Govern Unity Catalog Objects
Make data discoverable with comments
A catalog with hundreds of tables is only useful if people can find the right one, and the cheapest way to make a table findable is to describe it. In Unity Catalog you attach a plain-language description to any securable object with a comment, and that text becomes part of the object's metadata rather than a note in a separate wiki.
Set a table's description with the COMMENT ON[1] command or the COMMENT clause of CREATE/ALTER TABLE; set a column's description with ALTER TABLE ... ALTER COLUMN ... COMMENT, which is the only way to document an individual column (Add comments to data and AI assets[2]). You can also edit any comment in Catalog Explorer, where saving one runs an ALTER statement under the covers. A table comment documents what the dataset is; per-column comments document each field.
Because a comment is stored as Unity Catalog metadata, it survives schema changes and shows up wherever the catalog is searched. Any user with the BROWSE privilege can read it, and the text feeds Catalog Explorer search and the natural-language answers in AI/BI Genie (Add comments to data and AI assets[2]). You write the description once and every discovery surface reuses it, so a user understands a table without opening the files behind it.
For a large or legacy catalog, writing every description by hand is the bottleneck. Catalog Explorer can propose AI-generated comments (also called AI-generated documentation) for a table and for each of its columns; a data steward reviews the suggestion and clicks Accept, or edits it first (Add AI-generated comments to Unity Catalog objects[3]). The review step is the point: the model proposes and a human approves, so a big catalog gets documented quickly without publishing text nobody checked.
Describe a table and one of its columns
This adds a dataset-level description and a column description; the rest of the schema is unchanged:
COMMENT ON TABLE sales.orders IS 'One row per confirmed customer order';
ALTER TABLE sales.orders ALTER COLUMN email COMMENT 'Customer contact email';
-- ...
COMMENT ON TABLE sets the table description, and the ALTER COLUMN ... COMMENT form is what documents the email column specifically.
Row filters and column masks
Two Unity Catalog controls limit what a principal sees inside a table at query time, and the exam turns on telling them apart: a row filter removes whole rows, and a column mask rewrites individual values. Both are SQL user-defined functions (UDFs) that Unity Catalog evaluates on every query, and both attach to the table itself, so a query through any SQL warehouse, notebook, or client sees the same enforcement (Row filters and column masks[4]).
A row filter is a boolean SQL UDF bound to a table with ALTER TABLE <table> SET ROW FILTER. Unity Catalog runs the function once per row and keeps the row only when it returns TRUE; a row where the function returns FALSE is excluded from the result (Row filters and column masks[4]). Use it for row-level security, such as limiting each analyst to their own region's records. What a row filter cannot do is show part of a value: it decides whole rows in or out, with nothing in between.
A column mask is a SQL UDF bound to one column with ALTER TABLE <table> ALTER COLUMN <col> SET MASK. It takes the column value and returns either the original or a redacted version, so every row is still returned but the sensitive column is rewritten, for example revealing only the last four digits of a card or only the domain after the @ in an email (Row filters and column masks[4]). Reach for a column mask exactly when a row filter is too blunt, when the row must stay visible but one field must be partly hidden.
That distinction drives a least-privilege point worth internalizing. Masking a sensitive column while leaving table SELECT in place lets the query run and return every row, with only the protected field redacted. Revoking access instead is coarser and breaks any query that references the column, so a masked column follows least privilege where a revoke does not.
One hard boundary decides many questions: row filters and column masks attach to base tables (and, through ABAC policies — attribute-based access control rules introduced in the next section — to materialized views and streaming tables), but you cannot place them on a standard view (Row filters and column masks, Limitations[4]). If a stem puts SET MASK on a CREATE VIEW, it is wrong; to filter or mask through a view, use a dynamic view[5] whose logic lives in the view definition.
The order of enforcement is easiest to see as a pipeline: the base table's rows enter, the row filter drops the ones its UDF rejects, the column mask rewrites the protected values in the rows that remain, and the caller receives a filtered, redacted result.
Scale protection with ABAC and governed tags
Configuring SET ROW FILTER or SET MASK on every table stops scaling the moment you have hundreds of them. Attribute-based access control (ABAC) solves that by protecting data based on a tag instead of a table name: you tag the sensitive data once, write one policy, and it covers every table that carries the tag, today and in the future (Attribute-based access control in Unity Catalog[6]).
