Forward-looking Statement
This presentation has been prepared for informational purposes only. The information set forth herein
does not purport to be complete or contain all relevant information. Statements contained herein are
made as of the date of this presentation unless stated otherwise.
This presentation and the accompanying oral commentary may contain forward-looking statements. In
some cases, forward-looking statements can be identified by terms such as “may”, “will”, “should”,
“expects”, “plans”, “anticipates”, “could”, “intends”, “projects”, “believes”, “estimates”, “predicts”, or
“continue”, or the negative of these words or other similar terms or expressions that concern Databricks’
expectations, strategy, plans, or intentions.
Forward-looking statements are based on information available at the time those statements are made
and are inherently subject to risks and uncertainties that could cause actual results to differ materially
from those expressed in or suggested by the forward-looking statements.
Forward-looking statements should not be read as a guarantee of future performance or outcomes.
Except as required by law, Databricks does not undertake any obligation to publicly update or revise any
forward-looking statement, whether as a result of new information, future developments or otherwise.
Complete Your Surveys
Your feedback has a direct impact on Data + AI Summit content
• You will receive a survey for each
session attended
• Open the Databricks Events app
and select “My Surveys” from the
menu
• Surveys can also be submitted in
the Attendee Portal
Fine-Grained Access Control for Unstructured Data
With Volume Path Permissions
Adrian Ionescu, Databricks
Lianne Zelsman, Databricks
June 11, 2025
Access Control in Unity Catalog
Manage privileges to securable objects at each level of the data hierarchy:
Metastore
  Catalog
    Schema
      Table, View, Volume, Function (including models)
Granted access applies downward to object children.
Fine-Grained Access for Tabular Data
Mask and filter sensitive data
Table columns: Name, DOB, Email, SSN (two columns are labelled "Sensitive"; row label: "Under 18 years old")
Admin view: Name DOB Email SSN
  Jane Doe 04-02-2018 [email protected] 999-99-9999
User view: Name DOB Email SSN
Apply fine-grained permissions via:
- Native RLS/CM
- Dynamic Views
- ABAC
Volumes in Unity Catalog
Governance and management of non-tabular data
Non-tabular data:
• Image, audio, video
• Documents
• Sensor, scientific data
• Libraries & config files
• Proprietary file formats
• Raw data
File-based workloads:
• Data engineering & ingestion
• Data science & ML
• Data Sharing
• CI/CD
• Logging & checkpointing
Volume Access Management - Example
A single volume; Researchers can READ all files:
clinical_study_x
  /raw_data
  /phase1
    /trial_1A
      /dicoms
      /images
      /analysis
    /trial_1B
    ...
  /phase2
  /phase3
  /phase4
  /shared
Volume Access Management - Example
Three volumes; Researchers: WRITE, READ
raw_data
  /raw_data
    /patient_x
    /patient_y
trials
  /phase1
    /trial_1A
    /trial_1B
  /phase2
  /phase3
  /phase4
shared
  /shared
    /experiments
    /other
Volume Access Management - Example
Volumes (principals shown: Researcher Alice, Researcher Bob, Researchers):
raw_data
  /raw_data
    /patient_x
    /patient_y
shared
  /shared
    /experiments
    /other
phase1_trial1A, phase1_trial1B
phase2_trial2A, phase2_trial2B
phase3_trial3A, phase3_trial3B
phase4_trial4A, phase4_trial4B
What if… you didn’t need to create new volumes to
manage different use-cases or to adapt to
changing access requirements?
Introducing Volume Path Permissions
Fine-grained access control for your unstructured data
Control access at the directory or file level by assigning path-specific permissions.
Manage path permissions via Catalog Explorer… or programmatically with your solution of choice (SQL, APIs, etc).
Current state
  -- Grant READ/WRITE for entire volume
  GRANT READ VOLUME, WRITE VOLUME
  ON VOLUME <volume>
  TO <principals>;
With volume path permissions
  -- Grant READ/WRITE for individual file & directory paths
  GRANT READ VOLUME, WRITE VOLUME
  ON VOLUME <volume>
  TO <principals>
  WITH PATHS ('/foo/bar/1/', '/foo/bar/2');
Granular access control within a volume
clinical_study_x
  /raw_data
  /phase1
  /phase2
    /trial_2a
    /trial_2b
  /phase3
    /trial_3a
    /trial_3b
      /dicoms
      /images
      /analysis
  /phase4
  /shared
    /experiments
    /other
Alice
  GRANT READ VOLUME
  ON VOLUME clinical_study_x
  TO Alice
  WITH PATHS ('/phase2/', '/phase3/trial_3a/');
Bob
  GRANT WRITE VOLUME
  ON VOLUME clinical_study_x
  TO Bob
  WITH PATHS ('/phase3/trial_3b/images/');
All account users
  GRANT READ VOLUME
  ON VOLUME clinical_study_x
  TO `account users`
  WITH PATHS ('/shared/');
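An added example (not from the presentation and not Databricks code) that models how the three path grants on the slide above could be evaluated. It assumes a directory grant covers everything beneath it, that paths are normalized and compared by whole components, and that WRITE VOLUME does not imply READ VOLUME; the group membership and file names are constructed.

```python
import posixpath

# Grants from the slide: (principal, privilege, path inside clinical_study_x).
GRANTS = [
    ("Alice", "READ VOLUME", "/phase2/"),
    ("Alice", "READ VOLUME", "/phase3/trial_3a/"),
    ("Bob", "WRITE VOLUME", "/phase3/trial_3b/images/"),
    ("account users", "READ VOLUME", "/shared/"),
]
# Constructed group membership (assumption): both researchers are account users.
GROUPS = {"Alice": {"account users"}, "Bob": {"account users"}}


def canonical(path):
    """Resolve '.', '..' and repeated slashes so checks run on the real target."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute within the volume")
    # normpath keeps a leading '//' (POSIX rule), so re-anchor on a single '/'.
    return "/" + posixpath.normpath(path).lstrip("/")


def covers(granted, requested):
    """True if requested is the granted path or lies beneath it.

    Matching on whole components keeps '/phase3/trial_3a' from also
    matching a sibling such as '/phase3/trial_3a_backup'.
    """
    granted, requested = canonical(granted), canonical(requested)
    return (
        granted == "/"
        or requested == granted
        or requested.startswith(granted + "/")
    )


def is_allowed(principal, privilege, path):
    """Check a request against direct grants and grants to the caller's groups."""
    identities = {principal} | GROUPS.get(principal, set())
    return any(
        who in identities and priv == privilege and covers(granted, path)
        for who, priv, granted in GRANTS
    )
```
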
Demo
Want early access to volume path permissions?
Let us know you’re interested!
Targeting October 2025 for Private Preview of volume path permissions.
Sign-up here!
Recap & what comes next?
Expanding unstructured data governance capabilities in UC
We’re adding granular path-specific permissions within volumes, so you can
grant access at the file and folder level.
We’re also researching further governance improvements that build off of
volume path permissions:
• More scalable access management by supporting more dynamic
permissions or policies
• Improved data search & discovery with additional metadata capabilities
for files/directories, as well as a BROWSE privilege
Thank you!
Questions?
Continue your learning journey
Explore Databricks training and certifications to upskill yourself
Self Paced (hands-on labs available)
Join Databricks Academy and explore
courses to learn at your own pace
Instructor-led training
Find an instructor-led class for a guided,
hands-on experience
Certifications
Validate your learning by earning industry
recognized certifications