policies
Creates, updates, deletes, gets or lists a policies resource.
Overview
| Name | policies |
| Type | Resource |
| Id | databricks_workspace.catalog.policies |
Fields
The following fields are returned by SELECT queries (`get` and `list` return the same fields):
| Name | Datatype | Description |
|---|---|---|
| id | string | Unique identifier of the policy. This field is output only and is generated by the system. |
| name | string | Name of the policy. Required on create and optional on update. To rename the policy, set `name` to a different value on update. |
| column_mask | object | Options for column mask policies. Valid only if `policy_type` is `POLICY_TYPE_COLUMN_MASK`. Required on create and optional on update. When specified on update, the new options replace the existing options as a whole. |
| comment | string | Optional description of the policy. |
| created_at | integer | Time at which the policy was created, in epoch milliseconds. Output only. |
| created_by | string | Username of the user who created the policy. Output only. |
| except_principals | array | Optional list of user or group names that should be excluded from the policy. |
| for_securable_type | string | The type of Unity Catalog securable the policy applies to. (CATALOG, CLEAN_ROOM, CONNECTION, CREDENTIAL, EXTERNAL_LOCATION, EXTERNAL_METADATA, FUNCTION, METASTORE, PIPELINE, PROVIDER, RECIPIENT, SCHEMA, SHARE, STAGING_TABLE, STORAGE_CREDENTIAL, TABLE, VOLUME) |
| match_columns | array | Optional list of condition expressions used to match table columns. Only valid when `for_securable_type` is `TABLE`. When specified, the policy only applies to tables whose columns satisfy all match conditions. |
| on_securable_fullname | string | Full name of the securable on which the policy is defined. Required on create. |
| on_securable_type | string | The type of Unity Catalog securable on which the policy is defined. (CATALOG, CLEAN_ROOM, CONNECTION, CREDENTIAL, EXTERNAL_LOCATION, EXTERNAL_METADATA, FUNCTION, METASTORE, PIPELINE, PROVIDER, RECIPIENT, SCHEMA, SHARE, STAGING_TABLE, STORAGE_CREDENTIAL, TABLE, VOLUME) |
| policy_type | string | Type of the policy. Required on create. (POLICY_TYPE_COLUMN_MASK, POLICY_TYPE_ROW_FILTER) |
| row_filter | object | Options for row filter policies. Valid only if `policy_type` is `POLICY_TYPE_ROW_FILTER`. Required on create and optional on update. When specified on update, the new options replace the existing options as a whole. |
| to_principals | array | List of user or group names that the policy applies to (any of them also listed in `except_principals` are excluded). |
| updated_at | integer | Time at which the policy was last modified, in epoch milliseconds. Output only. |
| updated_by | string | Username of the user who last modified the policy. Output only. |
| when_condition | string | Optional condition when the policy should take effect. |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get | select | on_securable_type, on_securable_fullname, name, deployment_name | | Get the policy definition on a securable. |
| list | select | on_securable_type, on_securable_fullname, deployment_name | include_inherited, max_results, page_token | List all policies defined on a securable. Optionally, the list can include inherited policies defined on parent securables. |
| create | insert | deployment_name, policy_info | | Creates a new policy on a securable. The new policy applies to the securable and all its descendants. |
| update | update | on_securable_type, on_securable_fullname, name, deployment_name, policy_info | update_mask | Update an ABAC policy on a securable. |
| delete | delete | on_securable_type, on_securable_fullname, name, deployment_name | | Delete an ABAC policy defined on a securable. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| deployment_name | string | The Databricks Workspace Deployment Name (default: dbc-abcd0123-a1bc) |
| name | string | Required for get, update and delete. The name of the policy. |
| on_securable_fullname | string | Required. The fully qualified name of the securable on which the policy is defined. |
| on_securable_type | string | Required. The type of the securable on which the policy is defined. |
| include_inherited | boolean | Optional. Whether to include policies defined on parent securables. By default, inherited policies are not included. |
| max_results | integer | Optional. Maximum number of policies to return on a single page (page length). When not set or set to 0, the page length is a server-configured value (recommended); when set to a value greater than 0, the page length is the minimum of this value and the server-configured value. |
| page_token | string | Optional. Opaque pagination token for fetching the next page, taken from the previous response. |
| update_mask | string | Optional. The update mask specifying which fields of `policy_info` the request intends to update. |
SELECT examples
- get
- list
Get the policy definition on a securable
SELECT
id,
name,
column_mask,
comment,
created_at,
created_by,
except_principals,
for_securable_type,
match_columns,
on_securable_fullname,
on_securable_type,
policy_type,
row_filter,
to_principals,
updated_at,
updated_by,
when_condition
FROM databricks_workspace.catalog.policies
WHERE on_securable_type = '{{ on_securable_type }}' -- required
AND on_securable_fullname = '{{ on_securable_fullname }}' -- required
AND name = '{{ name }}' -- required
AND deployment_name = '{{ deployment_name }}' -- required
;
List all policies defined on a securable. Optionally, the list can include inherited policies defined on parent securables (`include_inherited`).
SELECT
id,
name,
column_mask,
comment,
created_at,
created_by,
except_principals,
for_securable_type,
match_columns,
on_securable_fullname,
on_securable_type,
policy_type,
row_filter,
to_principals,
updated_at,
updated_by,
when_condition
FROM databricks_workspace.catalog.policies
WHERE on_securable_type = '{{ on_securable_type }}' -- required
AND on_securable_fullname = '{{ on_securable_fullname }}' -- required
AND deployment_name = '{{ deployment_name }}' -- required
AND include_inherited = '{{ include_inherited }}'
AND max_results = '{{ max_results }}'
AND page_token = '{{ page_token }}'
;
INSERT examples
- create
- Manifest
Creates a new policy on a securable. The new policy applies to the securable and all its descendants.
INSERT INTO databricks_workspace.catalog.policies (
policy_info,
deployment_name
)
SELECT
'{{ policy_info }}' /* required */,
'{{ deployment_name }}'
RETURNING
id,
name,
column_mask,
comment,
created_at,
created_by,
except_principals,
for_securable_type,
match_columns,
on_securable_fullname,
on_securable_type,
policy_type,
row_filter,
to_principals,
updated_at,
updated_by,
when_condition
;
# Description fields are for documentation purposes
- name: policies
  props:
    - name: deployment_name
      value: "{{ deployment_name }}"
      description: Required parameter for the policies resource.
    - name: policy_info
      description: |
        Required. The policy to create. Do not send output-only fields
        (id, created_at, created_by, updated_at, updated_by); the service
        generates them. Set exactly one of column_mask (for
        POLICY_TYPE_COLUMN_MASK) or row_filter (for POLICY_TYPE_ROW_FILTER),
        matching policy_type.
      value:
        name: "{{ name }}"
        comment: "{{ comment }}"
        policy_type: "{{ policy_type }}"
        on_securable_type: "{{ on_securable_type }}"
        on_securable_fullname: "{{ on_securable_fullname }}"
        for_securable_type: "{{ for_securable_type }}"
        to_principals:
          - "{{ to_principals }}"
        except_principals:
          - "{{ except_principals }}"
        when_condition: "{{ when_condition }}"
        match_columns:                # only valid when for_securable_type is TABLE
          - alias: "{{ alias }}"
            condition: "{{ condition }}"
        column_mask:                  # only valid when policy_type is POLICY_TYPE_COLUMN_MASK
          function_name: "{{ function_name }}"
          on_column: "{{ on_column }}"
          using:
            - alias: "{{ alias }}"
              constant: "{{ constant }}"
        # row_filter:                 # only valid when policy_type is POLICY_TYPE_ROW_FILTER
        #   function_name: "{{ function_name }}"
        #   using:
        #     - alias: "{{ alias }}"
        #       constant: "{{ constant }}"
UPDATE examples
- update
Update an ABAC policy on a securable.
UPDATE databricks_workspace.catalog.policies
SET
policy_info = '{{ policy_info }}' -- required
WHERE
on_securable_type = '{{ on_securable_type }}' -- required
AND on_securable_fullname = '{{ on_securable_fullname }}' -- required
AND name = '{{ name }}' -- required
AND deployment_name = '{{ deployment_name }}' -- required
AND update_mask = '{{ update_mask }}'
RETURNING
id,
name,
column_mask,
comment,
created_at,
created_by,
except_principals,
for_securable_type,
match_columns,
on_securable_fullname,
on_securable_type,
policy_type,
row_filter,
to_principals,
updated_at,
updated_by,
when_condition;
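The INSERT manifest and the UPDATE statement above both take a `policy_info` body whose fields are constrained by the rules in the Fields table (output-only fields, `column_mask` versus `row_filter` tied to `policy_type`, `match_columns` only for `TABLE`), and the UPDATE takes an `update_mask`. The following Python is an added example, not StackQL's or Databricks' code: it validates a `policy_info` payload against those documented rules before rendering the StackQL INSERT and UPDATE, derives `update_mask` from what actually changed, and quotes the JSON body safely. The sample policy (catalog `prod`, group `data-stewards`, masking function `prod.security.mask_email`, the `hasTag(...)` condition syntax) and the comma-separated `update_mask` format are assumptions, not taken from this page.

```python
import json

# Field rules taken from the Fields table of this page.
POLICY_TYPES = {"POLICY_TYPE_COLUMN_MASK": "column_mask", "POLICY_TYPE_ROW_FILTER": "row_filter"}
SECURABLE_TYPES = {
    "CATALOG", "CLEAN_ROOM", "CONNECTION", "CREDENTIAL", "EXTERNAL_LOCATION", "EXTERNAL_METADATA",
    "FUNCTION", "METASTORE", "PIPELINE", "PROVIDER", "RECIPIENT", "SCHEMA", "SHARE",
    "STAGING_TABLE", "STORAGE_CREDENTIAL", "TABLE", "VOLUME",
}
OUTPUT_ONLY = {"id", "created_at", "created_by", "updated_at", "updated_by"}
REQUIRED_ON_CREATE = ("name", "policy_type", "on_securable_fullname")
RESOURCE = "databricks_workspace.catalog.policies"

# Constructed sample: mask every column tagged as a PII e-mail in catalog `prod` for all users
# except the `data-stewards` group. Catalog, tag, group and function names are hypothetical,
# and the hasTag(...) condition syntax is assumed rather than taken from this page.
SAMPLE_POLICY = {
    "name": "mask_pii_email",
    "policy_type": "POLICY_TYPE_COLUMN_MASK",
    "on_securable_type": "CATALOG",
    "on_securable_fullname": "prod",
    "for_securable_type": "TABLE",
    "to_principals": ["account users"],
    "except_principals": ["data-stewards"],
    "match_columns": [{"alias": "pii_email", "condition": "hasTag('pii_email')"}],
    "column_mask": {"function_name": "prod.security.mask_email", "on_column": "pii_email"},
    "comment": "Mask tagged e-mail columns for everyone but the stewards group",
}


def validate_policy_info(info: dict, *, create: bool = True) -> list[str]:
    """Check a policy_info payload against the documented field rules.

    Returns the list of problems found; an empty list means the payload is consistent.
    """
    problems = []
    if create:
        problems += [f"missing field required on create: {f}" for f in REQUIRED_ON_CREATE if f not in info]
    problems += [f"output-only field must not be sent: {f}" for f in sorted(OUTPUT_ONLY.intersection(info))]
    for f in ("on_securable_type", "for_securable_type"):
        if f in info and info[f] not in SECURABLE_TYPES:
            problems.append(f"{f} has unknown securable type: {info[f]}")
    ptype = info.get("policy_type")
    if ptype is not None and ptype not in POLICY_TYPES:
        problems.append(f"unknown policy_type: {ptype}")
    elif ptype is not None:
        wanted = POLICY_TYPES[ptype]
        for other_type, other in POLICY_TYPES.items():
            if other != wanted and other in info:
                problems.append(f"{other} is only valid when policy_type is {other_type}")
        if create and wanted not in info:
            problems.append(f"{ptype} requires {wanted} on create")
    if "match_columns" in info and info.get("for_securable_type") != "TABLE":
        problems.append("match_columns is only valid when for_securable_type is TABLE")
    # Local sanity check, not a rule stated by the API doc: a principal that appears in both
    # to_principals and except_principals is almost certainly a mistake.
    overlap = set(info.get("to_principals", [])) & set(info.get("except_principals", []))
    if overlap:
        problems.append(f"principals in both to_principals and except_principals: {sorted(overlap)}")
    return problems


def sql_literal(value) -> str:
    """Single-quoted SQL literal; non-strings are serialised as JSON. Embedded quotes are
    doubled so a comment or principal name containing ' cannot break out of the literal."""
    text = value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
    return "'" + text.replace("'", "''") + "'"


def update_mask(current: dict, desired: dict) -> str:
    """Top-level fields that differ between current and desired, as a comma-separated list
    (the comma-separated update_mask format is an assumption, not stated on this page)."""
    return ",".join(sorted(k for k in desired if k not in OUTPUT_ONLY and current.get(k) != desired[k]))


def render_insert(info: dict, deployment_name: str) -> str:
    """StackQL INSERT for a new policy; refuses payloads that violate the field rules."""
    problems = validate_policy_info(info, create=True)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"INSERT INTO {RESOURCE} (policy_info, deployment_name)\n"
            f"SELECT {sql_literal(info)}, {sql_literal(deployment_name)};")


def render_update(current: dict, desired: dict, deployment_name: str) -> str:
    """StackQL UPDATE keyed by the policy's identity, with update_mask limited to changed fields."""
    problems = validate_policy_info(desired, create=False)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"UPDATE {RESOURCE}\nSET policy_info = {sql_literal(desired)}\n"
            f"WHERE on_securable_type = {sql_literal(current['on_securable_type'])}\n"
            f"  AND on_securable_fullname = {sql_literal(current['on_securable_fullname'])}\n"
            f"  AND name = {sql_literal(current['name'])}\n"
            f"  AND deployment_name = {sql_literal(deployment_name)}\n"
            f"  AND update_mask = {sql_literal(update_mask(current, desired))};")


if __name__ == "__main__":
    print(render_insert(SAMPLE_POLICY, "dbc-abcd0123-a1bc"))
```

Running the file prints the INSERT for the sample policy. Validating before rendering matters because the service rejects an inconsistent body (a `row_filter` on a `POLICY_TYPE_COLUMN_MASK` policy, `match_columns` on a non-`TABLE` securable, or output-only fields copied from a previous `SELECT`), and deriving `update_mask` from the diff keeps an update from silently replacing `column_mask` or `row_filter` options that were not meant to change, since those objects are replaced as a whole when specified.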
DELETE examples
- delete
Delete an ABAC policy defined on a securable.
DELETE FROM databricks_workspace.catalog.policies
WHERE on_securable_type = '{{ on_securable_type }}' -- required
AND on_securable_fullname = '{{ on_securable_fullname }}' -- required
AND name = '{{ name }}' -- required
AND deployment_name = '{{ deployment_name }}' -- required
;