The vocabulary ABAC evaluates is the governed tag: an account-level tag key with a defined set of allowed values, plus permissions that control who may assign it (Governed tags[7]). Governed tags are enforced across every workspace in the account, so a pii or classification tag means the same thing everywhere. An account can hold up to 1,000 governed tags, each with up to 50 allowed values (Governed tags[7]).
An ABAC policy is the enforcement half. You attach a policy at a catalog, schema, or table, and its condition targets a governed tag; when an object carries the matching tag, the policy applies its row filter or column mask automatically, to every current and future object that matches (Attribute-based access control in Unity Catalog[6]). This is the contrast the exam probes: a table-level SET MASK protects one table and must be repeated on the next, while one ABAC policy on a pii tag governs an entire catalog at once. ABAC also supports materialized views and streaming tables, which the table-level form does not (ABAC vs table-level controls[8]).
Tagging scales because tags flow downhill. A governed tag applied to a catalog or schema is inherited by the objects within it, so tagging a schema propagates the attribute to its tables without touching each one (Governed tags, Inheritance[7]). One exception is easy to misread and worth pinning down: inheritance reaches the tables inside a catalog or schema but not individual table columns, so a column-level classification has to be tagged on the column directly. Put together, you tag a catalog, attach one policy, and both the tag and its protection reach every descendant table automatically.
The picture is a hierarchy: the tag sits at the top, inheritance carries it down to the tables, and the policy attached at the catalog applies to every object the tag reaches.
Trace lineage and audit access
Governance is not only about restricting access; it is about answering "where did this data come from" and "who touched it." Unity Catalog answers both automatically, so you query the record instead of building one.
Data lineage is captured automatically for queries and workflows run on Azure Databricks, down to the column level, with no configuration, and it is aggregated across every workspace attached to the metastore (Lineage in Unity Catalog[9]). In Catalog Explorer, the Lineage tab renders an interactive graph of upstream and downstream tables, columns, notebooks, jobs, and dashboards, alongside the object's owner and history. Before you change or drop a column, that graph is the impact analysis: it shows exactly which downstream tables and dashboards depend on it.
Audit logs record access rather than structure. Every action against a securable is written to the system.access.audit[10] system table, which captures the principal (user_identity), the securable, and the action taken (action_name, for example getTable), and holds both account-level and workspace-level events. Its free retention period is 365 days (System tables reference[11]), so one query answers "who read this table last month" across the account.
For retention beyond a year, or to route events into an existing monitoring stack, configure Azure diagnostic settings on the workspace. Diagnostic settings stream the same Azure Databricks audit (diagnostic) logs to a Log Analytics workspace, an Azure storage account, or an Azure Event Hubs namespace, which is how you get long-term archival, Azure Monitor querying, and alerting (Configure diagnostic log delivery[12]).
By default the audit log records that an operation happened but not the text of what ran. Enabling verbose audit logging adds fine-grained command events, the notebook and jobs runCommand actions and the Databricks SQL commandSubmit and commandFinish actions, which capture notebook-cell and SQL-warehouse command activity that standard logging omits (Enable verbose audit logs[13]). Turn it on when an audit needs the actual queries, not just the fact that a query ran.
Two destinations for one event are worth picturing: every audit event lands in the queryable system table, and, if you configure it, the same event also streams out through diagnostic settings to one of three Azure sinks.
Time travel, retention, and VACUUM
Delta time travel lets you query or restore an earlier version of a table, but it only reaches as far back as two retention windows allow, and running VACUUM can close that window for good. Two table properties set the windows, and confusing them is a classic trap.
delta.logRetentionDuration controls how long the transaction-log history is kept, and it defaults to 30 days (Table properties reference[14]). Because time travel resolves a version or timestamp against that log, this property bounds how far back a time-travel query can reference. delta.deletedFileRetentionDuration controls how long data files that have been logically removed are kept before VACUUM may delete them, and it defaults to 7 days (interval 1 week) (Table properties reference[14]). The two govern different things: one keeps the log (how far back you can name a version), the other keeps the files (whether that version's data still exists on storage).
