Enable a workspace for Unity Catalog

This article explains how to enable a workspace for Unity Catalog by assigning a Unity Catalog metastore.

About enabling workspaces for Unity Catalog

Enabling Unity Catalog for a workspace means that:

  • Users in that workspace can potentially access the same data that users in other workspaces in your account can access, and data stewards can manage that data access centrally, across workspaces
  • Data access is audited automatically
  • Identity federation is enabled for the workspace, allowing admins to manage identities centrally using the account console and other account-level interfaces. This includes assigning users to workspaces.

To enable an Azure Databricks workspace for Unity Catalog, you assign the workspace to a Unity Catalog metastore. A metastore is the top-level container for data in Unity Catalog. Each metastore exposes a 3-level namespace (catalog.schema.table) by which data can be organized.

You can share a single metastore across multiple Azure Databricks workspaces in an account. Each linked workspace has the same view of the data in the metastore, and you can manage data access control across workspaces. You can create one metastore per region and attach it to any number of workspaces in that region.

Considerations before you enable a workspace for Unity Catalog

Before you enable a workspace for Unity Catalog, you should:

  • Understand the privileges of workspace admins in workspaces that are enabled for Unity Catalog, and review your existing workspace admin assignments.

    Workspace admins can manage operations for their workspace using the account console and account-level APIs. For example, they can use account-level interfaces to add users and service principals, assign them to their workspace, and give workspace admin privileges. While they cannot create account-level groups, they can give account-level groups access to workspaces.

  • Update any automation that has been configured to manage users, groups, and service principals, such as SCIM provisioning connectors and Terraform automation, so that they refer to account endpoints instead of workspace endpoints. See Account-level and workspace-level SCIM provisioning.

  • Be aware that enabling a workspace for Unity Catalog cannot be reversed. Once you enable the workspace, you will manage users, groups, and service principals for this workspace using account-level interfaces.

Requirements

Before you can enable your workspace for Unity Catalog, you must have a Unity Catalog metastore configured for your Azure Databricks account. See Create a Unity Catalog metastore.

Enable your workspace for Unity Catalog

When you create a metastore, you are prompted to assign workspaces to that metastore, which enables those workspace for Unity Catalog. You can also enable workspaces for Unity Catalog when you create a new workspace, or by modifying an existing workspace.

To enable an existing workspace:

  1. As an account admin, log in to the account console.
  2. Click Data Icon Data.
  3. Click the metastore name.
  4. Click the Workspaces tab.
  5. Click Assign to workspaces.
  6. Select one or more workspaces. You can type part of the workspace name to filter the list.
  7. Click Assign.
  8. On the confirmation dialog, click Enable.

To enable Unity Catalog when you create a workspace:

  1. As an account admin, log in to the account console.
  2. Click Workspaces Icon Workspaces.
  3. Click the Enable Unity Catalog toggle.
  4. Select the Metastore.
  5. On the confirmation dialog, click Enable.
  6. Complete the workspace creation configuration and click Save.

When the assignment is complete, the workspace appears in the metastore’s Workspaces tab, and the metastore appears on the workspace’s Configuration tab.

Next steps

To remove a workspace’s access to data in a metastore, you can unlink the metastore from the workspace.

Warning

If you break the link between a workspace and a Unity Catalog metastore:

  • Users in the workspace will no longer be able to access data in the metastore.
  • You will break any notebook, query, or job that references the data managed in the metastore.
  1. As an account admin, log in to the account console.
  2. Click Data Icon Data.
  3. Click the metastore name.
  4. On the Workspaces tab, find the workspace you want to remove from the metastore.
  5. Click the three-button menu at the far right of the workspace row and select Remove from this metastore.
  6. On the confirmation dialog, click Unassign.

When the removal is complete, the workspace no longer appears in the metastore’s Workspaces tab.