Databricks Interview Series

Below is a detailed response to your questions about Unity Catalog in Databricks, organized by the sections you provided. Each answer includes explanations, examples, and practical insights where applicable, aiming to provide a comprehensive understanding suitable for both foundational and advanced scenarios.

—

### Basic Understanding

#### 1. What is Unity Catalog in Databricks?

Unity Catalog is a unified governance solution in Databricks that provides centralized metadata management, access control, auditing, lineage tracking, and data discovery for data and AI assets across Databricks workspaces and cloud platforms. It governs structured and unstructured data, tables, machine learning models, notebooks, dashboards, and files, ensuring compliance and secure collaboration in a lakehouse architecture.

– **Key Features**:
– Centralized governance for all data assets.
– Fine-grained access control at catalog, schema, table, row, and column levels.
– Automated data lineage and audit logging.
– Support for Delta Sharing for secure data sharing.
– Multi-cloud and cross-platform compatibility (AWS, Azure, GCP).

– **Example**: An organization uses Unity Catalog to manage access to sensitive customer data, ensuring only authorized data analysts can query specific tables while maintaining audit logs for compliance.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/)%5B%5D(https://www.chaosgenius.io/blog/databricks-unity-catalog/)

#### 2. Why was Unity Catalog introduced?

Unity Catalog was introduced to address the limitations of traditional Databricks governance models, such as the Hive Metastore, and to provide a robust solution for modern data lakehouse architectures. Key reasons include:

– **Centralized Governance**: Unlike the Hive Metastore, which operates at the workspace level, Unity Catalog centralizes governance across multiple workspaces, reducing administrative overhead.
– **Fine-Grained Access Control**: It supports row-level, column-level, and attribute-based access controls, critical for compliance with regulations like GDPR, HIPAA, and CCPA.
– **Multi-Cloud Support**: It enables consistent governance across AWS, Azure, and GCP, addressing the needs of hybrid and multi-cloud environments.
– **Data Sharing and Collaboration**: Integration with Delta Sharing allows secure, real-time data sharing without duplication, supporting cross-organization collaboration.
– **Scalability and Performance**: It provides a scalable metadata layer optimized for large data volumes and high user concurrency.

– **Example**: A company with data spread across multiple clouds needed a single governance layer to enforce policies consistently. Unity Catalog replaced fragmented workspace-level controls with a unified model.

**Source**:,,[](https://www.credencys.com/blog/databricks-unity-catalog-explained/)%5B%5D(https://www.chaosgenius.io/blog/databricks-unity-catalog/)%5B%5D(https://www.secoda.co/learn/what-is-databricks-unity-catalog)

#### 3. How does Unity Catalog differ from Hive Metastore?

Unity Catalog and Hive Metastore differ significantly in architecture, governance capabilities, and scalability:

| **Feature**                     | **Unity Catalog**                                                                 | **Hive Metastore**                                                              |
|———————————|———————————————————————————-|——————————————————————————–|
| **Scope**                       | Account-level, centralized across workspaces                                      | Workspace-level, siloed per workspace                                           |
| **Governance**                  | Fine-grained (catalog, schema, table, row, column) with ABAC support              | Coarse-grained (table-level ACLs)                                               |
| **Data Lineage**                | Automated, column-level lineage tracking                                         | Limited or no lineage tracking                                                  |
| **Audit Logging**               | Built-in, user-level audit logs via system tables                                | Limited auditing, requires external tools                                      |
| **Data Sharing**                | Supports Delta Sharing for secure, real-time sharing                             | No native sharing mechanism                                                    |
| **Multi-Cloud Support**         | Native support for AWS, Azure, GCP                                               | Limited to workspace’s cloud environment                                        |
| **Metadata Management**         | Unified metastore for all data assets (tables, files, ML models)                 | Primarily for tables and views                                                 |
| **Performance**                 | Optimized for low-latency metadata queries and large-scale data                  | Can be slower for large datasets                                               |
| **Security**                    | Standards-compliant (ANSI SQL), identity federation                              | Non-restrictive by default, requires careful configuration                      |

– **Migration**: Databricks recommends migrating from Hive Metastore to Unity Catalog for superior governance. Tools like UCX (Databricks Labs) assist in this process.

– **Example**: A team using Hive Metastore struggled with inconsistent permissions across workspaces. Switching to Unity Catalog centralized access control and added lineage tracking.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/)%5B%5D(https://www.chaosgenius.io/blog/databricks-unity-catalog/)

#### 4. What are the main components of Unity Catalog?

Unity Catalog organizes data assets in a hierarchical structure with the following components:

– **Metastore**: The top-level container for metadata, serving as the centralized repository for all data assets in a region. Each metastore is linked to a cloud storage location (e.g., S3, ADLS Gen2) and shared across workspaces.
– **Catalog**: The first layer under the metastore, used to organize data assets by business unit, environment (e.g., dev, prod), or domain. Catalogs can have specific storage locations and access policies.
– **Schema (Database)**: The second layer, organizing tables, views, and volumes within a catalog. Schemas define permissions and logical groupings of assets.
– **Table**: The core data asset, stored in Delta Lake, Iceberg, or other formats. Tables can be managed (lifecycle controlled by Unity Catalog) or external (stored in external cloud storage).
– **Volume**: A non-tabular storage object for unstructured data (e.g., images, PDFs), governed by Unity Catalog.
– **View**: Virtual tables derived from SQL queries, supporting governance and access control.

