```sql
-- =============================================================================
-- AnomalyArmor Databricks Unity Catalog Permissions
-- =============================================================================
-- WHAT THIS GRANTS:
--   - USE CATALOG: Access catalog metadata
--   - USE SCHEMA:  Access schema metadata
--   - SELECT:      Read table data for freshness checks
--
-- WHAT THIS DOES NOT GRANT:
--   - CREATE: No table/schema/catalog creation
--   - MODIFY: No data modification
--   - MANAGE: No permission management
-- =============================================================================

-- Grant access to the catalog
GRANT USE CATALOG ON CATALOG your_catalog TO `anomalyarmor`;

-- Grant access to all schemas in the catalog
GRANT USE SCHEMA ON CATALOG your_catalog TO `anomalyarmor`;

-- Grant read access to all tables in the catalog
GRANT SELECT ON CATALOG your_catalog TO `anomalyarmor`;
```
```sql
-- Schema-level alternative: grant only the schemas AnomalyArmor needs to monitor

-- Grant catalog access (required)
GRANT USE CATALOG ON CATALOG your_catalog TO `anomalyarmor`;

-- Grant schema access per schema
GRANT USE SCHEMA ON SCHEMA your_catalog.raw TO `anomalyarmor`;
GRANT USE SCHEMA ON SCHEMA your_catalog.staging TO `anomalyarmor`;
GRANT USE SCHEMA ON SCHEMA your_catalog.marts TO `anomalyarmor`;

-- Grant read access per schema
GRANT SELECT ON SCHEMA your_catalog.raw TO `anomalyarmor`;
GRANT SELECT ON SCHEMA your_catalog.staging TO `anomalyarmor`;
GRANT SELECT ON SCHEMA your_catalog.marts TO `anomalyarmor`;
```
Service principals are more secure than personal access tokens:
Organization-owned, not tied to individual users
Persist regardless of employee changes
Can be managed centrally
Create service principal: Admin Console → Service Principals → Add Service Principal
Generate OAuth secret: Select the service principal → Secrets → Generate Secret
Copy the Client ID and Client Secret for AnomalyArmor
```sql
-- Grant permissions to the service principal (same read-only set as above)
GRANT USE CATALOG ON CATALOG your_catalog TO `anomalyarmor-monitoring`;
GRANT USE SCHEMA ON CATALOG your_catalog TO `anomalyarmor-monitoring`;
GRANT SELECT ON CATALOG your_catalog TO `anomalyarmor-monitoring`;
```
```sql
-- Run as the AnomalyArmor user/service principal

-- Test 1: Can list schemas
SHOW SCHEMAS IN CATALOG your_catalog;

-- Test 2: Can list tables
SHOW TABLES IN SCHEMA your_catalog.your_schema;

-- Test 3: Can query for freshness
SELECT MAX(event_timestamp) FROM your_catalog.your_schema.your_table;
```
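The tests above confirm the principal can read; the complementary check is that it cannot do more. The following is an added example, not AnomalyArmor's own code: it audits rows in the shape `SHOW GRANTS` returns (principal, action_type, object_type, object_key; an assumption about column names) and flags any privilege outside the read-only set this page grants, or any grant on another catalog, emitting matching REVOKE statements. The sample rows are constructed.

```python
from typing import Dict, List

# The only privileges this page grants to the monitoring principal.
ALLOWED_PRIVILEGES = {"USE CATALOG", "USE SCHEMA", "SELECT"}

# Constructed sample rows in the shape SHOW GRANTS returns (column names are an
# assumption). The MODIFY row and the other_catalog row are deliberate excess
# grants that the audit below should catch.
SAMPLE_GRANTS: List[Dict[str, str]] = [
    {"principal": "anomalyarmor", "action_type": "USE CATALOG",
     "object_type": "CATALOG", "object_key": "your_catalog"},
    {"principal": "anomalyarmor", "action_type": "USE SCHEMA",
     "object_type": "SCHEMA", "object_key": "your_catalog.raw"},
    {"principal": "anomalyarmor", "action_type": "SELECT",
     "object_type": "SCHEMA", "object_key": "your_catalog.raw"},
    {"principal": "anomalyarmor", "action_type": "MODIFY",
     "object_type": "SCHEMA", "object_key": "your_catalog.raw"},
    {"principal": "anomalyarmor", "action_type": "SELECT",
     "object_type": "CATALOG", "object_key": "other_catalog"},
    {"principal": "data_engineers", "action_type": "MODIFY",
     "object_type": "SCHEMA", "object_key": "your_catalog.raw"},
]

def in_catalog(object_key: str, catalog: str) -> bool:
    """True if the object is the catalog itself or lives inside it."""
    return object_key == catalog or object_key.startswith(catalog + ".")

def excess_grants(rows: List[Dict[str, str]], principal: str, catalog: str) -> List[Dict[str, str]]:
    """Rows for `principal` that go beyond read-only access to `catalog`:
    a privilege outside ALLOWED_PRIVILEGES, or any grant on another catalog."""
    return [
        row for row in rows
        if row["principal"] == principal
        and (row["action_type"].upper() not in ALLOWED_PRIVILEGES
             or not in_catalog(row["object_key"], catalog))
    ]

def revoke_statements(rows: List[Dict[str, str]]) -> List[str]:
    """REVOKE statements, in the same syntax the page uses, for the given rows."""
    return [
        f"REVOKE {r['action_type']} ON {r['object_type']} {r['object_key']} FROM `{r['principal']}`;"
        for r in rows
    ]

if __name__ == "__main__":
    for stmt in revoke_statements(excess_grants(SAMPLE_GRANTS, "anomalyarmor", "your_catalog")):
        print(stmt)
```

Feed it the real `SHOW GRANTS ON CATALOG your_catalog` output and review the generated REVOKEs before running them.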
```sql
-- Remove AnomalyArmor's access: revoke in the reverse order of the grants
REVOKE SELECT ON CATALOG your_catalog FROM `anomalyarmor`;
REVOKE USE SCHEMA ON CATALOG your_catalog FROM `anomalyarmor`;
REVOKE USE CATALOG ON CATALOG your_catalog FROM `anomalyarmor`;
```