Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
This documentation has been retired and might not be updated. The products, services, or technologies mentioned in this content are no longer supported. See Unity Catalog attribute-based access control (ABAC).
This page provides information for ABAC Beta customers about the transition to Public Preview, and how to assess whether the change impacts your workloads.
What's changing?
As part of the Public Preview launch, ABAC will transition from a workspace-level preview to an account-level preview. This change affects how ABAC policies are enforced across your Unity Catalog metastore.
Current behavior (Beta)
- Workspace admins enable ABAC at the workspace level
- ABAC policies apply only in workspaces that have explicitly opted in to the Beta
- Catalogs can be accessed from non-Beta workspaces without ABAC policy enforcement
New behavior (Public Preview)
- The ABAC Public Preview is enabled at the account-level by default
- ABAC policies will be enforced across all workspaces attached to the metastore
- Any existing ABAC policies in your metastore will automatically apply to all connected workspaces
Sample code to assess impact
Use the following code snippet to identify which catalogs in your metastore are shared across multiple workspaces:
from databricks.sdk import WorkspaceClient
w = WorkspaceClient()
print(f"{'CATALOG':50} {'WORKSPACE_ACCESS'}")
print("-" * 90)
for catalog in w.catalogs.list():
isolation_mode = getattr(catalog, "isolation_mode", "UNKNOWN")
if isolation_mode.value == "OPEN":
bound_str = "ALL WORKSPACES"
else:
try:
bindings = w.workspace_bindings.get(name=catalog.name)
bound_workspaces = bindings.workspaces or []
if len(bound_workspaces) < 2:
continue
bound_str = ", ".join(str(ws) for ws in bound_workspaces)
except Exception as e:
bound_str = f"ERROR: {str(e)}"
print(f"{catalog.name:50} {bound_str}")
Understanding the output
The notebook output shows each catalog in your metastore along with its workspace access:
- ALL WORKSPACES: The catalog is accessible from every workspace attached to the metastore. Any ABAC policies on this catalog will apply globally after Public Preview begins.
- Specific workspace IDs: The catalog is shared across the listed workspaces. Those workspaces will start enforcing ABAC policies after Public Preview begins.
Example output:
CATALOG WORKSPACE_ACCESS
------------------------------------------------------------------------------------------
test_catalog ALL WORKSPACES
test_catalog_2 ALL WORKSPACES
test_catalog_3 123456789101112, 121110987654321
test_catalog_4 ALL WORKSPACES
Your options
Before October 30, 2025, you can choose one of the following actions:
Option 1: Do nothing
If you take no action, your account will automatically be included in the Public Preview. At that point, ABAC policies are enforced across all workspaces attached to the metastore.
Choose this option if you want consistent ABAC policy enforcement across all workspaces, and you've tested your ABAC policies across all affected workspaces.
Option 2: Opt out of Public Preview
You can opt out of ABAC at the account level to maintain the current workspace-level behavior.
Choose this option if you need more time to prepare for account-level enforcement. For example, you might have workloads that would be disrupted by account-level ABAC enforcement.
Note
Before Public Preview launches, opting out will not impact your current workspace-level Beta usage. After Public Preview launches, opting out means you lose all ABAC capabilities, even at the workspace-level.
How to opt out
To opt out of the Public Preview:
- Navigate to your account console.
- Click Previews.
- For Attribute Based Access Control - Opt out only, toggle the setting to Off.
You must complete the opt-out process before October 30, 2025.