
Grant Databricks permissions (Private Preview)

Once you've enabled Context Engineering Studio, you need to grant the Atlan service principal the Databricks permissions required to connect, deploy Metric Views, and execute queries on your behalf. You only need to complete this step once per Databricks workspace. Subsequent context repositories on the same workspace don't require additional grants.

Prerequisites

Before you begin, make sure:

  • You have an existing Databricks connection in Atlan configured with Service Principal + OAuth M2M credentials. See Add a Databricks connection.
  • You know the Atlan service principal name. Confirm with your Atlan representative if unsure: applying grants to the wrong principal is the most common setup mistake.
  • You have access to the target Unity Catalog schema and the Databricks workspace and account admin consoles.
  • Partner-powered AI is enabled at both the account and workspace levels. Per Databricks's Genie setup requirements, Genie is unavailable without this, even to users who hold the SQL entitlement. An account administrator enables it.
  • A pro or serverless SQL warehouse is available and runs Databricks Runtime 17.3 or later (required for Metric Views).
  • Permissions may already be applied. In a Databricks SQL editor, run SHOW GRANTS ON SCHEMA <target_catalog>.<target_schema>; and filter for your service principal. If CREATE TABLE, SELECT, and MODIFY are listed and the service principal has CAN USE on the pro or serverless SQL warehouse, skip this guide and go to Build.

Apply grants

  1. Grant Unity Catalog access to enable CES to create Metric Views and read source data for simulations. Run the following in a Databricks SQL editor.

    -- Catalog and schema access
    GRANT USE CATALOG ON CATALOG <target_catalog> TO `<atlan_service_principal>`;
    GRANT USE SCHEMA ON SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    -- Required to create Metric Views in the target schema
    GRANT CREATE TABLE ON SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    -- Required for Metric View creation and simulation
    GRANT SELECT ON ALL TABLES IN SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    -- Required to sync Atlan descriptions into Unity Catalog comments
    GRANT MODIFY ON ALL TABLES IN SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    In Unity Catalog, CREATE TABLE is the privilege required to create Metric Views. There's no separate CREATE VIEW privilege. If your source tables live in a different catalog or schema from the deployment target, grant USE CATALOG, USE SCHEMA, and SELECT on those source locations too.

  2. Grant SQL warehouse access to enable CES to run simulations. In the Databricks workspace, navigate to SQL Warehouses, select your target pro or serverless warehouse, open the Permissions tab, and add the Atlan service principal with CAN USE.

    Note: Genie requires a pro or serverless SQL warehouse running Databricks Runtime 17.3 or later to support Metric Views.

  3. Grant Genie Space management access to enable CES to create and configure Genie Spaces. In the Databricks account and workspace admin consoles:

    • Confirm partner-powered AI is enabled at both the account and workspace levels.
    • Add the service principal to the workspace as a workspace member.
    • Enable the Databricks SQL workspace entitlement for the service principal.

Verify permissions

CES doesn't run an automated preflight check for Databricks. Verify grants manually before building:

  • Run SHOW GRANTS ON SCHEMA <target_catalog>.<target_schema>; and confirm USE CATALOG, USE SCHEMA, CREATE TABLE, SELECT, and MODIFY appear for the service principal.
  • In SQL Warehouses, confirm the service principal has CAN USE on the target warehouse.
  • Confirm the service principal is a workspace member with the Databricks SQL entitlement.
  • Open the Databricks connection in Atlan and confirm that catalog browsing works. This tests the OAuth M2M credentials CES uses at build and deploy time.

If any permission is missing, deployment surfaces an error from Databricks. Resolve and retry.
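
One way to run the first check above over exported SHOW GRANTS results, as an added example that is not Atlan's or Databricks's code. It assumes the rows are copied out as (principal, privilege, object type, object key) tuples; the principal, catalog and schema names and the sample rows are constructed placeholders.

```python
# Privileges the guide says SHOW GRANTS must list for the service principal.
REQUIRED = {"USE CATALOG", "USE SCHEMA", "CREATE TABLE", "SELECT", "MODIFY"}
# Write-capable privileges worth reviewing when another principal holds them.
WRITE = {"CREATE TABLE", "MODIFY"}


def norm(privilege):
    """Compare privilege names regardless of case or underscore/space form."""
    return privilege.replace("_", " ").strip().upper()


def audit_grants(rows, principal):
    """rows: (principal, privilege, object_type, object_key) tuples copied
    from SHOW GRANTS output (this column layout is an assumption)."""
    held = {norm(p) for who, p, _type, _key in rows if who == principal}
    others = {}
    for who, p, _type, _key in rows:
        if who != principal and norm(p) in WRITE:
            others.setdefault(who, set()).add(norm(p))
    return {
        # Required by the guide but not listed for the intended principal.
        "missing": sorted(REQUIRED - held),
        # Held but not in the guide's list (ALL PRIVILEGES lands here too).
        "extra": sorted(held - REQUIRED),
        # Other principals with write privileges: review for a grant that
        # was applied to the wrong principal.
        "review": {who: sorted(p) for who, p in others.items()},
    }


# Constructed sample rows; every name here is a placeholder.
SCHEMA = "example_catalog.example_schema"
SAMPLE_ROWS = [
    ("atlan-sp-placeholder", "USE_CATALOG", "CATALOG", "example_catalog"),
    ("atlan-sp-placeholder", "USE SCHEMA", "SCHEMA", SCHEMA),
    ("atlan-sp-placeholder", "CREATE TABLE", "SCHEMA", SCHEMA),
    ("atlan-sp-placeholder", "select", "SCHEMA", SCHEMA),
    ("atlan-sp-placeholder", "CREATE FUNCTION", "SCHEMA", SCHEMA),
    ("other-sp-placeholder", "MODIFY", "SCHEMA", SCHEMA),
    ("other-sp-placeholder", "SELECT", "SCHEMA", SCHEMA),
]

if __name__ == "__main__":
    for key, value in audit_grants(SAMPLE_ROWS, "atlan-sp-placeholder").items():
        print(f"{key}: {value}")
```

A non-empty "extra" list means the service principal holds more than the grants this guide applies, which is worth trimming before building.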

Next steps