– **Example**: A metastore named `company_metastore` contains a catalog `sales`, which has a schema `orders` with a table `customer_orders` and a volume for sales reports.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://celerdata.com/glossary/unity-catalog)%5B%5D(https://www.gspann.com/resources/blogs/databricks-unity-catalog-a-practitioners-guide-to-secure-scalable-data-governance/)

—

### Architecture & Access Control

#### 5. Explain the hierarchical structure of Unity Catalog (Metastore > Catalog > Schema > Table).

Unity Catalog uses a three-level namespace to organize and govern data assets:

1. **Metastore**:
   – The highest level, acting as the central metadata repository for a region.
   – Links to a default cloud storage location (e.g., `s3://company-data`) for managed tables and logs.
   – Shared across multiple workspaces, ensuring consistent governance.
   – Example: `company_metastore` for all workspaces in AWS us-west-2.

2. **Catalog**:
   – Organizes data assets under the metastore, often by business unit, project, or environment (e.g., `prod`, `dev`, `finance`).
   – Can override metastore storage with a specific location (e.g., `s3://finance-prod`).
   – Example: `finance_catalog` for financial data.

3. **Schema (Database)**:
   – Groups related tables, views, and volumes within a catalog.
   – Defines permissions and organizes assets logically.
   – Example: `transactions` schema under `finance_catalog`.

4. **Table/Volume/View**:
   – Tables store structured data (e.g., `customer_transactions` in Delta format).
   – Volumes store unstructured data (e.g., financial reports in PDFs).
   – Views are virtual tables for queries (e.g., `active_customers` view).
   – Example: `customer_transactions` table in `transactions` schema.

– **Namespace Example**: `company_metastore.finance_catalog.transactions.customer_transactions`.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices)%5B%5D(https://www.gspann.com/resources/blogs/databricks-unity-catalog-a-practitioners-guide-to-secure-scalable-data-governance/)

#### 6. How does Unity Catalog handle data access control?

Unity Catalog provides a centralized, fine-grained access control model using ANSI SQL standards and identity federation:

– **Permission Model**:
– Permissions are defined at the metastore, catalog, schema, table, row, or column level.
– Supports `GRANT` and `REVOKE` SQL commands for managing access.
– Uses roles, groups, users, or service principals for access assignment.

– **Access Control Types**:
– **Table-Level**: Grant `SELECT`, `MODIFY`, `CREATE`, etc., on tables.
– **Row-Level Security (RLS)**: Restrict rows based on user attributes or conditions.
– **Column-Level Security**: Mask or restrict access to specific columns.
– **Attribute-Based Access Control (ABAC)**: Use metadata tags (e.g., `PII`) to control access.

– **Identity Federation**:
– Integrates with identity providers (e.g., Azure AD, Okta) for unified user management.
– Synchronizes groups and users via SCIM for seamless access control.

– **Example**:
“`sql
GRANT SELECT ON TABLE finance_catalog.transactions.customer_transactions TO analysts_group;
GRANT MODIFY ON SCHEMA finance_catalog.transactions TO data_engineers_group;
“`

– **UI Support**: Permissions can also be managed via the Databricks Catalog Explorer.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://www.advancinganalytics.co.uk/blog/2024/2/5/guide-to-databricks-unity-catalog)%5B%5D(https://www.secoda.co/learn/what-is-databricks-unity-catalog)

#### 7. What are the differences between Unity Catalog’s permission model and traditional ACLs in Hive?

| **Aspect**                      | **Unity Catalog Permission Model**                                      | **Hive Metastore ACLs**                                              |
|———————————|————————————————————————|———————————————————————-|
| **Scope**                       | Centralized, account-level across workspaces                           | Workspace-level, siloed per metastore                                 |
| **Granularity**                 | Fine-grained (catalog, schema, table, row, column, ABAC)               | Coarse-grained (table-level, limited column support)                  |
| **Syntax**                      | ANSI SQL (`GRANT`, `REVOKE`)                                           | Custom ACL syntax, less standardized                                  |
| **Identity Management**         | Identity federation (Azure AD, SCIM)                                   | Workspace-local users and groups                                     |
| **Auditability**                | Built-in audit logs via system tables                                  | Limited, requires external logging                                   |
| **Scalability**                 | Scales for multi-cloud, large datasets                                 | Limited scalability for complex environments                         |
| **Security Model**              | Secure by default, standards-compliant                                 | Non-restrictive by default, requires explicit configuration           |

– **Example**:
– **Unity Catalog**: `GRANT SELECT ON COLUMN customer_transactions.ssn TO managers_group;` (column-level).
– **Hive**: Limited to `GRANT SELECT ON TABLE customer_transactions TO user;` (table-level).