VACUUM is where recoverability meets cost. It permanently removes data files that are no longer referenced by the latest table version and are older than the retention threshold, which reclaims storage and ensures deleted records are truly gone (Remove unused data files with vacuum[15]). The trade-off is stated plainly in the docs: the ability to query table versions older than the retention period is lost after running VACUUM (Remove unused data files with vacuum[15]). Once the files for a version are purged you can no longer time-travel to it, even if a log entry still names it.
The practical rule follows directly. To preserve the ability to roll back or audit older versions, raise delta.deletedFileRetentionDuration before you run VACUUM, and keep delta.logRetentionDuration at least as long as the history you want to name. To reclaim storage or guarantee a deleted record is unrecoverable, run VACUUM and accept that the older versions go with it.
Lengthen the recoverability window before vacuuming
This raises both retention windows so older versions stay recoverable; the values shown are examples, not the defaults:
ALTER TABLE sales.orders SET TBLPROPERTIES (
'delta.deletedFileRetentionDuration' = 'interval 30 days',
'delta.logRetentionDuration' = 'interval 30 days'
);
-- ...
delta.deletedFileRetentionDuration is the window VACUUM honors before it may purge files, and delta.logRetentionDuration bounds the versions time travel can name.
Share selected data with OpenSharing
When you give another team or company read access to specific tables, the goal is to expose exactly those tables and nothing else. OpenSharing (previously Delta Sharing) does that with a share: a read-only collection that holds only the tables or views you add, granted to a named recipient (What is OpenSharing?[16]). The recipient sees the objects in the share and never the rest of the metastore, and you can add, remove, or revoke access at any time.
How the recipient authenticates depends on who they are, and this is the distinction the exam tests. If the recipient works in another Unity Catalog-enabled Databricks workspace, use Databricks-to-Databricks sharing: you create a recipient of authentication type DATABRICKS, matched to the recipient's metastore by a sharing identifier (a cloud:region:uuid string) (Create data recipients for OpenSharing[17]). No bearer token is created or managed, and identity verification, authentication, and auditing are handled by the platform over a secure Databricks-managed channel. That is the whole advantage: nothing to rotate.
If the recipient is on any other platform, or has no Unity Catalog-enabled workspace, use open sharing (the Databricks-to-Open protocol) with a recipient of authentication type TOKEN. Azure Databricks generates a long-lived bearer token, a credential file that includes the token, and an activation link that you send over a secure channel; the recipient downloads the credential and uses it to authenticate (Create a recipient using bearer tokens[18]). Because that token grants read access, it must be kept secret and rotated if it is ever exposed. Only this open-sharing path issues a token; Databricks-to-Databricks does not, which is why "eliminate token management" always points to the Databricks-to-Databricks answer.
One governance interaction is worth flagging: a provider cannot share a table that has table-level row filters or column masks applied (What is OpenSharing?, Limitations[16]). To share a redacted slice, expose a dynamic view rather than the protected base table.
Exam-pattern recognition
Most govern-objects questions hand you a goal and a constraint, then ask for the single control that satisfies both. Read the stem for the signal and match it.
- Hide whole rows by identity (region, department, owner): attach a row filter with
ALTER TABLE ... SET ROW FILTER. If the same rule must cover many tables by classification, use an ABAC policy on a governed tag instead. - Reveal only part of a value (last four digits, email domain): a column mask with
ALTER TABLE ... ALTER COLUMN ... SET MASK. A row filter cannot do partial redaction. - Let the query keep running while a sensitive column is hidden: mask the column and keep table
SELECT; do not revoke column access, which errors the query. - Apply one rule across a whole catalog, including tables added later: a governed tag plus an ABAC policy at the catalog or schema, not per-table configuration.
- Put a filter or mask on a view: not allowed on a standard view; the controls attach to tables, or you use a dynamic view.
- Find out who read a table: query
system.access.audit(365-day retention). To keep logs longer or to alert, stream them via Azure diagnostic settings to Log Analytics. - Capture the actual command text that ran: enable verbose audit logging (
runCommand,commandSubmit,commandFinish). - Trace what a column feeds before you drop it: the Catalog Explorer Lineage tab, which captures column-level lineage automatically.
