Supporting Fine-Grained Access Control with Server-Side Scan Planning

Overview
| Experience | In Person |
|---|---|
| Track | Governance & Security |
| Industry | Enterprise Technology |
| Technologies | Unity Catalog |
| Skill Level | Intermediate |
Open table formats such as Iceberg allow organizations to run multiple engines on shared data, but this openness makes governance difficult. Unity Catalog (UC) already supports universal table-level access control for external engines like Starburst via credential vending, but that alone cannot support fine-grained policies like column masking or row filtering. UC’s move to server-side scan planning, built on Iceberg REST Catalog Scan APIs, allows enforcement of fine-grained access control in Starburst: policies are defined and applied server-side, and Starburst uses the filtered scan plan from UC to respect them, with no bespoke policy logic. Starburst and Databricks share how they collaborated to bring fine-grained access control to Starburst on UC-managed Iceberg tables.
Session Speakers
Alex Jiang, Product Manager, Databricks
Jack Fitzpatrick, Senior Software Engineer, Starburst Data