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://www.chaosgenius.io/blog/databricks-unity-catalog/)%5B%5D(https://nl.devoteam.com/expert-view/discover-the-power-of-databricks-unity-catalog-simplifying-data-governance/)

#### 8. What are the benefits of using Unity Catalog for fine-grained access control?

– **Granular Permissions**:
– Control access at row, column, or attribute levels, ensuring only authorized users see sensitive data (e.g., PII).
– Example: Mask `ssn` column for analysts but allow managers full access.

– **Compliance**:
– Meets regulatory requirements (GDPR, HIPAA) by restricting data access and logging all actions.
– Example: Audit logs show who accessed customer data for compliance audits.

– **Centralized Management**:
– Define policies once, apply across all workspaces, reducing administrative overhead.
– Example: A single policy restricts `finance_catalog` to the finance team across clouds.

– **Dynamic Policies**:
– Use ABAC to apply policies based on data tags or user attributes, adapting to changing needs.
– Example: Tag data as `confidential` and restrict access to `executive_group`.

– **Improved Security**:
– Secure by default, preventing unauthorized access compared to Hive’s open model.
– Example: Row-level filters ensure analysts only see data for their region.

**Source**:,,[](https://hexaware.com/blogs/comprehensive-guide-to-databricks-unity-catalog-features-setup-and-best-practices/)%5B%5D(https://procogia.com/databricks-unity-catalog/)%5B%5D(https://www.secoda.co/learn/what-is-databricks-unity-catalog)

—

### Security & Governance

#### 9. How does Unity Catalog help in achieving data governance and compliance?

Unity Catalog enhances data governance and compliance through:

– **Centralized Access Control**:
– Manages permissions across all workspaces, ensuring consistent policy enforcement.
– Example: A single policy restricts `customer_data` to compliance officers.

– **Audit Logging**:
– Captures user-level audit logs for all actions (e.g., data access, permission changes) via system tables.
– Example: Query `system.access.audit` to review who accessed sensitive data.

– **Data Lineage**:
– Tracks data flow from source to consumption, aiding in compliance audits and impact analysis.
– Example: Trace how `sales_data` was transformed for a regulatory report.

– **Fine-Grained Security**:
– Row-level, column-level, and ABAC ensure precise control over sensitive data.
– Example: Mask `credit_card` column for non-authorized users.

– **Regulatory Compliance**:
– Supports GDPR, HIPAA, CCPA with automated lineage, audit trails, and data masking.
– Example: Document data flows for GDPR compliance using lineage graphs.

– **Data Discovery**:
– Searchable metadata with access control ensures users only find authorized data.
– Example: Analysts search for `sales` tables but only see those they have access to.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/)%5B%5D(https://atlan.com/databricks-unity-catalog/)%5B%5D(https://www.secoda.co/learn/what-is-databricks-unity-catalog)

#### 10. What is attribute-based access control (ABAC) and how is it used in Unity Catalog?

– **Definition**: ABAC is a security model that grants access based on attributes (e.g., tags, user roles, data sensitivity) rather than static roles or groups. It uses metadata to dynamically enforce policies.

– **Usage in Unity Catalog**:
– Unity Catalog supports ABAC by allowing administrators to tag data assets (e.g., `PII`, `confidential`) and define policies based on these tags.
– Policies can combine user attributes (e.g., department, role) with data attributes for flexible access control.
– Example: A policy grants `SELECT` on tables tagged `public` to all users but restricts `sensitive` tables to `compliance_group`.

– **Syntax Example**:
“`sql
— Tag a table
ALTER TABLE finance_catalog.transactions.customer_data SET TAGS (‘sensitivity’ = ‘PII’);
— Grant access based on tag
GRANT SELECT ON ANY TABLE WITH TAG (‘sensitivity’ = ‘public’) TO analysts_group;
“`

– **Benefits**:
– Scales access control for large datasets.
– Adapts to dynamic environments (e.g., new data classifications).
– Simplifies policy management for compliance.

**Source**:,[](https://www.advancinganalytics.co.uk/blog/2024/2/5/guide-to-databricks-unity-catalog)%5B%5D(https://lakefs.io/blog/unity-catalog-guide-streamline-data-assets/)

#### 11. Can you audit or monitor data access in Unity Catalog? How?

Yes, Unity Catalog provides robust auditing and monitoring capabilities:

– **Audit Logs**:
– Automatically captures user-level actions (e.g., data access, permission changes, table creation) in system tables.
– Accessible via `system.access.audit` table.
– Example Query:
    “`sql
    SELECT user_identity, action_name, request_params
    FROM system.access.audit
    WHERE action_name = ‘select’
    AND request_params.table = ‘customer_transactions’;
    “`

– **Monitoring Tools**:
– Integrate audit logs with external SIEM tools (e.g., Splunk) for real-time monitoring.
– Configure alerts for suspicious activities (e.g., excessive `SELECT` operations).

– **Lineage Tracking**:
– Monitors data transformations and access patterns, aiding in troubleshooting and compliance.
– Example: Visualize lineage to see who accessed `sales_data` in a dashboard.

