Skills
skills/jeremylongshore/claude-code-plugins-plus-skills/databricks-enterprise-rbac

databricks-enterprise-rbac

SKILL.md

Databricks Enterprise RBAC

Overview

Implement access control across Databricks using Unity Catalog privileges, workspace-level entitlements, and SCIM-provisioned groups. Unity Catalog enforces a three-level namespace (catalog.schema.table) with privilege inheritance, so granting USAGE on a catalog cascades to its schemas.

Prerequisites

  • Databricks Premium or Enterprise tier with Unity Catalog enabled
  • Account-level admin access for SCIM and group management
  • Identity Provider supporting SAML 2.0 and SCIM 2.0

Instructions

Step 1: Create Account-Level Groups via SCIM

# Provision groups that map to IdP teams
databricks account groups create --json '{
  "displayName": "data-engineers",
  "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]
}'

databricks account groups create --json '{
  "displayName": "data-analysts",
  "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]
}'

Step 2: Grant Unity Catalog Privileges

-- Data Engineers: full ETL access to bronze/silver, read gold
GRANT USAGE ON CATALOG analytics TO `data-engineers`;
GRANT CREATE, MODIFY, SELECT ON SCHEMA analytics.bronze TO `data-engineers`;
GRANT CREATE, MODIFY, SELECT ON SCHEMA analytics.silver TO `data-engineers`;
GRANT SELECT ON SCHEMA analytics.gold TO `data-engineers`;

-- Analysts: read-only on curated gold tables
GRANT USAGE ON CATALOG analytics TO `data-analysts`;
GRANT SELECT ON SCHEMA analytics.gold TO `data-analysts`;

Step 3: Apply Cluster Policies

{
  "name": "analyst-serverless-only",
  "definition": {
    "cluster_type": { "type": "fixed", "value": "sql" },
    "autotermination_minutes": { "type": "range", "maxValue": 30 },
    "num_workers": { "type": "range", "maxValue": 4 }
  }
}

Assign the policy to data-analysts so they cannot spin up expensive GPU clusters.

Step 4: Configure SQL Warehouse Permissions

databricks permissions update sql/warehouses WAREHOUSE_ID --json '[
  {"group_name": "data-analysts", "permission_level": "CAN_USE"},
  {"group_name": "data-engineers", "permission_level": "CAN_MANAGE"}
]'

Step 5: Audit with System Tables

SELECT event_time, user_identity.email, action_name, request_params
FROM system.access.audit
WHERE action_name LIKE '%Grant%' OR action_name LIKE '%Revoke%'
  AND event_date > current_date() - INTERVAL 30 DAYS
ORDER BY event_time DESC;

Error Handling

Issue Cause Solution
PERMISSION_DENIED on table Missing USAGE on parent catalog/schema Grant USAGE at each namespace level
SCIM sync fails Expired bearer token Regenerate account-level PAT
Cluster start blocked No matching cluster policy Assign a permissive policy to the group
Cannot see SQL warehouse Missing CAN_USE grant Add warehouse permission for the group

Examples

Basic usage: Apply databricks enterprise rbac to a standard project setup with default configuration options.

Advanced scenario: Customize databricks enterprise rbac for production environments with multiple constraints and team-specific requirements.

Output

  • Configuration files or code changes applied to the project
  • Validation report confirming correct implementation
  • Summary of changes made and their rationale

Resources

  • Official logging documentation
  • Community best practices and patterns
  • Related skills in this plugin pack
Weekly Installs
19
Repository
jeremylongshore…s-skills
GitHub Stars
1.6K
First Seen
Feb 14, 2026
Security Audits
Gen Agent Trust HubPass
SocketFail
SnykFail
Installed on
codex19
opencode18
github-copilot18
kimi-cli18
gemini-cli18
amp18