
How to scale data governance with Attribute-Based Access Control in Unity Catalog


Published: November 13, 2025


Summary

• Attribute-Based Access Control (ABAC) on Unity Catalog makes it easy to enforce least-privilege access at scale and protect sensitive data while still enabling broad data use across the organization.
• Catalog-level policies in Unity Catalog cascade down to schemas and tables, eliminating the need for one-off permissions and reducing administrative overhead.
• Admins can define tag-driven rules once and automatically apply row and column security controls, ensuring consistent, scalable access control.

As organizations democratize access to data to accelerate analytics and AI, maintaining control at scale becomes increasingly complex. Traditional fine-grained access controls (FGAC), such as row- and column-level security, provide precision but are usually applied directly at the object level, which results in duplicated rules and inconsistent management as data estates expand.

Attribute-Based Access Control (ABAC) addresses this challenge by enabling governance teams to define tag-driven policies at the catalog or schema level, where they’re automatically inherited by all current and future tables and views. This approach ensures consistent protection and least-privilege access while eliminating repetitive, asset-by-asset rules.

ABAC on Unity Catalog pairs Governed Tags and Data Classification with row- and column-level security policies, allowing data teams to automatically mask or restrict sensitive fields (such as PII) while keeping the rest of the dataset accessible for analysis, thereby enabling secure, scalable data democratization.

In this blog, we’ll walk through how ABAC works in Unity Catalog, how it integrates with tagging and classification, and what’s included in the Public Preview.

What is Attribute-Based Access Control in Unity Catalog?

ABAC is a security model in which access decisions are conditional and based on attributes of securable objects in Unity Catalog, such as catalogs, schemas, tables, and views. These attributes can be defined in accordance with an organization’s data classification standards, applied to resources, and then leveraged in ABAC policies. Policies can be inherited down from catalogs and schemas to tables and columns, providing high-leverage governance across all assets.

Unity Catalog’s ABAC Public Preview currently supports:

  • Column Masks: Automatically redact sensitive values based on attributes. Example: Mask any column tagged ‘sensitive’ to ‘*****’
  • Row Filters: Control which table rows are visible to specific groups and users. Example: Filter any tables tagged ‘sales’ to make sure that sales teams can only see the rows pertaining to their region

Benefits of ABAC: 

  • Scale governance: Define policies once at the catalog or schema level and apply them everywhere through inheritance, which includes future tables and views that don’t exist yet
  • Simplify access policies: Avoid table-by-table permissions and eliminate complex view-based workarounds.
  • Set guardrails: Governance admins can author centralized policies that ensure consistent enforcement and cannot be overridden by lower-level admins.
  • Protect sensitive data automatically: Combine with Data Classification to auto-tag and protect sensitive fields without manual effort as new datasets and columns are created.

“Databricks ABAC with column masking unblocked a major workflow for us by enabling dynamic masking of sensitive datasets at scale. The centralized hierarchical policy design, with governed tags, brings simplicity and flexibility to policy management and enforcement. With a broader adoption coming up, we are optimistic about it to help us achieve a comprehensive and scalable governance story on access control and data protection.” — Nan Wu, Grammarly

How ABAC works

ABAC policies leverage Governed Tags and Data Classification for automation. Governed Tags are standardized, account-level tags that allow governance teams to define the tag’s allowed values and which users are permitted to assign them. Data Classification takes this idea even further by automatically identifying and labeling sensitive columns and tables, giving ABAC a foundation to enforce row- and column-level access policies.

Together, these capabilities let admins define rules once and apply them across catalogs, schemas, tables, and downstream assets. Inheritance ensures consistent enforcement without repetitive manual effort. For example, once Data Classification tags sensitive columns like email_address or phone_number, an ABAC policy can automatically mask those fields for all users except authorized teams.
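As an added example (not code from the original post, and not an excerpt of the Databricks documentation), here is what the column-mask and row-filter capabilities listed under the Public Preview, and the tag-driven workflow described above, look like in Databricks SQL: a masking UDF and a row-filter UDF, tags on one table, and a single column-mask policy at catalog level plus a single row-filter policy at schema level that inherit down to every current and future table. The catalog, schema, table, group and tag names are assumptions, the governed tag keys are assumed to already be defined at the account level, and the `CREATE POLICY` clause order follows the ABAC documentation as understood here; check it against the current documentation for your cloud before running.

```sql
-- Added example, not the post's own code. Assumed names: catalog `main`,
-- schemas `main.governance` and `main.sales`, table `main.sales.orders`,
-- groups `pii_readers`, `sales_leadership` and `sales_<region>`, and
-- governed tag keys `sensitive`, `sales` and `region` (assumed to exist).

-- 1. Masking and filtering logic lives in UDFs that the policies reference.
--    Exemptions are expressed in the policy itself (EXCEPT), so the mask
--    can stay unconditional instead of checking group membership inline.
CREATE OR REPLACE FUNCTION main.governance.mask_string(value STRING)
RETURNS STRING
RETURN '*****';

-- Row filter: a row is visible only if the caller belongs to the account
-- group for that row's region, e.g. region 'EMEA' -> group `sales_emea`.
CREATE OR REPLACE FUNCTION main.governance.region_filter(region STRING)
RETURNS BOOLEAN
RETURN is_account_group_member(concat('sales_', lower(region)));

-- 2. Tag the data. In practice Data Classification applies the `sensitive`
--    tag automatically; the manual form is shown so the example is complete.
ALTER TABLE main.sales.orders SET TAGS ('sales' = 'true');
ALTER TABLE main.sales.orders ALTER COLUMN email  SET TAGS ('sensitive' = 'pii');
ALTER TABLE main.sales.orders ALTER COLUMN region SET TAGS ('region' = 'true');

-- 3. Column-mask policy at CATALOG level: every current and future column
--    tagged `sensitive` anywhere under `main` is masked for all users except
--    `pii_readers`. Nothing is granted table by table, and a schema or table
--    owner below the catalog cannot override it.
CREATE OR REPLACE POLICY mask_sensitive_columns
ON CATALOG main
COMMENT 'Mask columns tagged sensitive for everyone except pii_readers'
COLUMN MASK main.governance.mask_string
TO `account users`
EXCEPT `pii_readers`
FOR TABLES
MATCH COLUMNS hasTag('sensitive') AS sensitive_col
ON COLUMN sensitive_col;

-- 4. Row-filter policy at SCHEMA level: only tables tagged `sales` are
--    affected, and the filter UDF is fed whichever column carries the
--    `region` tag, so it does not depend on a fixed column name.
CREATE OR REPLACE POLICY filter_sales_by_region
ON SCHEMA main.sales
COMMENT 'Sales users only see rows for their own region'
ROW FILTER main.governance.region_filter
TO `account users`
EXCEPT `sales_leadership`
FOR TABLES
WHEN hasTag('sales')
MATCH COLUMNS hasTag('region') AS region_col
USING COLUMNS (region_col);

-- 5. Check: run as a member of `sales_emea` who is not in `pii_readers`.
--    Expected: only EMEA rows, with `email` rendered as '*****'.
SELECT order_id, region, email FROM main.sales.orders;
```

Two points worth checking after deployment: first, query the table as a member of `pii_readers` and as a plain `account users` member to confirm the EXCEPT list behaves as intended, since a mistake there silently exposes the raw column; second, the mask UDF's parameter type must be compatible with every column the tag can land on, so if `sensitive` may be applied to non-string columns, add masks for those types (or a reusable UDF as the Public Preview notes allow) rather than relying on the string version alone.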

By combining Governed Tags, Data Classification, and ABAC, data teams gain a continuous workflow: auto-classify sensitive data → apply account-level tags → enforce policies automatically at scale. Check out our demo to see this in action! 

Finally, as part of the ABAC Public Preview, we are also adding:

  • Delta Sharing support: Data providers can share data assets with ABAC policies when the share owner is excluded from the policy, and recipients can create new ABAC policies on shared data as needed.
  • AI-powered policy creation: Describe how data should be masked in natural language, and the Databricks Assistant automatically converts it into a performant SQL function.
  • Support for materialized views, streaming tables, and foreign tables: ABAC policies now apply consistently across a wider range of table types, including real-time and externally managed data assets.
  • Support for reusable UDFs across data types: You can reuse masking logic across different column types with shared UDFs, simplifying policy authoring and reducing maintenance effort.
  • Compatibility with shallow clone and time travel: Policies persist across clones and historical table versions, ensuring consistent protection even during development, testing, and debugging workflows.

Get started 

ABAC is now available in Public Preview on AWS, Azure Databricks, and GCP for row filter and column masking policies. Check out the ABAC documentation for details. Governed Tags and Data Classification are also available in Public Preview. 

To get started with Unity Catalog, follow the Unity Catalog guides available for AWS, Azure, and GCP.
