In case of ADLS, we recommend restricting access using the AAD Credential Passthrough feature instead of Table Access Controls.

Does it take access away from all folder in DBFS or just File store and user folder?

Table access control lets you control access to securable objects like catalogs, databases, tables, views, and functions.

For more details, refer to Enable table access control for your workspace and Data object privileges.

Hope this helps. Do let us know if you any further queries.

---------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi @PRADEEPCHEEKATLA , @Sarah C Benjamin ,

Would say I'm facing the same concern as Sarah.

Does it take access away from all folder in DBFS or just File store and user folder?

We have multiple databases for different Clients. So one client should not see other clients data (No even know about existence of other client Databases) This is why we need Table ACLs.

The problem is that once we enable Table ACLs in a cluster, all our users loose all instructions/commands on DBFS locations. Including any access to mount point on external Storage (my case ADLS). I understand the need to secure tables DBFS locations, but it seems too restrictive to not allow any file operation on DBFS on any location.

Is there a workaround this restrictions? how would you suggest to have file access?

When Disabled ACLS (Standard Cluster)

When Enabled ACLS (High Concurrency Cluster)

Hope this adds more light into Sarah's concern.

Regards,
Emiliano