
Introducing Cross-Engine ABAC

Define ABAC policies in Unity Catalog and ensure they are respected by any engine

by Alex Jiang, Alex Reid and Michelle Leon

  • Unity Catalog enforces attribute-based access controls (ABAC) on external engines. Define tag-based row filters and column masks once, and enforce them from any engine.
  • Centralized governance at the catalog layer means policies are enforced before data ever reaches the engine — no policy logic required in the engine itself.
  • Cross-engine ABAC is built on the Iceberg REST Catalog scan APIs, an open specification that any engine can adopt to delegate policy enforcement to the catalog.

In December, we shared our vision for completing the lakehouse: open storage, open access, and unified governance. We described a world where organizations could define fine-grained access policies once in Unity Catalog and have them enforced across every engine, on every table, for every user. Today, we’re extending that vision.

We're announcing the Beta of cross-engine ABAC, which enables enterprises to enforce attribute-based access controls (ABAC) on external engines using Iceberg REST Catalog APIs. With cross-engine ABAC, Unity Catalog becomes the first and only catalog to deliver cross-engine ABAC enforcement, allowing tag-based row filters and column masks to be enforced from any engine that integrates with the Iceberg REST Catalog scan APIs.

Why this matters

The open lakehouse Databricks pioneered made interoperability possible. Open table formats like Delta Lake and Apache Iceberg freed organizations from lock-in: any engine could read the same copy of the data without duplicating it or converting it into a different format. Governance, however, didn't follow. Row-level and column-level policies remained siloed inside individual engine runtimes.

This created a painful tradeoff for security teams: duplicate policies manually across every engine and hope they stay in sync, maintain separate table copies for different consumers, or grant broader access than intended and accept the risk.

Cross-engine ABAC eliminates that tradeoff.

What Cross-engine ABAC delivers

With this Beta, Unity Catalog enforces fine-grained access control policies on data read by external engines. This includes:

  • Row filters and column masks — the full expressiveness of Unity Catalog policies, including tag-based rules, conditional logic, and SQL UDFs
  • Multi-engine support — because policy enforcement runs through the Iceberg REST Catalog scan APIs, any Iceberg REST client that implements those scan APIs is supported. Cross-engine ABAC is open by design and not tied to a specific connector. Today, you can use Apache Spark via the Iceberg-Spark and Delta-Spark connectors. Additional engine integrations such as Starburst and DuckDB are coming soon.

Define ABAC policies once in Unity Catalog and ensure they are enforced everywhere — on Databricks or any engine that integrates with the Iceberg REST Catalog.

How it works

Cross-engine ABAC is built on the Iceberg REST Catalog scan APIs, an open specification that any engine can adopt to delegate policy enforcement to the catalog. With cross-engine ABAC, the catalog handles policy enforcement, and the engine handles the query. Organizations get fine-grained security without sacrificing flexibility for where their queries run.

When a user queries a table with fine-grained access control policies from an external engine:

  1. The engine sends a scan request to Unity Catalog via the Iceberg REST Catalog scan API
  2. Unity Catalog evaluates the user's entitlements and all applicable policies
  3. Unity Catalog returns a filtered scan plan scoped to the data the user is authorized to access
  4. The engine completes the query against the filtered files in the scan plan

Enforcement happens at the catalog layer, before data reaches the engine. The engine does not need to understand or implement any policy logic; it processes only the data it receives. This means cross-engine ABAC can work for any engine, even if it has no native governance runtime.
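The four-step flow above, modelled as runnable code. This is an added example, not Unity Catalog code and not the Iceberg REST Catalog scan API: the table, its column tags, the data files, the users, the two policies and the `plan_scan()` function are all constructed here to show the division of labour the post describes. The catalog side evaluates the caller's groups and attributes against tag-based policies and returns a plan containing only authorized, already-masked rows; the engine side contains no policy logic at all and simply consumes what it is given.

```python
"""Illustrative model of catalog-side ABAC enforcement for a scan request.

Constructed example: every table, policy and user below is made up for the
demonstration and none of it is Unity Catalog's implementation.
"""
from dataclasses import dataclass, field
import hashlib

# Constructed table metadata: each column carries a set of governance tags.
COLUMN_TAGS = {
    "order_id": set(),
    "customer_email": {"pii"},
    "region": set(),
    "amount": {"financial"},
}

# Constructed data files, one per region partition, with their rows inline.
DATA_FILES = {
    "orders/region=EU/part-0.parquet": [
        {"order_id": 1, "customer_email": "anna@example.eu", "region": "EU", "amount": 120.0},
        {"order_id": 2, "customer_email": "ben@example.eu", "region": "EU", "amount": 35.5},
    ],
    "orders/region=US/part-0.parquet": [
        {"order_id": 3, "customer_email": "cara@example.com", "region": "US", "amount": 980.0},
    ],
}


@dataclass
class User:
    name: str
    groups: set
    attributes: dict = field(default_factory=dict)


def mask_value(value):
    """Deterministic, non-reversible token that stands in for a PII value."""
    return "masked:" + hashlib.sha256(str(value).encode()).hexdigest()[:12]


def column_mask_policy(user, tags):
    """Tag-based column mask: pii-tagged columns are masked unless the user
    is in pii_readers. Returns the mask function to apply, or None."""
    if "pii" in tags and "pii_readers" not in user.groups:
        return mask_value
    return None


def row_filter_policy(user):
    """Tag/attribute-based row filter: global_analysts see every row; anyone
    else sees only rows whose region equals their own region attribute."""
    if "global_analysts" in user.groups:
        return lambda row: True
    home = user.attributes.get("region")  # missing attribute -> no rows
    return lambda row: row["region"] == home


def plan_scan(user, requested_columns):
    """Catalog side (steps 2 and 3): evaluate all applicable policies for the
    caller and return a scan plan scoped to the data they may see."""
    unknown = [c for c in requested_columns if c not in COLUMN_TAGS]
    if unknown:
        raise ValueError(f"unknown columns requested: {unknown}")
    keep_row = row_filter_policy(user)
    masks = {col: column_mask_policy(user, COLUMN_TAGS[col]) for col in requested_columns}
    plan = []
    for path, rows in DATA_FILES.items():
        authorized = []
        for row in rows:
            if not keep_row(row):
                continue
            projected = {}
            for col in requested_columns:
                fn = masks[col]
                projected[col] = fn(row[col]) if fn else row[col]
            authorized.append(projected)
        if authorized:  # files with no authorized rows are pruned from the plan
            plan.append({"file": path, "rows": authorized})
    return plan


def engine_query(user, columns):
    """Engine side (steps 1 and 4): request a plan, then read exactly what the
    plan contains. No policy is evaluated here."""
    rows = []
    for entry in plan_scan(user, columns):
        rows.extend(entry["rows"])
    return rows


if __name__ == "__main__":
    eu_analyst = User("eu_analyst", {"analysts"}, {"region": "EU"})
    auditor = User("auditor", {"global_analysts", "pii_readers"})
    for who in (eu_analyst, auditor):
        print(who.name, engine_query(who, ["order_id", "customer_email", "amount"]))
```

The model holds only as long as the engine can reach the data solely through the plan the catalog returns; an engine that already holds broad credentials to the underlying storage could read the unfiltered files directly, so the catalog is the enforcement point only when it is also the sole path to the files.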

Looking ahead

Cross-engine ABAC delivers unified governance today through centralized enforcement: the catalog evaluates policies and returns only the data the user is authorized to access. This is the best approach for “untrusted” engines that do not have a native governance runtime, and it works immediately with any engine that adopts the Iceberg REST Catalog scan APIs.

Centralized enforcement is one piece of the picture. The industry also needs a scalable approach for policy and metadata exchange – one where catalogs can share governance metadata so policies can be enforced natively in external engines.

We’re contributing to this conversation in the Apache Iceberg community with a proposal for catalogs to exchange labels, which carry governance and semantic context. With shared labels, engines across the lakehouse can act on the same governance and business context no matter where data is read.

Centralized enforcement and metadata exchange are complementary. Unity Catalog will support both as the data ecosystem evolves.

Get started

Cross-engine ABAC is now available in Beta. To try it:

  1. Enable the preview: Enroll in "Cross-engine ABAC" in the Databricks preview portal (see Manage Databricks previews)
  2. Define your ABAC policies: Create tag-based row filters and column masks on your Unity Catalog tables (see ABAC documentation)
  3. Query from an external engine: Connect Apache Spark via the Iceberg-Spark or Delta-Spark connector and confirm that policies are enforced on read

Full setup instructions and configuration details are available in the cross-engine ABAC documentation.

New to Unity Catalog? Follow the getting started guides for AWS, Azure, or GCP.

Join us at Data and AI Summit 2026

Data and AI Summit 2026 is almost here! Join us June 15-18, 2026 at the Moscone Center in San Francisco, California to learn how leading organizations are using Unity Catalog to govern data and AI across engines. Register today to get a first look at what’s coming next for open, unified governance.
