
__Author:__ Mathieu Pelletier <mathieu.pelletier@databricks.com> | _Last Modified:_ 14 JUL 2025

## Pre-requisites

To enable the ABAC beta, do the following:

- As a workspace admin, click your username in the top bar of the Databricks workspace.
- From the menu, select Previews.
- Set the Attribute Based Access Control toggle to On.



## Limitations

The following limitations apply during the ABAC preview stages:

- A user who has MODIFY permissions on a table but does not have ASSIGN tag policy permissions can drop a column that has a governed tag. This alters the table structure and might invalidate the ABAC policy tied to that column.
- The ABAC beta is enabled at the workspace level.
- Databricks does not enforce ABAC policies on catalogs when they are accessed from workspaces not enabled in the beta.
- Users with the required Delta Sharing permissions can Delta share tables secured by ABAC policies regardless of how the policy applies to them. The policy does not govern the recipient’s access.
- Views are not supported.
- Foreign catalogs are not supported.
- Materialized views and streaming tables are not supported.
- Only one column mask or row filter can be applied to a given column or row within the object hierarchy. Applying multiple masks or filters might make the table inaccessible.
- ABAC is not supported on Databricks on AWS GovCloud or on workspaces with FedRAMP Moderate compliance controls.
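Two of the limitations above describe silent failure modes: a governed column dropped out from under its policy, and a column carrying more than one mask. The following Python check is an added example, not part of the original notebook; the rows are constructed to mimic `system.information_schema.columns` and `system.information_schema.column_tags`, and the per-column mask inventory (`COLUMN_MASKS`) is an assumed structure, not a documented system table.

```python
from collections import Counter

# Constructed sample: current columns of the students table, mimicking rows of
# system.information_schema.columns after someone dropped the `ssn` column.
TABLE_COLUMNS = {
    "mpelletier.dbdemos.students": ["student_id", "name", "email", "grade"],
}

# Constructed sample: column tags, mimicking system.information_schema.column_tags
# as recorded when the ABAC policy was attached to the governed `pii` tag.
COLUMN_TAGS = [
    {"table": "mpelletier.dbdemos.students", "column": "email", "tag": "pii"},
    {"table": "mpelletier.dbdemos.students", "column": "ssn", "tag": "pii"},
    {"table": "mpelletier.dbdemos.students", "column": "grade", "tag": "internal"},
]

# Constructed sample of mask bindings per column. The source of this inventory is
# an assumption (the notebook does not say where to read it from); mask names are made up.
COLUMN_MASKS = [
    {"table": "mpelletier.dbdemos.students", "column": "email", "mask": "mask_email"},
    {"table": "mpelletier.dbdemos.students", "column": "email", "mask": "mask_pii"},
]


def dropped_governed_columns(table_columns, column_tags, governed_tags=("pii",)):
    """Return sorted (table, column, tag) triples for governed-tag columns that no
    longer exist in the table, i.e. policy drift caused by a DROP COLUMN."""
    drift = []
    for row in column_tags:
        if row["tag"] not in governed_tags:
            continue
        if row["column"] not in table_columns.get(row["table"], ()):
            drift.append((row["table"], row["column"], row["tag"]))
    return sorted(drift)


def multiply_masked_columns(column_masks):
    """Return sorted (table, column) pairs bound to more than one mask, the
    situation the preview warns may make the table inaccessible."""
    counts = Counter((m["table"], m["column"]) for m in column_masks)
    return sorted(key for key, n in counts.items() if n > 1)


def abac_drift_report(table_columns=TABLE_COLUMNS, column_tags=COLUMN_TAGS,
                      column_masks=COLUMN_MASKS):
    """Bundle both checks; empty lists mean no drift was detected."""
    return {
        "dropped_governed_columns": dropped_governed_columns(table_columns, column_tags),
        "multiply_masked_columns": multiply_masked_columns(column_masks),
    }


if __name__ == "__main__":
    print(abac_drift_report())
```

In a real workspace, replace the constructed samples with the results of `SELECT` queries against the two system tables and run the report on a schedule so a dropped governed column is noticed before the policy silently stops applying.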


In [0]:
dbutils.widgets.text("catalog", "mpelletier")
dbutils.widgets.text("database", "dbdemos")
dbutils.widgets.text("volume", "input")

In [0]:
## CHANGE THESE VARIABLES AS NEEDED

catalog = dbutils.widgets.get("catalog")
database = dbutils.widgets.get("database")
volume = dbutils.widgets.get("volume")

print(f"{catalog}.{database}")

In [0]:
# Get the current notebook path
current_path = dbutils.notebook.entry_point.getDbutils().notebook().getContext().notebookPath().get()

# Display the current path
display(current_path)

## Load dataset that contains PII

In [0]:
# Resolve the sample CSV relative to this notebook's location in the workspace files
file_path = f"file:/Workspace/{current_path}/../../data/pii_dataset.csv"

df = spark.read.csv(file_path, header=True, inferSchema=True)
df.display()
# Persist the PII sample as a Unity Catalog table for the ABAC policies to govern
df.write.saveAsTable(f"{catalog}.{database}.students")


## Enable data classification (Optional)

Data Classification automatically classifies and tags tables in your catalog. Classifications can produce tags that can be used by downstream policies to enforce row-level and column-level security using attribute-based access control (ABAC).

<img src="../data/data-classification-details-tab.png" width="800" />


Instructions:
- This feature can be enabled through the UI.
- It cannot be enabled programmatically for the moment.

Limitations:
- Views are not supported
- Delta Sharing catalogs are not supported
- Only a limited set of classes is supported for now; more are coming (custom classes)

Source: https://learn.microsoft.com/en-us/azure/databricks/lakehouse-monitoring/data-classification

<img src="../data/classes.png" width="800" />