- Keep the ability to roll back older versions: raise
delta.deletedFileRetentionDurationbeforeVACUUM; onceVACUUMpurges the files, time travel to those versions is gone. - Share tables with another Databricks org without managing tokens: OpenSharing Databricks-to-Databricks (recipient type
DATABRICKS). For a non-Databricks partner, open sharing issues a bearer token you must secure and rotate.
Choosing a Unity Catalog data-protection control
| Control | What it hides | Attached with | Scales across tables? | Query still runs? |
|---|---|---|---|---|
| Row filter | Whole rows the UDF rejects | ALTER TABLE ... SET ROW FILTER | No, one table at a time | Yes |
| Column mask | Part of a column value | ALTER TABLE ... ALTER COLUMN ... SET MASK | No, one column at a time | Yes |
| ABAC policy | Rows or columns on tag-matched objects | CREATE POLICY on a catalog or schema by governed tag | Yes, many tables at once | Yes |
| Revoke SELECT | All access to the table or column | REVOKE SELECT | Grant-scoped | No, the query errors |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Table and column descriptions are added with the COMMENT clause
Descriptions for discovery are set with the COMMENT clause or COMMENT ON and can be edited in Catalog Explorer; a table comment documents the dataset and per-column comments document each field, all stored as Unity Catalog metadata.
15 questions test this
- You have a Unity Catalog catalog that contains more than 5,000 tables migrated from a legacy system, and almost none of them have descriptions. You need to document the tables quickly so they become d
- You are authoring a CREATE TABLE statement for a new managed Delta table named Inventory in Unity Catalog. Governance requires that the dataset's description be captured as Unity Catalog metadata at t
- You have an Azure Databricks workspace enabled for Unity Catalog. The catalog ops_prod contains a managed Delta table named Assets that was repurposed months ago, but its existing table description st
- You are authoring a notebook that runs a CREATE TABLE statement to build a new managed Delta table named Inventory in a Unity Catalog schema. Company policy requires that every new table ship with a d
- You have an Azure Databricks workspace enabled for Unity Catalog. The catalog analytics_prod contains fully commented tables and columns. A data-discovery team must be able to browse these objects and
- You have an Azure Databricks workspace enabled for Unity Catalog. Your team currently keeps the definitions of tables and columns in an external wiki, but consumers browsing Catalog Explorer still can
- You have an Azure Databricks workspace enabled for Unity Catalog. The catalog crm_prod contains a managed Delta table named Accounts whose columns have cryptic names such as c_id, mrr, and geo. Requir
- You have a Unity Catalog Delta table named catalog1.schema1.Payments with a column named amt. You need to attach the description 'Payment amount in USD' to the amt column so it is stored as column met
- In a Unity Catalog catalog, a colleague applied several tags to a table named Shipments hoping to describe what the table is for, but data consumers browsing Catalog Explorer still cannot read a plain
- You have a Unity Catalog managed Delta table named Customers in a catalog named crm_cat. The table has columns cust_id, dob, and rfm_score, but analysts do not understand what the individual fields me
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named sales_cat contains a managed Delta table named Orders. When data consumers browse the catalog, they cannot tell what O
- You have a Unity Catalog metastore with several catalogs and schemas. When users browse the catalog tree in Catalog Explorer, they cannot tell the purpose of a schema named finance_gold. You need to a
- Contoso, Inc. has an Azure Databricks workspace enabled for Unity Catalog. The catalog sales_prod contains a Delta table named Orders that was created with no description, so analysts browsing Catalog
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and for AI-assistive features. A newly onboarded catalog named mktg_prod contains a wide managed Delta table n
- You have added table and column comments to several tables in a Unity Catalog catalog named analytics_cat to improve discoverability. A group of business users must be able to see these descriptions w
- AI-generated comments propose table and column descriptions for review
Catalog Explorer can suggest AI-generated table and column descriptions that a data steward reviews and accepts, accelerating the documentation of large catalogs so that objects become discoverable more quickly.