– **Best Practices**:
– Regularly review audit logs for anomalies.
– Deliver logs to a centralized security monitoring solution.
– Monitor create/alter/delete operations for governance.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://www.chaosgenius.io/blog/databricks-unity-catalog/)%5B%5D(https://www.gspann.com/resources/blogs/databricks-unity-catalog-a-practitioners-guide-to-secure-scalable-data-governance/)

—

### Integration & Features

#### 12. How does Unity Catalog integrate with Lakehouse architecture?

Unity Catalog is a core component of the Databricks Lakehouse architecture, unifying data management, analytics, and AI:

– **Unified Governance**:
– Governs all lakehouse assets (tables, files, ML models, notebooks) in a single metastore.
– Example: Manage Delta tables and ML models under one `data_science_catalog`.

– **Delta Lake Integration**:
– Supports Delta Lake for managed tables, ensuring ACID transactions and governance.
– Example: `customer_transactions` table in Delta format benefits from versioning and governance.

– **Lakehouse Federation**:
– Enables querying external databases (e.g., MySQL, Snowflake) via foreign catalogs, governed by Unity Catalog.
– Example: Create a foreign catalog to query a PostgreSQL database with Unity Catalog permissions.

– **AI and ML Support**:
– Governs ML models and features in the Model Registry and Feature Store.
– Example: Restrict access to a fraud detection model to the data science team.

– **BI Tool Integration**:
– Connects with Tableau, Power BI, and Looker, enforcing governance policies.
– Example: Analysts query governed `sales_data` in Power BI without switching tools.

**Source**:,,[](https://docs.databricks.com/aws/en/data-governance/unity-catalog/)%5B%5D(https://www.databricks.com/blog/whats-new-unity-catalog-data-and-ai-summit-2023)%5B%5D(https://lakefs.io/blog/unity-catalog-guide-streamline-data-assets/)

#### 13. Does Unity Catalog support external tables and data lakes?

Yes, Unity Catalog supports external tables and data lakes:

– **External Tables**:
– Stored in external cloud storage (e.g., S3, ADLS Gen2, GCS) and registered in Unity Catalog.
– Supports formats like Delta, Parquet, Avro, CSV, etc.
– Governed by Unity Catalog’s access controls but lifecycle managed externally.
– Example:
    “`sql
    CREATE EXTERNAL TABLE finance_catalog.transactions.ext_sales
    USING DELTA
    LOCATION ‘s3://external-bucket/sales-data’;
    “`

– **Data Lakes**:
– Unity Catalog governs data lakes via external locations, which are cloud storage paths with associated credentials.
– Example: Define an external location `s3://company-data-lake` with a storage credential for secure access.

– **Benefits**:
– Access existing data without copying.
– Apply governance to external data sources.
– Support for multi-cloud data lakes.

**Source**:,,[](https://rajanieshkaushikk.com/2023/12/10/unity-catalog-unlocking-powerful-advanced-data-control-in-databricks/)%5B%5D(https://celerdata.com/glossary/unity-catalog)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices)

#### 14. How does Unity Catalog support Delta Sharing and what are its use cases?

– **Delta Sharing Overview**:
– Delta Sharing is an open protocol for secure, real-time data sharing without duplication, integrated with Unity Catalog.
– Unity Catalog manages and audits sharing behavior, ensuring governance.

– **Implementation**:
– **Shares**: Create a share to bundle data assets (e.g., tables, views).
    “`sql
    CREATE SHARE sales_share;
    ALTER SHARE sales_share ADD TABLE finance_catalog.transactions.sales_data;
    “`
– **Recipients**: Grant access to recipients (internal or external users).
    “`sql
    GRANT SELECT ON SHARE sales_share TO recipient@company.com;
    “`
– **Access**: Recipients access shared data via Databricks, Python, or other platforms supporting Delta Sharing.

– **Use Cases**:
– **Cross-Organization Sharing**: Share market data with partners without copying.
– **Internal Collaboration**: Share `sales_data` between marketing and finance teams.
– **Marketplace**: Publish data products on Databricks Marketplace.
– **Analytics**: Enable BI tools (e.g., Tableau) to query shared data.

– **Example**: A retailer shares `inventory_data` with suppliers via Delta Sharing, with Unity Catalog enforcing access controls.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/best-practices)%5B%5D(https://procogia.com/databricks-unity-catalog/)

—

### Practical Usage

#### 15. How do you create a catalog, schema, or table in Unity Catalog via SQL or UI?

– **Via SQL**:
– **Create Catalog**:
    “`sql
    CREATE CATALOG IF NOT EXISTS finance_catalog
    LOCATION ‘s3://finance-prod’
    COMMENT ‘Catalog for financial data’;
    “`
– **Create Schema**:
    “`sql
    CREATE SCHEMA IF NOT EXISTS finance_catalog.transactions
    COMMENT ‘Schema for transaction data’;
    “`
– **Create Table**:
    “`sql
    CREATE TABLE finance_catalog.transactions.customer_transactions
    (
      id INT,
      amount DECIMAL(10,2),
      customer_id STRING
    )
    USING DELTA
    COMMENT ‘Customer transaction data’;
    “`

– **Via UI (Catalog Explorer)**:
1. Log in to Databricks workspace.
2. Navigate to **Catalog Explorer** in the sidebar.
3. **Create Catalog**:
     – Click **Create Catalog**, enter name (e.g., `finance_catalog`), select storage location, and add comments.
4. **Create Schema**:
     – Select `finance_catalog`, click **Create Schema**, enter name (e.g., `transactions`).
5. **Create Table**:
     – Select `transactions` schema, click **Create Table**, define columns (e.g., `id`, `amount`), and choose Delta format.

