
Permissions for Databricks AI models

This reference covers the privileges the Atlan service account needs to crawl AI models and extract lineage from Databricks Unity Catalog, what each privilege enables, and how to grant it.

For standard Databricks connector permissions, see Set up Databricks.

Model metadata privileges

These privileges are required for Atlan to enumerate models and read their metadata from Unity Catalog system tables.

Grant the Data Reader preset—which includes all of the following—or grant individual privileges as listed:

Privilege | Scope | What it enables
--- | --- | ---
USE CATALOG | Catalog containing models | Lets the service account access the catalog. Without this, the catalog is invisible to the crawler.
USE SCHEMA | Schema containing models | Lets the service account access schemas within the catalog. Required to list and query models within a schema.
EXECUTE | Schema containing models | Lets the service account execute functions referenced by model versions. Some models reference user-defined functions; this privilege is needed to inspect those references.
READ VOLUME | Volume | Lets the service account read volume artifacts associated with models, such as model files stored in Unity Catalog volumes.
SELECT | Schema containing models | Lets the service account query model metadata from Unity Catalog system tables and information schema views.
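The following is an added example, not code from the Atlan documentation, showing the second option above: granting each privilege individually to a dedicated service principal rather than using the Data Reader preset. The catalog `main`, schema `ml`, volume `model_artifacts` and principal `atlan-svc` are assumed names for illustration; the SHOW GRANTS statements at the end let you confirm that the account ended up with only the privileges listed in the table.

```sql
-- Added example (not from the Atlan page): granting the individual model
-- metadata privileges from the table above instead of the Data Reader preset.
-- Assumed names for illustration: catalog `main`, schema `ml`,
-- volume `model_artifacts`, service principal `atlan-svc`.

-- Catalog visibility: without USE CATALOG the catalog is invisible to the crawler.
GRANT USE CATALOG ON CATALOG main TO `atlan-svc`;

-- Schema access, inspection of functions referenced by model versions,
-- and querying model metadata from system tables / information schema views.
GRANT USE SCHEMA ON SCHEMA main.ml TO `atlan-svc`;
GRANT EXECUTE    ON SCHEMA main.ml TO `atlan-svc`;
GRANT SELECT     ON SCHEMA main.ml TO `atlan-svc`;

-- Model artifacts (model files) stored in a Unity Catalog volume.
GRANT READ VOLUME ON VOLUME main.ml.model_artifacts TO `atlan-svc`;

-- Verify before running the crawler: the output should list exactly the
-- privileges above and nothing broader (no MODIFY, CREATE, WRITE VOLUME, ...).
SHOW GRANTS `atlan-svc` ON CATALOG main;
SHOW GRANTS `atlan-svc` ON SCHEMA main.ml;
SHOW GRANTS `atlan-svc` ON VOLUME main.ml.model_artifacts;
```

Note that SELECT granted on a schema applies to every table and view in that schema, not only the model metadata the crawler needs, so limit these grants to the schemas that actually contain models rather than granting them at catalog level.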

Notebook and experiment privileges

Atlan reads input datasets and run metadata from MLflow runs linked to each model version. Each run is associated with a notebook or MLflow experiment. Without access to these, Atlan can't retrieve run-level attributes (metrics, parameters, run timing) or build lineage from run inputs.

Grant CAN VIEW or CAN READ on all notebooks and MLflow experiments linked to model versions.

Access level | Scope | What it enables
--- | --- | ---
CAN VIEW | Notebook or MLflow experiment | Minimum access needed to read run data. Sufficient for metadata extraction.
CAN READ | Notebook or MLflow experiment | Broader access. Also sufficient for metadata extraction.

Granting at workspace level vs. per object

Granting access per notebook or experiment gives precise control but requires ongoing maintenance as new notebooks and experiments are added. Granting CAN VIEW at the workspace level covers all current and future notebooks without manual re-grants:

  • Per notebook/experiment: more precise, higher operational overhead
  • Workspace level: simpler, broader—recommended for teams with many model versions

Feature store privileges (optional)

Required only if your workspace uses Databricks Feature Store models and the feature_spec.yaml artifact is stored in an external location.

Atlan reads feature_spec.yaml to discover the upstream feature views, tables, and functions a model was trained on. If this file is inaccessible, Atlan skips Feature Store lineage for that model version and falls back to run-based lineage where available.

Privilege | Scope | What it enables
--- | --- | ---
READ FILES | External location storing feature_spec.yaml | Lets the service account read the Feature Store artifact. Without this, Feature Store lineage is skipped.

Grant using:

GRANT READ FILES ON EXTERNAL LOCATION <external_location_name> TO <atlan_user_or_role>;

Repeat for each external location that stores Feature Store artifacts for models you want to crawl.

See also