Fine-Grained Access Control in Databricks with Privacera


By: Purnima Kuchikulla & Sharada Ramesh

Privacera offers the ability to enable fine-grained access control in a Databricks environment to help secure your sensitive information. Companies can create policies to grant access to specific users, roles, and groups by using SQL notebook in Databricks. This notebook needs to be associated with a cluster that is secured using the Privacera Ranger Plugin for Databricks.

Fine-Grained Access Control can be applied to a variety of different use cases. These include restricting access to data at a column-level so that users have access to specified columns within a database. Administrators can also limit access to specific rows so that users can only query certain rows. Additionally, policies can be created that revoke access to the database altogether. Privacera also provides the ability to create encryption policies that mask the data so that users cannot view sensitive information, such as date of birth or social security numbers. These use cases, which are all supported through the Privacera Ranger Plugin for Databricks, ensure data security.

How Privacera Ranger Plugin for Databricks Works

We will run a Spark SQL query to get all the records from a table. Here you can see that when the query is run in Databricks, the user was able to access all the data in the database.

If we go to the Privacera Ranger Access Manager Audits tab, we can see that Policy ID 49 gave the user access to run the necessary query on this table, in Databricks Policy ID 49 grants a star to the columns meaning it gives the user the permission to see the data from the entire table. Now we will disable this policy as indicated in the screenshot below to deny users from accessing all the columns in the table.

If this policy is disabled and the same query is run again, Emily will not be able to see the data as a result of her permission being revoked.

Now as part of Policy ID 50 we can also give users access to selective columns.

In Databricks, we are going to run a query that states these specified columns. The user is able to see the data for these columns only because we gave them permission in the policy for these particular columns. This is just one of many features offered by Privacera, to ensure that the sensitive data is protected.

Privacera also provides administrators the flexibility to restrict users to data that they are permitted to view due to compliance requirements. This can be achieved by using row-level filters. Row-level filters are implicitly applied to the where clause for a given user, role, or group. In the example below, row-level filtering has been enabled where the user has only access to rows containing sales data from the US.

So if the same query is rerun, we will see this policy being applied so that the user can only see data from the US as opposed to both UK and US sales. This is an effective way of supporting multi-tenancy.

Administrators can also set up masking policies to protect customer data. One such example is creating a masking policy, using a partial mask, so that the user can only see the last 4 digits of a customer’s Social Security Number.

You can also use the same logic to create a policy to hash the customer email. When running the query in Databricks, you can see these policies being enforced.

Why use Privacera for Fine-Grained Access Control in Databricks?

Privacera provides a simple yet effective solution to fine-grained access control in Databricks. This solution ensures that sensitive data is protected at a user, role, and group level by applying various levels of protection with complete auditability.

Fine-grained access control capability for Databricks is also available as part of the PrivaceraCloud SaaS offering. PrivaceraCloud is a fully managed service that enables organizations to deploy data governance capabilities across cloud services in minutes. In addition to fine-grained access control, PrivaceraCloud also provides out-of-box and customizable reports, alerts, and dashboards required for compliance, audit, and governance purposes.

To learn more about PrivaceraCloud schedule a personalized demo or request a free30-day trial.


Contact Privacera for a Data Governance and Security Demo Today