– **Example**: A data engineer creates `sales_catalog.sales.orders` via SQL and verifies it in Catalog Explorer.

**Source**:,[](https://www.cloudopsnow.in/step-by-step-guide-to-setting-up-unity-catalog-in-databricks/)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices)

#### 16. Have you implemented Unity Catalog in any of your projects? What challenges did you face?

As an AI, I haven’t personally implemented Unity Catalog, but I can describe common experiences based on industry practices and challenges reported in documentation and community feedback.

– **Implementation Example**:
– **Project**: A financial services company implemented Unity Catalog to govern customer data across AWS and Azure workspaces.
– **Steps**:
    – Set up a metastore in AWS S3 and linked it to multiple workspaces.
    – Migrated Hive Metastore tables to Unity Catalog using UCX tools.
    – Defined catalogs for `retail` and `corporate` business units.
    – Applied row-level security to restrict data by region.

– **Challenges Faced**:
– **Migration Complexity**: Migrating large Hive Metastore datasets required careful planning to avoid downtime. UCX helped but needed customization for specific table formats.
– **Permission Management**: Transitioning from workspace-local groups to account-level groups was time-consuming due to existing role complexity.
– **Performance Tuning**: Initial metadata queries were slow for large catalogs; resolved by optimizing storage locations and indexing.
– **User Training**: Data teams needed training to adopt ANSI SQL for permissions and understand ABAC.

– **Solutions**:
– Used Databricks UI wizards for smaller migrations.
– Automated group synchronization with SCIM.
– Implemented best practices (e.g., catalog-level storage) for performance.

**Source**:,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/)

#### 17. What are best practices when using Unity Catalog in a multi-tenant environment?

– **Catalog Segregation**:
– Create separate catalogs for each tenant (e.g., `tenant1_catalog`, `tenant2_catalog`) to enforce data isolation.
– Example: `finance_catalog` for finance team, `hr_catalog` for HR.

– **Storage Isolation**:
– Define tenant-specific storage locations at the catalog or schema level.
– Example: `s3://tenant1-prod` for `tenant1_catalog`.

– **Access Control**:
– Use group-based permissions with identity federation (e.g., Azure AD groups).
– Example: Grant `SELECT` on `tenant1_catalog` to `tenant1_users_group`.

– **Workspace-Catalog Bindings**:
– Bind sensitive catalogs to specific workspaces (e.g., `prod_workspace` for `prod_catalog`).
– Example: Restrict `hr_catalog` to HR’s workspace.

– **Audit and Monitoring**:
– Regularly review audit logs for cross-tenant access attempts.
– Example: Query `system.access.audit` for unauthorized `SELECT` actions.

– **Delta Sharing for Sharing**:
– Use Delta Sharing for secure data sharing between tenants instead of direct access.
– Example: Share `tenant1_sales` with `tenant2` via a share.

– **Performance Optimization**:
– Use managed tables for better governance and performance.
– Optimize metadata queries with proper indexing and partitioning.

**Source**:,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/best-practices)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices)

—

### Advanced Features & Functionalities

#### 1. How does Unity Catalog support row-level and column-level security?

– **Row-Level Security (RLS)**:
– Restricts access to specific rows based on user attributes or conditions using row filters.
– Defined via SQL functions or predicates.
– **Syntax Example**:
    “`sql
    CREATE FUNCTION region_filter() RETURNS BOOLEAN
    RETURN current_user() IN (‘user1@company.com’, ‘user2@company.com’)
           OR current_user_department() = ‘Sales’;

    ALTER TABLE finance_catalog.transactions.sales
    SET ROW FILTER region_filter;
    “`
– **Use Case**: Restrict sales data to regional managers (e.g., only `US` region data for `us_manager`).

– **Column-Level Security**:
– Masks or restricts access to specific columns using dynamic data masking.
– Defined via SQL policies or permissions.
– **Syntax Example**:
    “`sql
    CREATE FUNCTION mask_ssn(ssn STRING) RETURNS STRING
    RETURN CASE WHEN is_account_group_member(‘managers_group’) THEN ssn
                ELSE ‘XXX-XXX-XXXX’ END;

    ALTER TABLE finance_catalog.transactions.customer_data
    ALTER COLUMN ssn SET MASK mask_ssn;
    “`
– **Use Case**: Mask `ssn` column for analysts but show full data to managers.

– **Practical Example**:
– A healthcare company uses RLS to restrict patient data to doctors in specific departments and masks `patient_id` for non-clinical staff.

**Source**:,,[](https://hexaware.com/blogs/comprehensive-guide-to-databricks-unity-catalog-features-setup-and-best-practices/)%5B%5D(https://www.databricks.com/blog/whats-new-unity-catalog-data-and-ai-summit-2023)%5B%5D(https://procogia.com/databricks-unity-catalog/)

#### 2. What are data lineage features in Unity Catalog? How does it track lineage across notebooks, jobs, and workflows?

