Databricks Delta Sharing Adds ABAC

Databricks Delta Sharing now supports ABAC, enabling providers to share data without copies and recipients to apply fine-grained access controls.

Databricks is enhancing its Delta Sharing protocol to incorporate Attribute-Based Access Control (ABAC). This move aims to simplify and secure data sharing across organizational boundaries by allowing policies to be defined based on attributes like tags, rather than fixed user lists.

The update means data providers can share tables governed by existing ABAC policies without the need to generate separate, materialized copies for each recipient. This significantly reduces storage costs and management overhead. It’s a crucial step for organizations needing to share data quickly while maintaining robust security.

ABAC: Security Through Attributes

Attribute-Based Access Control (ABAC) operates by evaluating policies against attributes associated with resources, such as tags. For example, an ABAC policy could mask columns tagged as 'sensitive' or restrict access to rows pertaining to a specific 'sales' region.

With this update, providers can share ABAC-governed tables, with their own policies enforced on their side. Crucially, recipients can then apply their independent ABAC policies to this shared data, ensuring local data governance and compliance requirements are met.

Seamless Sharing, Granular Control

The process involves providers building shares of their data assets. Recipients, upon receiving the shared tables, can then apply their own ABAC policies. These policies, which can include row filtering and column masking, are now correctly enforced at query time on the recipient's end.

This ensures that each user only accesses the data they are authorized to see, based on attributes and tags applied within their own environment. This approach provides flexibility and control without compromising the provider's security posture or requiring data duplication.

Every action related to sharing and access is logged within Unity Catalog, providing an auditable trail for compliance and internal reviews. This level of traceability is essential for enterprise-grade data governance.
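The layering described above, as an added example that is not Databricks code and does not use any Databricks API: a plain Python model in which the provider's tag-driven policy is evaluated first and the recipient's own policy is evaluated on that result at query time. All names, tags, rows and the in-memory audit list (standing in for the Unity Catalog log) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

MASK = "***"

@dataclass(frozen=True)
class Policy:  # hypothetical structure, for illustration only
    name: str
    mask_tag: Optional[str] = None          # mask every column carrying this tag
    unmask_groups: frozenset = frozenset()  # groups that see those columns in clear
    row_filter: Optional[Callable[[dict, dict], bool]] = None  # (row, principal) -> keep?

def enforce(rows, column_tags, policy, principal):
    """Evaluate one tag-driven policy for one principal at query time."""
    may_unmask = bool(principal["groups"] & policy.unmask_groups)
    masked = set() if may_unmask else {
        col for col, tags in column_tags.items() if policy.mask_tag in tags}
    kept = [r for r in rows
            if policy.row_filter is None or policy.row_filter(r, principal)]
    return [{c: (MASK if c in masked else v) for c, v in r.items()} for r in kept]

def query_shared_table(user, audit):
    """Provider policy runs first; the recipient's policy only sees that result."""
    org = {"name": "recipient-org", "groups": frozenset()}
    shared = enforce(ROWS, PROVIDER_TAGS, PROVIDER_POLICY, org)
    audit.append(("provider", PROVIDER_POLICY.name, org["name"], len(shared)))
    visible = enforce(shared, RECIPIENT_TAGS, RECIPIENT_POLICY, user)
    audit.append(("recipient", RECIPIENT_POLICY.name, user["name"], len(visible)))
    return visible

# Constructed sample data (not from the article).
ROWS = [
    {"booking_id": 1, "region": "EMEA", "email": "a@example.com", "amount": 120},
    {"booking_id": 2, "region": "APAC", "email": "b@example.com", "amount": 80},
    {"booking_id": 3, "region": "EMEA", "email": "c@example.com", "amount": 45},
]
PROVIDER_TAGS = {"email": {"sensitive"}}    # tags set in the provider's environment
PROVIDER_POLICY = Policy("mask_sensitive", mask_tag="sensitive")
RECIPIENT_TAGS = {"amount": {"finance"}}    # tags set in the recipient's environment
RECIPIENT_POLICY = Policy(
    "regional_finance", mask_tag="finance", unmask_groups=frozenset({"finance"}),
    row_filter=lambda row, p: row["region"] == p["region"])

if __name__ == "__main__":
    log = []
    analyst = {"name": "ana", "region": "EMEA", "groups": frozenset({"analysts"})}
    for row in query_shared_table(analyst, log):
        print(row)
    print(log)
```

In this model a recipient policy can only narrow what the provider already released: membership in the recipient's `finance` group unmasks `amount`, but `email` stays masked because the provider masked it before the recipient's policy ever ran.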

Real-World Impact

Companies like global travel platform Yanolja are already seeing benefits. They've used ABAC Sharing to improve partner engagement and reduce friction in data sharing across multiple workspaces, ensuring data consistency and usability without sacrificing control.