Request Access Through Unity Catalog
Managing data access permissions in enterprise environments has always been a challenge. To read a table, you need at least SELECT privileges, but getting access often means tracking down administrators or requesting membership in obscure security groups with cryptic names. These groups typically have unclear purposes, and over time, even the original creators lose track of what resources they grant access to and how to properly manage them.
Databricks recognized this pain point and introduced a game-changing solution: the BROWSE privilege and automated access request workflows in Unity Catalog.
The BROWSE Privilege: See Metadata Without Data Access
Databricks significantly simplified the discovery process by introducing the BROWSE privilege. This allows you to grant users visibility into metadata (table lists, column schemas, etc.) without providing access to the actual data. At minimum, you can grant users USE CATALOG, USE SCHEMA, and BROWSE permissions at the catalog level.
This approach enables users to explore and understand your data landscape while maintaining strict security controls over sensitive information. Users can view all metadata and learn exactly what data exists, making it easier for them to request appropriate permissions for the resources they actually need.
Setting Up Access Requests: A Step-by-Step Guide
Unity Catalog's "Access Requests" feature provides a ready-made solution for streamlining permission requests. Here's how to implement it:
Enable Email Notifications
First, configure the default email destination in your workspace. This must be done by the metastore admin.
Configure Access Request Destinations
Once email notifications are enabled, the metastore admin or object owner can activate access requests by selecting "Manage access request destinations" in the options menu.
From here, you can:
Set the email address where requests will be sent
Configure external destinations like Slack, Microsoft Teams, or webhooks
Integrate with ITSM tools like Jira or ServiceNow using JSON webhooks (though email provides a similar workflow)
How Users Request Access
With access requests enabled, users can easily request permissions when they encounter tables they can see but cannot query:
Navigate to the table or resource in Unity Catalog
Click the "Request Access" option
Select the specific permissions needed (SELECT, MODIFY, etc.)
Add a custom message explaining the business justification
Submit the request
The process is intuitive and provides clear visibility into what permissions are being requested and why.
Approving Access Requests
When a request is submitted, administrators receive an email notification with all relevant details.
Interestingly, the system's default recommendation is to add users to existing groups rather than granting individual permissions - a security best practice that promotes better access management.
This group-based approach only works effectively if you've pre-created appropriate groups (such as "schema_readers" or "department_analysts"). If groups aren't available, you can still grant individual permissions, and the system will redirect you to the standard permissions interface with the request details pre-filled.
Beyond Email: Integrating with ITSM Tools
While email notifications work well for small teams, larger organizations need more robust tracking and approval workflows. The major limitation of email-only requests is the lack of audit trails and centralized management.
By configuring webhook integrations with tools like Jira, you can automatically create tickets for each access request. The webhook sends structured JSON data including:
Requester information and contact details
Specific object and permission details
Business justification comments
Direct links to grant permissions in Databricks
Here's the webhook payload structure:
{
  "requesterName": "<first-name> <last-name> (<email>)",
  "objectName": "<catalog>.<schema>.<table>",
  "objectType": "Table",
  "privileges": "SELECT",
  "principalName": "<group-name>",
  "onBehalfOf": "<group-name>",
  "onBehalfOfType": "Group",
  "comment": "Business justification for access request",
  "databricksWorkspaceUrl": "https://workspace.databricks.com/explore/data/..."
}
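A receiver that turns this webhook into tickets should treat the body as untrusted input, since the comment is free text and an approver will click the grant link. The following is an added example, not code from Databricks or the original article, that validates the payload shown above before building ticket fields; the privilege allowlist, the trusted host, the comma-separated privilege format and the ticket field names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumptions of this sketch, not Databricks-defined values:
ALLOWED_PRIVILEGES = {"SELECT", "MODIFY"}            # what a ticket may ask for
TRUSTED_WORKSPACE_HOST = "workspace.databricks.com"  # host from the sample payload
REQUIRED = ("requesterName", "objectName", "objectType", "privileges",
            "principalName", "comment", "databricksWorkspaceUrl")


class RejectedRequest(ValueError):
    """The webhook body must not become a ticket."""


def build_ticket(raw_body: bytes) -> dict:
    """Validate an access-request webhook body and return hypothetical ticket fields."""
    try:
        payload = json.loads(raw_body)
    except ValueError as exc:  # covers malformed JSON and bad UTF-8
        raise RejectedRequest("body is not valid JSON") from exc
    if not isinstance(payload, dict):
        raise RejectedRequest("body is not a JSON object")
    for field in REQUIRED:
        if not isinstance(payload.get(field), str) or not payload[field].strip():
            raise RejectedRequest(f"missing or non-string field: {field}")
    # Assumed: several privileges arrive as one comma-separated string.
    requested = {p.strip().upper() for p in payload["privileges"].split(",") if p.strip()}
    if not requested or not requested <= ALLOWED_PRIVILEGES:
        raise RejectedRequest("privilege outside the approved set")
    # An approver will click this link, so pin its scheme and host.
    url = urlsplit(payload["databricksWorkspaceUrl"])
    if url.scheme != "https" or url.hostname != TRUSTED_WORKSPACE_HOST:
        raise RejectedRequest("grant link is not on the trusted workspace")
    return {
        "summary": f"Access request: {', '.join(sorted(requested))} on {payload['objectName']}",
        "requester": payload["requesterName"],
        "grant_to": payload["principalName"],
        "justification": payload["comment"][:2000],  # untrusted free text, length-capped
        "grant_link": payload["databricksWorkspaceUrl"],
    }


# Constructed sample body following the payload structure above.
SAMPLE = json.dumps({
    "requesterName": "Ada Example (ada@example.com)", "objectName": "main.sales.orders",
    "objectType": "Table", "privileges": "SELECT", "principalName": "schema_readers",
    "onBehalfOf": "schema_readers", "onBehalfOfType": "Group", "comment": "Quarterly report",
    "databricksWorkspaceUrl": "https://workspace.databricks.com/explore/data/main/sales/orders",
}).encode()
```

Rejected bodies are worth logging with the reason, because a request whose grant link points at a look-alike host is itself a signal to investigate.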
Conclusion
Unity Catalog's access request feature transforms data access management from a bureaucratic bottleneck into a streamlined, self-service process. By combining metadata visibility through BROWSE privileges with automated request workflows, organizations can maintain security while dramatically improving data accessibility and user productivity.
The key to success lies in proper setup: create meaningful groups, configure appropriate approval workflows, and integrate with your existing IT service management tools. When implemented correctly, this feature eliminates the frustration of hunting down mysterious security groups while providing administrators with the visibility and control they need.