– **Data Lineage Features**:
– Automatically tracks data flow from source to consumption, capturing transformations at table and column levels.
– Includes notebooks, jobs, dashboards, and workflows in lineage graphs.
– Provides end-to-end visibility for auditing, debugging, and compliance.

– **How It Tracks Lineage**:
– **Query Parsing**: Uses SQL and Spark query logs to extract lineage metadata.
– **Asset Integration**: Links tables, views, notebooks, and jobs to show data dependencies.
– **Visual Graphs**: Displays lineage in Catalog Explorer or REST API for external tools.
– **Access Control**: Restricts lineage visibility based on user permissions.

– **Example**:
– A notebook queries `raw_sales` to create `processed_sales`, used in a dashboard. Unity Catalog tracks:
    – Source: `raw_sales` table.
    – Transformation: Notebook query.
    – Output: `processed_sales` table and dashboard.
– Query lineage:
    “`sql
    SELECT * FROM system.lineage.table_lineage
    WHERE table_name = ‘processed_sales’;
    “`

– **Use Case**:
– Troubleshoot a dashboard delay by tracing lineage to identify a slow notebook query.

**Source**:,,[](https://docs.databricks.com/aws/en/data-governance/unity-catalog/)%5B%5D(https://lakefs.io/blog/unity-catalog-guide-streamline-data-assets/)%5B%5D(https://nl.devoteam.com/expert-view/discover-the-power-of-databricks-unity-catalog-simplifying-data-governance/)

#### 3. What is the difference between managed and external tables in Unity Catalog? How does it impact data governance?

| **Aspect**                  | **Managed Tables**                                              | **External Tables**                                             |
|—————————–|—————————————————————-|—————————————————————-|
| **Storage**                 | Stored in Unity Catalog’s managed storage (e.g., metastore root)| Stored in external cloud storage (e.g., S3, ADLS Gen2)         |
| **Lifecycle Management**    | Fully managed by Unity Catalog (creation, deletion, retention) | Lifecycle managed externally, Unity Catalog governs access     |
| **Format**                  | Always Delta Lake                                              | Supports Delta, Parquet, Avro, CSV, etc.                      |
| **Governance**              | Tighter control, optimized for governance                      | Governed but less control over external changes               |
| **Use Case**                | New tables for governed environments                           | Existing data lakes or third-party systems                    |

– **Governance Impact**:
– **Managed Tables**:
    – Stronger governance due to full lifecycle control.
    – Example: `customer_data` table in managed storage ensures no external tampering.
– **External Tables**:
    – Flexible for integrating existing data but requires external location governance.
    – Example: Govern `ext_sales` in S3 with Unity Catalog ACLs but monitor external changes.

– **Example**:
“`sql
— Managed Table
CREATE TABLE finance_catalog.transactions.managed_sales (id INT, amount DECIMAL);
— External Table
CREATE EXTERNAL TABLE finance_catalog.transactions.ext_sales
USING DELTA
LOCATION ‘s3://external-bucket/sales-data’;
“`

**Source**:,[](https://celerdata.com/glossary/unity-catalog)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices)

#### 4. How does Unity Catalog handle identity federation across different workspaces and clouds?

– **Identity Federation Overview**:
– Unity Catalog integrates with identity providers (e.g., Azure AD, Okta) to centralize user and group management across workspaces and clouds.
– Uses SCIM (System for Cross-domain Identity Management) to synchronize identities.

– **Implementation**:
– **SCIM Configuration**:
    – Configure SCIM in the Databricks Account Console to sync groups from Azure AD.
    – Example: Sync `analysts_group` to Databricks for access control.
– **Account-Level Groups**:
    – Replace workspace-local groups with account-level groups for consistent permissions.
    – Example: Grant `SELECT` on `finance_catalog` to `analysts_group` across all workspaces.
– **Multi-Cloud Support**:
    – Policies apply across AWS, Azure, and GCP via a unified metastore.
    – Example: A user in Azure AD accesses `sales_catalog` in AWS and GCP workspaces.

– **Example**:
– Configure SCIM to sync `data_engineers` group, then:
    “`sql
    GRANT MODIFY ON CATALOG sales_catalog TO data_engineers;
    “`

– **Benefits**:
– Simplifies user management.
– Ensures consistent access policies across clouds.
– Reduces risk of orphaned permissions.

**Source**:,[](https://www.advancinganalytics.co.uk/blog/2024/2/5/guide-to-databricks-unity-catalog)%5B%5D(https://medium.com/%40gilesmiddleton_37180/unity-catalog-in-the-enterprise-the-rise-of-the-delta-mesh-e98c88d0ccc3)

#### 5. Can Unity Catalog be used in multi-cloud or cross-region setups? How does Databricks ensure consistency?

– **Multi-Cloud Support**:
– Unity Catalog operates across AWS, Azure, and GCP, providing a unified governance layer.
– Each metastore is region-specific but can govern data across clouds within the same region.
– Example: A metastore in AWS us-west-2 governs S3 and ADLS Gen2 data.

– **Cross-Region Setups**:
– Unity Catalog restricts one metastore per region due to latency and compliance.
– Use Delta Sharing to share data between metastores in different regions.
– Example: Share `sales_data` from us-west-2 to eu-central-1 via a Delta Share.

