I want to mount my ADLS2 storage into a Databricks workspace without sharing the data with every user in the workspace. We have multiple teams working on different clusters in the same workspace so we want to keep the data separate. I haven't been able to find any documentation on the topic.
Currently I am able to mount using a secret from an Azure Service Principal with permissions on the ADLS, but I suspect this will enable everyone to view it since it is already authenticated by the service principal. Can I enforce RBAC or ACLs on folders when accessing through the mount?
2 Answers
If you are using Unity Catalog, then instead of a mount use a Volume, which allows you to manage permissions at the volume level for users and groups. You won't be able to set permissions on specific folders, but it's easy to set up separate volumes for different teams.
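As an added example (not part of the answer above), the following Python builds the Unity Catalog statements for the per-team volume layout the answer describes: one external volume per team, with only that team's group granted access. The catalog, schema, volume, group and abfss location names are assumptions; `apply()` expects a Databricks `spark` session and is the only part that cannot run outside a workspace.

```python
"""Per-team Unity Catalog volumes in place of a shared DBFS mount.

Added example; not code from the original answer. All names (catalog
`prod`, schema `teams`, groups `team-a`/`team-b`, storage locations) are
placeholders chosen for illustration.
"""
from typing import Dict, List

READ = "READ VOLUME"
WRITE = "WRITE VOLUME"


def _q(name: str) -> str:
    """Backtick-quote an identifier or principal (group names often contain '-')."""
    return "`" + name.replace("`", "``") + "`"


def volume_grants(catalog: str, schema: str,
                  teams: Dict[str, Dict[str, object]]) -> List[str]:
    """Return the SQL that creates one external volume per team and grants
    only that team's group access to it.

    A volume grants nothing by default, so a group that is not listed here
    cannot read another team's data. Reaching a volume also requires USE on
    the parent catalog and schema, so those grants are emitted as well.

    teams maps volume name -> {"group": <UC group>,
                               "location": <abfss:// URL under an external location>,
                               "write": <bool, optional>}
    """
    stmts: List[str] = []
    for vol, spec in teams.items():
        fq = f"{_q(catalog)}.{_q(schema)}.{_q(vol)}"
        principal = _q(str(spec["group"]))
        stmts.append(
            f"CREATE EXTERNAL VOLUME IF NOT EXISTS {fq} LOCATION '{spec['location']}'"
        )
        stmts.append(f"GRANT USE CATALOG ON CATALOG {_q(catalog)} TO {principal}")
        stmts.append(
            f"GRANT USE SCHEMA ON SCHEMA {_q(catalog)}.{_q(schema)} TO {principal}"
        )
        stmts.append(f"GRANT {READ} ON VOLUME {fq} TO {principal}")
        if spec.get("write"):
            stmts.append(f"GRANT {WRITE} ON VOLUME {fq} TO {principal}")
    return stmts


def volume_path(catalog: str, schema: str, vol: str) -> str:
    """Filesystem path the team uses instead of /mnt/...; access is checked by UC."""
    return f"/Volumes/{catalog}/{schema}/{vol}"


def apply(spark, stmts: List[str]) -> None:
    """Run the statements in a Databricks notebook (needs the `spark` session)."""
    for s in stmts:
        spark.sql(s)


# Constructed sample: two teams, only team-a may write to its own volume.
TEAMS = {
    "team_a_vol": {"group": "team-a",
                   "location": "abfss://data@acct.dfs.core.windows.net/team-a",
                   "write": True},
    "team_b_vol": {"group": "team-b",
                   "location": "abfss://data@acct.dfs.core.windows.net/team-b"},
}
```

Each team then reads its data from `volume_path(...)` (for example `/Volumes/prod/teams/team_a_vol`), and a user who is not in the granted group gets a permission error from Unity Catalog rather than a shared, already-authenticated mount.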
If you don't have Unity Catalog, then you can't do that. DBFS doesn't have granular ACLs at the file/folder level. You can only grant SELECT/CREATE/MODIFY ON ANY FILE, which grants the permission globally. It's safer to make your users access ADLS directly using "abfss://" authenticated by a SAS scoped to a specific directory. Also, you can try the credential passthrough option at the cluster level.
But this requires a Premium Databricks workspace, the cluster should be Standard, and it will only allow a single user. Create the cluster in this workspace like below.
Here, the user must have the Can Attach To permission to run commands on the cluster. By using this, only the assigned user can run this cluster and access the data from ADLS.
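As an added example (not code from the answer above), the following Python shows the directory-scoped SAS approach from the first part of that answer: the session-level ABFS settings that attach a fixed SAS token to requests for one storage account, plus the checks a practitioner would run on a token before handing it to a team. The storage account `acct`, container `data`, directory `team-a` and the sample token (fake signature) are constructed placeholders; the three `fs.azure.*` keys are the ones Databricks documents for fixed SAS tokens and are assumed here to apply to your runtime.

```python
"""Directory-scoped SAS access to ADLS Gen2 instead of a shared mount.

Added example; not code from the original answer. Account, container,
directory and the SAS token below are constructed placeholders.
"""
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional
from urllib.parse import parse_qs, urlparse

# Constructed token: directory SAS (sr=d, depth sdd=1), read+list only,
# far-future expiry, fake signature. A real token comes from a secret scope.
SAMPLE_SAS = ("sv=2022-11-02&sr=d&sdd=1&sp=rl&st=2024-01-01T00:00:00Z"
              "&se=2099-01-01T00:00:00Z&spr=https&sig=FAKESIGNATURE")


def sas_spark_conf(account: str, sas_token: str) -> Dict[str, str]:
    """Session-level ABFS settings that send a fixed SAS with every request
    to this storage account. Requests outside the directory the token covers
    are rejected by storage with 403, which is what enforces the scope."""
    host = f"{account}.dfs.core.windows.net"
    return {
        f"fs.azure.account.auth.type.{host}": "SAS",
        f"fs.azure.sas.token.provider.type.{host}":
            "org.apache.hadoop.fs.azurebfs.sas.FixedSASTokenProvider",
        # The fixed token is configured without the leading '?'.
        f"fs.azure.sas.fixed.token.{host}": sas_token.lstrip("?"),
    }


def check_directory_sas(sas_token: str,
                        allowed: FrozenSet[str] = frozenset("rl"),
                        now: Optional[datetime] = None) -> Dict[str, str]:
    """Reject a token that is not directory-scoped, carries more permissions
    than the team should have, or has expired. Returns the parsed fields."""
    p = {k: v[0] for k, v in parse_qs(sas_token.lstrip("?")).items()}
    if p.get("sr") != "d" or "sdd" not in p:
        raise ValueError("not a directory SAS (need sr=d and sdd)")
    extra = set(p.get("sp", "")) - set(allowed)
    if extra:
        raise ValueError(f"over-privileged SAS permissions: {sorted(extra)}")
    if "se" not in p:
        raise ValueError("SAS has no expiry")
    expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError("SAS expired")
    return p


def in_scope(path: str, account: str, container: str, directory: str) -> bool:
    """True if an abfss:// path lies inside the delegated directory, so a
    notebook can fail fast instead of waiting for a 403 from storage."""
    u = urlparse(path)
    if u.scheme != "abfss" or u.netloc != f"{container}@{account}.dfs.core.windows.net":
        return False
    d = "/" + directory.strip("/") + "/"
    return (u.path.rstrip("/") + "/").startswith(d)


def configure(spark, account: str, sas_token: str) -> None:
    """Apply the settings in a Databricks notebook (needs the `spark` session)."""
    check_directory_sas(sas_token)
    for k, v in sas_spark_conf(account, sas_token).items():
        spark.conf.set(k, v)
```

Pull the token from a secret scope (`dbutils.secrets.get`) rather than pasting it into a notebook: it is a bearer credential, and anyone who can read the session configuration can reuse it until `se` passes, so keep expiries short and permissions to the minimum the team needs.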