ABAC_POLICY_DEFINITIONS

Applies to: check marked yes Databricks SQL check marked yes Databricks Runtime check marked yes Unity Catalog only

Important

This feature is in Public Preview.

INFORMATION_SCHEMA.ABAC_POLICY_DEFINITIONS returns one row per attribute-based access control (ABAC) policy attached to a securable object in the local catalog. Each row contains the policy definition, including its scope, policy type, target conditions, applicable principals, and the condition used to enforce the policy. This view returns the same policy details as DESCRIBE POLICY for every policy in the catalog.

You can see only policies for which you have MANAGE on the catalog, schema, or table where the policy is attached. This matches the access pattern of DESCRIBE POLICY.

This relation is an extension of the SQL Standard Information Schema.

Definition

The ABAC_POLICY_DEFINITIONS relation contains the following columns:

Name Data type Nullable Description
POLICY_ID STRING No Unique identifier of the policy.
POLICY_NAME STRING No Name of the policy.
POLICY_TYPE STRING No The policy type. For example, ROW_FILTER, COLUMN_MASK, or GRANT (Beta).
CATALOG_NAME STRING Yes Name of the catalog the policy is attached to, or that contains the schema or table the policy is attached to.
SCHEMA_NAME STRING Yes Name of the schema the policy is attached to, or that contains the table the policy is attached to. NULL for catalog-attached policies.
SECURABLE_NAME STRING Yes Name of the securable object the policy is attached to. NULL for catalog-attached and schema-attached policies.
ON_SECURABLE_TYPE STRING No Type of the securable object the policy is attached to. For example, CATALOG, SCHEMA, TABLE, or MODEL.
TO_PRINCIPALS ARRAY<STRING> No Principals (users, groups, or service principals) the policy applies to. Empty array [] when none are set.
EXCEPT_PRINCIPALS ARRAY<STRING> No Principals excluded from policy application. Empty array [] when none are excluded.
FOR_SECURABLE_TYPE STRING No Type of the securable object the policy targets when evaluated. For example, TABLE.
PRIVILEGES ARRAY<STRING> Yes Privileges granted by the policy. NULL for ROW_FILTER and COLUMN_MASK policies.
WHEN_CONDITION STRING Yes Conditional expression under which the policy applies. For example, a boolean expression that matches tables based on their governed tags.
MATCH_COLUMNS ARRAY<STRING> Yes Columns referenced by the policy. NULL for GRANT policies.
CREATED_BY STRING No Principal who created the policy.

Examples

-- List every GRANT policy in the current catalog.
> SELECT *
    FROM information_schema.abac_policy_definitions
    WHERE policy_type = 'GRANT';

-- Find all row filters and column masks attached to securable objects in a schema.
> SELECT policy_name, policy_type, on_securable_type, securable_name, when_condition, match_columns
    FROM information_schema.abac_policy_definitions
    WHERE policy_type IN ('ROW_FILTER', 'COLUMN_MASK')
      AND catalog_name = 'my_catalog'
      AND schema_name = 'my_schema';