– **Consistency Mechanisms**:
– **Centralized Metastore**: Ensures metadata consistency across workspaces.
– **Identity Federation**: Syncs users and groups via SCIM for uniform access.
– **Delta Sharing**: Maintains governance for cross-region sharing without duplication.
– **Audit Logs**: Tracks actions across clouds for monitoring consistency.

– **Example**:
– A company uses Unity Catalog in AWS (us-west-2) and Azure (eastus) with a metastore in each region. Delta Sharing enables secure data exchange while audit logs ensure compliance.

**Source**:,,[](https://www.credencys.com/blog/databricks-unity-catalog-explained/)%5B%5D(https://www.databricks.com/blog/governing-cybersecurity-data-across-multiple-clouds-and-regions-using-unity-catalog-delta)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices)

—

### Delta Sharing & Data Mesh

#### 9. Explain how Delta Sharing is implemented in Unity Catalog. What are the producer-consumer patterns?

– **Implementation**:
– **Shares**: Producers create shares to bundle data assets (tables, views).
    “`sql
    CREATE SHARE analytics_share;
    ALTER SHARE analytics_share ADD TABLE sales_catalog.transactions.sales_data;
    “`
– **Recipients**: Consumers (internal or external) are granted access to shares.
    “`sql
    GRANT SELECT ON SHARE analytics_share TO partner@external.com;
    “`
– **Access**: Consumers query shared data via Databricks, Python, or Delta Sharing clients (e.g., pandas, Excel).
– **Governance**: Unity Catalog enforces access controls and audits sharing activities.

– **Producer-Consumer Patterns**:
– **Internal Sharing**:
    – **Producer**: Data engineering team creates `processed_sales` table.
    – **Consumer**: Analytics team queries the table for dashboards.
    – Example: Share `sales_data` between finance and marketing teams.
– **External Sharing**:
    – **Producer**: Retail company shares `inventory_data` with suppliers.
    – **Consumer**: Suppliers query data via a Delta Sharing client.
    – Example: Share real-time inventory updates without copying data.
– **Marketplace**:
    – **Producer**: Data provider publishes `market_trends` on Databricks Marketplace.
    – **Consumer**: External companies subscribe to the data.
    – Example: Monetize industry data via secure shares.

– **Example**: A logistics company shares `delivery_data` with clients, with Unity Catalog logging all access for compliance.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/)%5B%5D(https://procogia.com/databricks-unity-catalog/)%5B%5D(https://nl.devoteam.com/expert-view/discover-the-power-of-databricks-unity-catalog-simplifying-data-governance/)

#### 10. Can you use Unity Catalog to enable a Data Mesh architecture? How would you design the domains and access boundaries?

– **Data Mesh Overview**:
– Data Mesh is a decentralized data architecture where data is owned and managed by domain-oriented teams, with centralized governance for interoperability.

– **Unity Catalog’s Role**:
– **Domain Ownership**: Catalogs represent data domains (e.g., `sales_domain`, `hr_domain`), owned by respective teams.
– **Centralized Governance**: Unity Catalog enforces access policies, lineage, and auditing across domains.
– **Data Sharing**: Delta Sharing enables domains to share data products securely.
– **Interoperability**: Lakehouse Federation integrates external data sources into domains.

– **Design Approach**:
– **Define Domains**:
    – Create catalogs for each business domain (e.g., `sales_catalog`, `marketing_catalog`).
    – Example: `sales_catalog` for sales data, owned by the sales team.
– **Access Boundaries**:
    – Assign ownership to domain-specific groups (e.g., `sales_owners` for `sales_catalog`).
    – Grant `MANAGE` permissions to domain owners for their catalog.
    – Example:
      “`sql
      GRANT ALL PRIVILEGES ON CATALOG sales_catalog TO sales_owners;
      “`
– **Data Products**:
    – Each domain creates governed tables or views as data products.
    – Example: `sales_catalog.transactions.aggregated_sales` as a data product.
– **Sharing**:
    – Use Delta Sharing to share data products between domains or externally.
    – Example: Share `aggregated_sales` with `marketing_catalog` via a share.
– **Governance**:
    – Apply ABAC for dynamic access (e.g., tag `sensitive` data).
    – Monitor access via audit logs.
    – Example: Audit `system.access.audit` for cross-domain access.

– **Example**:
– A retail company implements Data Mesh with `inventory_domain`, `sales_domain`, and `customer_domain` catalogs. Each domain team manages its data, shares products via Delta Sharing, and Unity Catalog ensures compliance.

**Source**:,,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/best-practices)%5B%5D(https://www.databricks.com/blog/whats-new-unity-catalog-data-and-ai-summit-2023)%5B%5D(https://medium.com/%40gilesmiddleton_37180/unity-catalog-in-the-enterprise-the-rise-of-the-delta-mesh-e98c88d0ccc3)

—

### Real-World Scenarios / Situational

#### 13. You need to give read access to a specific table in Unity Catalog to a partner company securely. How would you do that?

