Attribute-Based Access Control (ABAC) in Unity Catalog
Who this is for:
Architecture / Concept Overview: Attribute-Based Access Control (ABAC) in Unity Catalog
ABAC shifts access decisions from "who has explicit grants on this table" to "who is authorised for data with this classification." Tags on data assets drive policy evaluation.
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
    classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    DATA[Data Assets<br/>Tables · Columns] -->|Tagged with| TAGS[Classification Tags<br/>pii · confidential · public]
    TAGS --> POLICY[ABAC Policy<br/>Tag-based rules]
    USER[User / Group] -->|Requests access| POLICY
    POLICY -->|Evaluate tags + identity| DECISION[Allow / Deny]
    DATA:::storage
    TAGS:::governance
    POLICY:::governance
    USER:::source
    DECISION:::serving
```
*Figure 1 — ABAC flow: data is tagged, policies evaluate tag values against the requester's identity, and access is allowed or denied.*
ABAC and RBAC work together in Unity Catalog — RBAC handles structural access (catalog/schema/table grants), while ABAC handles attribute-based policies (sensitivity classifications).
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
    classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
    ACCESS[Access Decision] --> RBAC[RBAC Layer<br/>GRANT SELECT ON table]
    ACCESS --> ABAC[ABAC Layer<br/>Tag-based policy evaluation]
    RBAC --> BOTH[Both must allow<br/>access for query to succeed]
    ABAC --> BOTH
    ACCESS:::governance
    RBAC:::processing
    ABAC:::processing
    BOTH:::serving
```
*Figure 2 — RBAC and ABAC operate as complementary layers; both must permit access for a query to succeed.*
Key Terms
Prerequisites and Setup
- Unity Catalog enabled (Enterprise tier for ABAC features)
- Account admin or metastore admin role for creating tags and policies
- Existing tables with identified sensitivity requirements
- Groups configured to represent access tiers (e.g., `pii-authorised`, `public-readers`)
Step-by-Step Implementation
Configuration Reference
| Feature | Scope | Description |
|---|---|---|
| Tag creation | Metastore | Define reusable tag keys |
| Tag assignment | Table/Column/Schema/Catalog | Apply key=value tags to any securable |
| Tag-based policy | Metastore | Rule binding tag values to access decisions |
| Policy exception | Group | Groups excluded from a tag-based restriction |
| Tag inheritance | Hierarchy | Tags on a schema apply to all child tables (if configured) |
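As an added example (not Databricks code and not part of the original page), the following Python models the decision flow of Figures 1 and 2 together with the policy exception and tag inheritance rows of the table above: tags merge down the catalog/schema/table hierarchy, each triggered tag policy must be satisfied unless the requester is in an exempt group, and the RBAC grant must also be present. The securable paths, tag keys, group names and data structures are constructed assumptions for illustration, not Unity Catalog's API.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from Unity Catalog): securables are "catalog.schema.table"
# paths; tags are key=value pairs assigned at schema or table scope.
TAGS = {
    "main.hr": {"classification": "confidential"},            # schema-level tag
    "main.hr.employees": {"pii": "true"},                     # table-level tag
    "main.marketing.campaigns": {"classification": "public"},
}
# RBAC layer: explicit SELECT grants, by group, per table.
GRANTS = {
    "main.hr.employees": {"analysts", "hr-admins"},
    "main.marketing.campaigns": {"analysts", "public-readers"},
}

@dataclass
class TagPolicy:
    tag_key: str
    tag_value: str
    allowed_groups: set                              # groups authorised for this tag value
    exceptions: set = field(default_factory=set)     # groups excluded from the restriction

POLICIES = [
    TagPolicy("pii", "true", {"pii-authorised"}, exceptions={"hr-admins"}),
    TagPolicy("classification", "confidential", {"confidential-readers"}),
]

def effective_tags(securable: str, tags: dict = TAGS) -> dict:
    """Tag inheritance: merge tags from catalog down to the securable; child values win."""
    parts = securable.split(".")
    merged: dict = {}
    for depth in range(1, len(parts) + 1):
        merged.update(tags.get(".".join(parts[:depth]), {}))
    return merged

def rbac_allows(groups: set, securable: str, grants: dict = GRANTS) -> bool:
    return bool(groups & grants.get(securable, set()))

def abac_allows(groups: set, securable: str, policies: list = POLICIES) -> bool:
    tags = effective_tags(securable)
    for policy in policies:
        if tags.get(policy.tag_key) != policy.tag_value:
            continue                      # policy not triggered by this securable's tags
        if groups & policy.exceptions:
            continue                      # requester is exempt from this restriction
        if not (groups & policy.allowed_groups):
            return False                  # tagged data, no matching authorisation
    return True

def decide(groups: set, securable: str) -> str:
    """Figure 2: RBAC and ABAC are complementary layers; both must allow."""
    both = rbac_allows(groups, securable) and abac_allows(groups, securable)
    return "Allow" if both else "Deny"
```

Note that `hr-admins` alone is still denied on `main.hr.employees`: the PII exception does not cover the `confidential` tag inherited from the schema, which is exactly the kind of interaction a tag inheritance review should surface.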