7 questions test this
- You have a Unity Catalog catalog that contains more than 5,000 tables migrated from a legacy system, and almost none of them have descriptions. You need to document the tables quickly so they become d
- A data steward uses the AI generate option in Catalog Explorer to document a Unity Catalog table. Your governance policy requires that a person verify each description for accuracy before it is stored
- A team wants to identify and label which columns in a Unity Catalog table contain PII such as email addresses and national ID numbers. A colleague proposes generating AI comments in Catalog Explorer t
- You have an Azure Databricks workspace that is enabled for AI-assistive features and Unity Catalog. A recently migrated catalog named retail_raw contains several thousand tables and columns that have
- You have an Azure Databricks workspace enabled for AI-assistive features and Unity Catalog. A newly created catalog named finance_raw contains many undocumented tables and columns. A data steward assu
- You have an Azure Databricks workspace enabled for AI-assistive features and Unity Catalog. In Catalog Explorer, a data steward opens a wide table and clicks AI generate above the column list, and a s
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and for AI-assistive features. A newly onboarded catalog named mktg_prod contains a wide managed Delta table n
- Descriptions persist as metadata and power search and discovery
Because comments persist as Unity Catalog metadata they survive schema evolution and surface in Catalog Explorer search and AI/BI Genie, letting users find and understand data without opening the underlying files.
- Governed tags are the account-level attribute vocabulary ABAC builds on
Governed tags are a centrally defined, account-level set of tag keys and allowed values, with permissions controlling who may apply each tag; they are the attributes that attribute-based access control policies evaluate to decide protection.
14 questions test this
- You are a governance admin for an Azure Databricks account that is enabled for Unity Catalog. Before any attribute-based access control (ABAC) policies are written, you must establish the classificati
- Your governance team created an account-level governed tag named pii. A data steward must apply pii:ssn to columns in the prod.hr schema and already holds APPLY TAG on those tables, yet every attempt
- In a Unity Catalog metastore, a governance team must guarantee that sensitive columns tagged pii stay masked across an entire catalog. A specific concern is that individual table owners have previousl
- Contoso operates an Azure Databricks account with three Unity Catalog metastores in different regions. The governance team must establish one classification vocabulary of tag keys such as sensitivity,
- You have a Unity Catalog catalog named sales whose tables each include a column tagged region. You must ensure that members of the EMEA analyst group see only rows where region is EMEA, that the rule
- You have a Unity Catalog catalog named prod that contains 60 tables across several schemas, and new tables are added every week. Columns holding Social Security numbers are tagged pii:ssn. You must en
- You manage a Unity Catalog catalog named finance that contains dozens of Delta tables, and new tables are added every week. Several columns across these tables hold personally identifiable information
- Your organization has one Azure Databricks account that contains multiple Unity Catalog metastores in different regions. The data-governance team wants a single classification taxonomy to serve as the
- In your ABAC design, a column mask policy on the prod catalog masks every column tagged pii:email. A security reviewer notes that the mask applies only where the pii:email tag is present and asks how
- You are preparing governed tags to drive ABAC in a Unity Catalog account. Analysts have historically labeled sensitivity by typing free-form values such as Confidential, confidential, and CONF, and th
- In your Azure Databricks account, different teams tag sensitive columns inconsistently, using PII, pii, and personal for the same concept, which breaks ABAC policies that expect a fixed vocabulary. Yo
- You plan to protect every table under the finance catalog with an ABAC policy keyed on a domain:finance classification. To minimize tagging effort, you assign the governed tag domain:finance only to t
- In an ABAC-governed Unity Catalog account, protection of pii columns depends on the governed tag pii being present on those columns. A security review warns that some data creators could remove the pi
- You have an Azure Databricks account that uses governed tags as the attributes for ABAC. A team of data stewards must be able to classify tables and columns by applying the existing governed tag class
- An ABAC policy applies filters or masks automatically to every tag-matched object
An attribute-based access control (ABAC) policy is attached at a catalog, schema, or table and uses governed-tag conditions to apply a row filter or column mask to every current and future object carrying the matching tag, so one policy governs many tables at once.
Trap ABAC scales a single tag-driven policy across many tables; a table-level SET MASK or SET ROW FILTER must be configured on each table individually.
