
Grant Databricks permissions (Private Preview)


These Databricks grants are required at deploy time. You can build a context repository and design the semantic model before applying them.

Dedicated connector for production

For production, use a dedicated Databricks connector for CES separate from your catalog crawling connector. This isolates deployment permissions from catalog permissions. Assets appear twice in the Atlan catalog since both connectors point to the same workspace. This is expected.

Databricks-specific

Unlike Snowflake, Simulate on Databricks runs on a live Genie Space, so simulating effectively requires a first deploy. If you plan to simulate before certifying, apply these grants and run Deploy to Databricks once to create the Genie Space, then iterate.

When you're ready to deploy, grant the Atlan service principal the Databricks permissions to create Metric Views, set up the Genie Space, and execute queries on your behalf. You only need to complete this step once per Databricks workspace; subsequent context repositories on the same workspace don't require additional grants.

Prerequisites

Before you begin, make sure:

  • You're at the deploy stage of your context repository, or you intend to deploy to create a Genie Space for Simulate. If you're only authoring the semantic model, you can return to this guide later. Grants aren't needed yet.
  • You have an existing Databricks connection in Atlan configured with Service Principal + OAuth M2M credentials. See Add a Databricks connection.
  • You know the Atlan service principal name. Confirm with your Atlan representative if you're unsure. Applying grants to the wrong principal is the most common setup mistake.
  • You have access to the target Unity Catalog schema and the Databricks workspace and account admin consoles.
  • Partner-powered AI is enabled at both the account and workspace levels. Per Databricks's Genie setup requirements, Genie is unavailable without it, even to users who hold the SQL entitlement. An account administrator enables it.
  • A pro or serverless SQL warehouse is available and runs Databricks Runtime 17.3 or later (required for Metric Views).
  • Permissions may already be applied. In a Databricks SQL editor, run SHOW GRANTS ON SCHEMA <target_catalog>.<target_schema>; and filter for your service principal. If CREATE TABLE, SELECT, and MODIFY are listed and the service principal has CAN USE on the pro or serverless SQL warehouse, skip this guide and go to Deploy.

Apply grants

  1. Grant Unity Catalog access to enable CES to create Metric Views and read source data for simulations. Run the following in a Databricks SQL editor.

    -- Catalog and schema access
    GRANT USE CATALOG ON CATALOG <target_catalog> TO `<atlan_service_principal>`;
    GRANT USE SCHEMA ON SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    -- Required to create Metric Views in the target schema
    GRANT CREATE TABLE ON SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    -- Required for Metric View creation and simulation
    GRANT SELECT ON ALL TABLES IN SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    -- Required to sync Atlan descriptions into Unity Catalog comments
    GRANT MODIFY ON ALL TABLES IN SCHEMA <target_catalog>.<target_schema> TO `<atlan_service_principal>`;

    In Unity Catalog, CREATE TABLE is the privilege required to create Metric Views. There's no separate CREATE VIEW privilege. If your source tables live in a different catalog or schema from the deployment target, grant USE CATALOG, USE SCHEMA, and SELECT on those source locations too.

  2. Grant SQL warehouse access to enable CES to run simulations. In the Databricks workspace, navigate to SQL Warehouses, select your target pro or serverless warehouse, open the Permissions tab, and add the Atlan service principal with CAN USE.

    Note: Genie requires a pro or serverless SQL warehouse running Databricks Runtime 17.3 or later to support Metric Views.

  3. Grant Genie Space management access to enable CES to create and configure Genie Spaces. In the Databricks account and workspace admin consoles:

    • Confirm partner-powered AI is enabled at both the account and workspace levels.
    • Add the service principal to the workspace as a workspace member.
    • Enable the Databricks SQL workspace entitlement for the service principal.

Verify permissions

CES doesn't run an automated preflight check for Databricks. Verify grants manually before deploying:

  • Run SHOW GRANTS ON SCHEMA <target_catalog>.<target_schema>; and confirm USE CATALOG, USE SCHEMA, CREATE TABLE, SELECT, and MODIFY appear for the service principal.
  • In SQL Warehouses, confirm the service principal has CAN USE on the target warehouse.
  • Confirm the service principal is a workspace member with the Databricks SQL entitlement.
  • Open the Databricks connection in Atlan and confirm that catalog browsing works. This tests the OAuth M2M credentials CES uses at build and deploy time.

If any permission is missing, deployment surfaces an error from Databricks. Return to the Configure tab in CES to review the connection settings, resolve the missing grant, and retry.
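The manual schema-grant check above can be scripted once the SHOW GRANTS rows are exported. The following is an added example, not Atlan or Databricks code; it assumes each row is a (principal, action type, object type, object key) tuple, that inherited catalog-level grants appear in the output, and it uses placeholder principal names. It reports missing privileges, privileges beyond the guide's list, and whether another principal holds the full set, which points to grants applied to the wrong principal.

```python
from collections import defaultdict

# Privileges the Verify step asks you to confirm for the service principal.
REQUIRED = frozenset({"USE CATALOG", "USE SCHEMA", "CREATE TABLE", "SELECT", "MODIFY"})
SCHEMA_LEVEL = REQUIRED - {"USE CATALOG"}


def audit_grants(rows, principal):
    """rows: (principal, action_type, object_type, object_key) tuples."""
    held, effective = defaultdict(set), defaultdict(set)
    for who, action, obj_type, _key in rows:
        # Normalise so "use schema" and "USE_SCHEMA" compare equal.
        who, action = who.strip(), action.strip().upper().replace("_", " ")
        held[who].add(action)
        if action == "ALL PRIVILEGES":
            # Covers everything applicable to the object and its children.
            covered = REQUIRED if obj_type.upper() == "CATALOG" else SCHEMA_LEVEL
            effective[who] |= covered
        else:
            effective[who].add(action)

    missing = REQUIRED - effective[principal]
    # Grants beyond the guide's list deserve a least-privilege review.
    extra = held[principal] - REQUIRED
    # Target incomplete while another principal holds the full set:
    # the grants were probably applied to the wrong principal.
    misapplied = sorted(w for w, p in effective.items()
                        if missing and w != principal and REQUIRED <= p)
    return {"ok": not missing, "missing": sorted(missing),
            "extra": sorted(extra), "misapplied_to": misapplied}


# Constructed rows, not real output; principal names are placeholders.
SAMPLE_ROWS = [
    ("atlan-ces-sp", "USE CATALOG", "CATALOG", "main"),
    ("atlan-ces-sp", "USE SCHEMA", "SCHEMA", "main.sales"),
    ("atlan-ces-sp", "SELECT", "SCHEMA", "main.sales"),
    ("atlan-crawler-sp", "USE CATALOG", "CATALOG", "main"),
    ("atlan-crawler-sp", "ALL PRIVILEGES", "SCHEMA", "main.sales"),
]

if __name__ == "__main__":
    print(audit_grants(SAMPLE_ROWS, "atlan-ces-sp"))
```

The warehouse CAN USE permission and the Databricks SQL entitlement are not visible in SHOW GRANTS output, so those two checks remain manual.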

Next steps