

Manage access request destinations

Important

This feature is in Public Preview.

This page explains how to configure access request destinations for securable objects in Unity Catalog. These destinations determine where access requests are sent when users request access to data objects.

What are access request destinations?

When users request access to an object in Unity Catalog (such as a table or view), the request is sent to one or more configured destinations. Destinations can be any of the following:

  • Email addresses

  • Slack channels

  • Microsoft Teams channels

  • Webhook endpoints

  • A redirect URL (to your organization's external access request system)

    Only one redirect URL can be configured per object. If a URL is set, no other destinations can be set and users are redirected to that URL instead of seeing the in-product request form.

How access request destinations work

  • If access request destinations are configured, users can request privileges on objects where they have either the BROWSE privilege or a direct URL to the object. Users can also request privileges when they encounter permission denied errors in notebooks, the SQL editor, or other authoring tools.

  • When submitting a request, users can request access for one or more principals, including themselves, service principals, other users, or groups. The request is routed to the configured destinations.

  • Destinations can be configured on metastores, catalogs, schemas, storage credentials, service credentials, external locations, and connections.

  • Destinations are inherited by child objects such as tables and views.

  • If no destination is configured, users cannot request access to the object.

    By default, no destinations are configured on any object. To ensure access requests are always delivered, Databricks recommends that you enable default email destinations.

  • If multiple destinations are configured, the request is sent to all of them.

  • If a Redirect URL is configured, users are taken to the URL and do not see the access request form.

  • Workspace admins can configure external destinations by following the instructions in Manage notification destinations.

Enable default email destinations

Databricks recommends enabling default email destinations. This ensures that access requests are delivered even when no destination is manually configured. When enabled, requests for catalog objects are sent to the catalog owner’s email address, and requests for objects outside a catalog, such as external locations, are sent to the object owner’s email address.

Tip

Enabling default email destinations ensures that access requests are delivered even when no destination is manually configured for an object. This is the fastest way to start receiving and responding to requests across your Unity Catalog metastore.

To enable default destinations, you must be both a metastore admin and workspace admin.

  1. In the upper-right corner of your workspace, click your profile photo and select Settings.
  2. Click Notifications.
  3. Turn on Enable default destinations for request for access in UC.

Configure access request destinations on an object

To configure destinations for a catalog or schema, you must be a metastore admin or the object owner. To configure an access request destination on a schema, you must also have the USE CATALOG privilege on the parent catalog.

You can also configure access request destinations using the Access Request Destinations API.

  1. In your Azure Databricks workspace, click Catalog.

  2. Select a securable object.

  3. Click the kebab menu and select Manage access request destinations.

  4. Choose one or more email or external destinations, or configure a redirect URL. If a URL is selected, no other destination types can be added.

    Configure an access request destination.

  5. Click Update.

To disable access requests, remove all destinations and turn off the default destination setting (if enabled).

Access request examples

The following section shows examples for access requests sent to different destinations.

Email

Access request emails are sent from noreply@databricks.com.

Request for access email destination.

Slack

Request for access Slack destination.

Webhook (JSON)

{
  "requesterName": "<first-name> <last-name> (<email>)",
  "objectName": "<catalog>.<schema>.<table>",
  "objectType": "Table",
  "privileges": "SELECT",
  "principalName": "<group-name>",
  "onBehalfOf": "<group-name>",
  "onBehalfOfType": "Group",
  "comment": "My team needs access to run queries on this table.",
  "databricksWorkspaceUrl": "https://<account>.databricks.com/explore/data/<catalog>/<schema>/<table>?o=<table-id>&activeTab=permissions&showGrantModal=true&requestedPrivileges=SELECT&groupId=<group-id>"
}

For information on how to integrate webhooks with common tools, see the following:
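A webhook receiver that forwards these requests into a ticketing or chat system should not trust the payload blindly: the approver will click databricksWorkspaceUrl, so a spoofed or tampered payload could send them to a lookalike host or request broader privileges than the fields claim. The following is an added example, not Databricks code, of validating and normalizing a payload of the shape shown above before acting on it. The sample payloads, the allowed workspace host suffixes, the spelling of the principal types, the privilege allow-list, and the comma-separated form of multiple privileges are all assumptions for this example.

```python
"""Validate and normalize a Unity Catalog access-request webhook payload.

Added example (not Databricks code). The payload shape follows the page;
everything in ASSUMED_* is an assumption you should replace with your own values.
"""
import json
from urllib.parse import parse_qs, urlparse

# Assumption: the workspace hosts whose links approvers are allowed to follow.
ASSUMED_HOST_SUFFIXES = (".azuredatabricks.net", ".cloud.databricks.com")
# Assumption: spellings of onBehalfOfType values.
ASSUMED_PRINCIPAL_TYPES = {"User", "Group", "ServicePrincipal"}
# Assumption: privileges a request may ask for (a subset of UC privileges).
ASSUMED_PRIVILEGES = {"SELECT", "MODIFY", "USE CATALOG", "USE SCHEMA", "BROWSE", "EXECUTE",
                      "READ VOLUME", "WRITE VOLUME"}
REQUIRED_FIELDS = ("requesterName", "objectName", "objectType", "privileges",
                   "principalName", "onBehalfOf", "onBehalfOfType", "databricksWorkspaceUrl")

# Constructed sample payload (same field set as the page's webhook JSON).
SAMPLE_PAYLOAD = json.dumps({
    "requesterName": "Ada Lovelace (ada@example.com)",
    "objectName": "prod.sales.orders",
    "objectType": "Table",
    "privileges": "SELECT",
    "principalName": "analysts",
    "onBehalfOf": "analysts",
    "onBehalfOfType": "Group",
    "comment": "My team needs access to run queries on this table.",
    "databricksWorkspaceUrl": "https://adb-1234.azuredatabricks.net/explore/data/prod/sales/orders"
                              "?o=1234&activeTab=permissions&showGrantModal=true"
                              "&requestedPrivileges=SELECT&groupId=42",
})
# Constructed tampered payload: lookalike host that merely starts with a workspace name.
SPOOFED_HOST_PAYLOAD = SAMPLE_PAYLOAD.replace(
    "adb-1234.azuredatabricks.net/", "adb-1234.azuredatabricks.net.evil.example/")
# Constructed tampered payload: link asks for more than the privileges field states.
ESCALATED_LINK_PAYLOAD = SAMPLE_PAYLOAD.replace(
    "requestedPrivileges=SELECT", "requestedPrivileges=SELECT,MODIFY")


def parse_requester(requester_name):
    """Split "First Last (email)" into (name, email)."""
    name, sep, rest = requester_name.rpartition(" (")
    if not sep or not rest.endswith(")") or "@" not in rest:
        raise ValueError(f"unexpected requesterName format: {requester_name!r}")
    return name, rest[:-1]


def validate_access_request(raw):
    """Return a normalized record, or raise ValueError if the payload is inconsistent."""
    payload = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if not isinstance(payload.get(f), str) or not payload[f]]
    if missing:
        raise ValueError(f"missing or non-string fields: {missing}")
    if payload["onBehalfOfType"] not in ASSUMED_PRINCIPAL_TYPES:
        raise ValueError(f"unknown principal type: {payload['onBehalfOfType']!r}")

    # Assumption: several privileges arrive as a comma-separated string.
    privileges = sorted({p.strip().upper() for p in payload["privileges"].split(",") if p.strip()})
    unknown = sorted(set(privileges) - ASSUMED_PRIVILEGES)
    if unknown:
        raise ValueError(f"unknown privileges: {unknown}")

    # The approval link must be https, on a host we own, and must describe the same object
    # and the same privileges as the structured fields.
    url = urlparse(payload["databricksWorkspaceUrl"])
    host = url.hostname or ""
    if url.scheme != "https" or not host.endswith(ASSUMED_HOST_SUFFIXES):
        raise ValueError(f"approval link host not trusted: {host!r}")
    parts = url.path.strip("/").split("/")
    if len(parts) < 3 or parts[:2] != ["explore", "data"]:
        raise ValueError(f"unexpected approval link path: {url.path!r}")
    if ".".join(parts[2:]) != payload["objectName"]:
        raise ValueError("approval link object does not match objectName")
    link_privs = sorted({p.strip().upper() for p in
                         parse_qs(url.query).get("requestedPrivileges", [""])[0].split(",") if p.strip()})
    if link_privs != privileges:
        raise ValueError(f"approval link privileges {link_privs} differ from {privileges}")

    name, email = parse_requester(payload["requesterName"])
    return {
        "requester_name": name,
        "requester_email": email,
        "object": payload["objectName"],
        "object_type": payload["objectType"],
        "privileges": privileges,
        "principal": payload["onBehalfOf"],
        "principal_type": payload["onBehalfOfType"],
        "comment": payload.get("comment", ""),
        "approval_url": payload["databricksWorkspaceUrl"],
    }


def is_trusted_request(raw):
    """Convenience wrapper: True if the payload passes every consistency check."""
    try:
        validate_access_request(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(validate_access_request(SAMPLE_PAYLOAD))
    print("spoofed host accepted:", is_trusted_request(SPOOFED_HOST_PAYLOAD))
    print("escalated link accepted:", is_trusted_request(ESCALATED_LINK_PAYLOAD))
```

The host check uses a suffix with a leading dot so that a host that merely contains a workspace name in a longer domain is rejected, and the structured privileges field is treated as the source of truth: a link whose requestedPrivileges disagrees with it is refused rather than silently followed.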

Approve an access request

To approve an access request, follow the link sent to your access request notification. The link opens a modal dialog in your workspace that displays the requester, object, and requested privileges.

Review a request for access.

Next, select one of the following approval methods:

  • Add principal to group(s) to add the requester to one or more existing groups that have at least one of the requested privileges.

    Grant a request for access using a group.

  • Grant privileges to principal to give them access to the object directly. You can also select privilege presets, such as Data Reader, to grant a user a collection of privileges.

    Grant a request for access using privileges.