14 questions test this
- You have an Azure Databricks account with Unity Catalog. A catalog named corp contains several schemas, including a schema named hr whose tables have columns labeled with a governed tag. You need a si
- In a Unity Catalog metastore, a governance team must guarantee that sensitive columns tagged pii stay masked across an entire catalog. A specific concern is that individual table owners have previousl
- You created an ABAC column mask policy on the prod catalog that masks pii:ssn columns for the analysts group, and you confirmed that the masking function works. After deployment, analysts report they
- You have a Unity Catalog catalog named sales whose tables each include a column tagged region. You must ensure that members of the EMEA analyst group see only rows where region is EMEA, that the rule
- A governance admin created an ABAC column mask policy at a catalog to mask pii-tagged columns for the analyst group. The analysts report that they cannot query the tables at all and receive an error i
- You have a Unity Catalog catalog named prod that contains 60 tables across several schemas, and new tables are added every week. Columns holding Social Security numbers are tagged pii:ssn. You must en
- You have a Unity Catalog catalog named sales whose tables each contain a column that is labeled with the governed tag region. Requirements: members of the EMEA team must see only the rows whose region
- You manage a Unity Catalog catalog named finance that contains dozens of Delta tables, and new tables are added every week. Several columns across these tables hold personally identifiable information
- You have an Azure Databricks catalog named finance whose tables include a column labeled with the governed tag pii:card, and new tables carrying that tag are onboarded every week. Analysts must be abl
- In your ABAC design, a column mask policy on the prod catalog masks every column tagged pii:email. A security reviewer notes that the mask applies only where the pii:email tag is present and asks how
- You are preparing governed tags to drive ABAC in a Unity Catalog account. Analysts have historically labeled sensitivity by typing free-form values such as Confidential, confidential, and CONF, and th
- You plan to protect every table under the finance catalog with an ABAC policy keyed on a domain:finance classification. To minimize tagging effort, you assign the governed tag domain:finance only to t
- In an ABAC-governed Unity Catalog account, protection of pii columns depends on the governed tag pii being present on those columns. A security review warns that some data creators could remove the pi
- A catalog owner attached an ABAC row filter policy to the prod catalog that hides sensitive rows from most analysts. A table owner within prod wants their own team to see all rows of one table and ask
- Tags assigned to a parent object are inherited by child objects
A governed tag applied to a catalog or schema is inherited by the schemas and tables beneath it, but not by individual table columns, so tagging a parent propagates the attribute that ABAC policies and discovery rely on to descendant tables; a column-level classification must be tagged on the column directly.
- A row filter removes whole rows via ALTER TABLE ... SET ROW FILTER
A row filter is a boolean SQL UDF attached with ALTER TABLE SET ROW FILTER; the function is evaluated per row and returns TRUE to keep the row or FALSE/NULL to drop it, so it controls which entire rows a principal sees at query time.
Trap A row filter removes whole rows and cannot reveal only part of a column value; use a column mask for partial redaction.
20 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named sales_cat contains a table named Orders that stores sales records for every region in a region column. Business analys
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Members has a passport_number column. A reporting team must keep running their existing SELECT * queries against Members
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Payroll with a salary column. Requirements: analysts must run their existing reports,
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Ledger. Each user must be exposed only the rows for the business units they are author
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Customers contains a phone_number column. A support team must continue to query every customer row in Customers but must
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Invoices holds records for every branch in a branch column. Requirements: each sales representative must s
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Transactions that is loaded by a production pipeline and queried by auditors. Requirem
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Projects that is the single source of truth for all project records. Requirements: ext
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Cases with a confidential flag. Requirements: members of the Contractors group must no
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Contacts whose phone, email, and ssn columns must all be redacted to non-privileged us
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Accounts with an account_number column. Requirements: support analysts must still see
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Customers contains name, address, and country columns and is queried by several regional support teams. Re
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Leads with an email column. Requirements: marketing analysts must be able to analyze t
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Orders with a region column. Requirements: regional analysts must query Orders directl
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Accounts has an owner_email column. Each analyst must see only the rows where owner_email matches their own login, all d
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Applicants contains an ssn column. Requirements: analysts must be able to see only the last four character
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named HR_Records must be governed so that: analysts see only the rows for their own region; within the rows they can see, the
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Members with a country column and a national_id column. Requirements: analysts must se
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Patients with a diagnosis column. Requirements: members of the CareTeam group must see
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Deals stores opportunities for every region in a region column. Analysts already hold the SELECT privilege
- A column mask redacts values via ALTER TABLE ... ALTER COLUMN ... SET MASK
A column mask is a SQL UDF attached with ALTER TABLE ALTER COLUMN SET MASK; it rewrites each returned value at query time, for example showing only the text after the @ in an email or only the last four digits of a card, while every row is still returned.