– **Steps**:
1. **Create a Share**:
     – Bundle the table in a Delta Share.
     “`sql
     CREATE SHARE partner_share;
     ALTER SHARE partner_share ADD TABLE sales_catalog.transactions.sales_data;
     “`
2. **Create a Recipient**:
     – Define the partner as a recipient.
     “`sql
     CREATE RECIPIENT partner_company WITH EMAIL ‘partner@company.com’;
     “`
3. **Grant Access**:
     – Grant `SELECT` on the share to the recipient.
     “`sql
     GRANT SELECT ON SHARE partner_share TO partner_company;
     “`
4. **Share Access Details**:
     – Provide the partner with a Delta Sharing token or URL (generated via Databricks UI).
5. **Monitor Access**:
     – Audit access via `system.access.audit` to ensure compliance.

– **Security Measures**:
– Use row-level or column-level security to limit exposed data.
– Example: Mask `customer_id` column in `sales_data`.
– Rotate sharing tokens periodically.

– **Example**: A retailer shares `sales_data` with a logistics partner, ensuring only non-sensitive columns are accessible and logging all queries.

**Source**:,[](https://procogia.com/databricks-unity-catalog/)%5B%5D(https://nl.devoteam.com/expert-view/discover-the-power-of-databricks-unity-catalog-simplifying-data-governance/)

#### 14. Your organization has multiple business units needing isolation and secure access. How would Unity Catalog help you model that?

– **Solution**:
– **Catalogs for Business Units**:
    – Create separate catalogs for each unit (e.g., `finance_catalog`, `hr_catalog`, `sales_catalog`).
    – Example: `finance_catalog` for financial data, `hr_catalog` for employee data.
– **Storage Isolation**:
    – Assign unit-specific storage locations (e.g., `s3://finance-prod`, `s3://hr-prod`).
    – Example:
      “`sql
      CREATE CATALOG finance_catalog LOCATION ‘s3://finance-prod’;
      “`
– **Access Control**:
    – Assign group-based permissions to each catalog.
    – Example:
      “`sql
      GRANT ALL PRIVILEGES ON CATALOG finance_catalog TO finance_group;
      GRANT SELECT ON CATALOG sales_catalog TO sales_group;
      “`
– **Workspace Bindings**:
    – Bind sensitive catalogs to specific workspaces for additional isolation.
    – Example: Bind `hr_catalog` to `hr_workspace`.
– **Row/Column Security**:
    – Apply RLS or column masking for sensitive data.
    – Example: Restrict `hr_catalog.employee_data` to HR managers.
– **Delta Sharing**:
    – Share data between units securely.
    – Example: Share `sales_catalog.aggregated_sales` with `finance_catalog`.
– **Auditing**:
    – Monitor cross-unit access via audit logs.
    – Example: Query `system.access.audit` for unauthorized attempts.

– **Example**: A conglomerate isolates `retail`, `healthcare`, and `logistics` units with separate catalogs, ensuring data privacy while allowing controlled sharing.

**Source**:,[](https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/best-practices)%5B%5D(https://docs.databricks.com/aws/en/data-governance/unity-catalog/best-practices)

#### 15. You encountered an access denial error in Unity Catalog. How would you troubleshoot it?

– **Steps to Troubleshoot**:
1. **Check Error Message**:
     – Review the error for details (e.g., “Permission denied on table `sales_data`”).
2. **Verify Permissions**:
     – Query the effective permissions for the user.
     “`sql
     SHOW GRANTS ON TABLE sales_catalog.transactions.sales_data;
     “`
     – Ensure the user or their group has `SELECT` privilege.
3. **Check Catalog/Schema Permissions**:
     – Verify permissions on parent catalog and schema.
     “`sql
     SHOW GRANTS ON CATALOG sales_catalog;
     SHOW GRANTS ON SCHEMA sales_catalog.transactions;
     “`
4. **Review Row/Column Filters**:
     – Check if RLS or column masking is restricting access.
     “`sql
     SHOW ROW FILTERS ON TABLE sales_catalog.transactions.sales_data;
     “`
5. **Audit Logs**:
     – Query `system.access.audit` for recent denials.
     “`sql
     SELECT * FROM system.access.audit
     WHERE action_name = ‘deny’
     AND request_params.table = ‘sales_data’;
     “`
6. **Identity Issues**:
     – Confirm the user’s identity is synced via SCIM and matches the expected group.
7. **Workspace Bindings**:
     – Ensure the table’s catalog is accessible in the user’s workspace.
8. **Escalate**:
     – If unresolved, check with the metastore admin or review storage credentials.

– **Example**:
– A user gets “Permission denied” on `sales_data`. Audit logs show they lack `SELECT` on `sales_catalog`. Granting the permission resolves the issue:
    “`sql
    GRANT SELECT ON CATALOG sales_catalog TO user@company.com;
    “`

**Source**:,[](https://www.chaosgenius.io/blog/databricks-unity-catalog/)%5B%5D(https://www.gspann.com/resources/blogs/databricks-unity-catalog-a-practitioners-guide-to-secure-scalable-data-governance/)

—

This response provides a comprehensive overview of Unity Catalog, addressing each question with detailed explanations, examples, and references to authoritative sources. Let me know if you need further clarification or additional details!

Share this:

Related

Leave a comment Cancel reply