Trap Masking only sensitive columns while keeping table SELECT follows least privilege and lets queries run without errors, unlike revoking column access.
20 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. A catalog named sales_cat contains a table named Orders that stores sales records for every region in a region column. Business analys
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Members has a passport_number column. A reporting team must keep running their existing SELECT * queries against Members
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Payroll with a salary column. Requirements: analysts must run their existing reports,
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Ledger. Each user must be exposed only the rows for the business units they are author
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Customers contains a phone_number column. A support team must continue to query every customer row in Customers but must
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Invoices holds records for every branch in a branch column. Requirements: each sales representative must s
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Transactions that is loaded by a production pipeline and queried by auditors. Requirem
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Projects that is the single source of truth for all project records. Requirements: ext
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Cases with a confidential flag. Requirements: members of the Contractors group must no
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Contacts whose phone, email, and ssn columns must all be redacted to non-privileged us
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Accounts with an account_number column. Requirements: support analysts must still see
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Customers contains name, address, and country columns and is queried by several regional support teams. Re
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Leads with an email column. Requirements: marketing analysts must be able to analyze t
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Orders with a region column. Requirements: regional analysts must query Orders directl
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named Accounts has an owner_email column. Each analyst must see only the rows where owner_email matches their own login, all d
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Applicants contains an ssn column. Requirements: analysts must be able to see only the last four character
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named HR_Records must be governed so that: analysts see only the rows for their own region; within the rows they can see, the
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Members with a country column and a national_id column. Requirements: analysts must se
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a managed Delta table named Patients with a diagnosis column. Requirements: members of the CareTeam group must see
- You have an Azure Databricks workspace enabled for Unity Catalog. A managed Delta table named Deals stores opportunities for every region in a region column. Analysts already hold the SELECT privilege
- Row filters and column masks attach to base tables, not to standard views
Table-level row filters and column masks are attached to base tables and cannot be placed on a standard view, while ABAC policies extend the same row-filter and column-mask protection to materialized views and streaming tables; once attached they are enforced for every query through any SQL warehouse, notebook, or client.
- delta.deletedFileRetentionDuration sets the VACUUM retention window
The table property delta.deletedFileRetentionDuration defines how long removed data files are retained before VACUUM is permitted to delete them, defaulting to 7 days; raising it lengthens the window during which older versions stay recoverable.
18 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. It contains a Unity Catalog managed Delta table named Orders on which predictive optimization runs VACUUM automatically. A new complia
- You have an Azure Databricks workspace with a Delta table named Transactions. The data governance team requires that time-travel queries reliably return any table version from the last 90 days, no mor
- You have an Azure Databricks workspace with a managed Delta table named Inventory. You need to lengthen the window during which data files removed by an update or delete stay physically present so tha
- You have a Delta table named Events. A colleague set delta.logRetentionDuration to interval 90 days expecting to be able to time travel 90 days back, but VACUUM runs on Events on the default schedule.
- You have a Delta table named Payments. A team currently reclaims storage by running VACUUM Payments RETAIN 336 HOURS by hand, but they sometimes forget the clause and files are purged at the 7-day def
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a Unity Catalog managed Delta table named LedgerHistory. Auditors must be able to query the table at any point in
- You have a Delta table named Shipments. Data files are retained well beyond 45 days because delta.deletedFileRetentionDuration was raised. An analyst runs a SELECT ... TIMESTAMP AS OF query for a date
- You have an Azure Databricks workspace with a managed Delta table named Warehouse. Some ETL jobs against Warehouse run for two to three days and write files that are not committed until the job finish
- You have a managed Delta table named Telemetry in Unity Catalog. A nightly job runs VACUUM on Telemetry with default settings. Analysts report that TIMESTAMP AS OF queries succeed for the last few day
- You have an Azure Databricks workspace with a Delta table named Ledger. Auditors must be able to reference older table versions by version number and timestamp for as long as the commit history is kep
- You have a managed Delta table named Inventory in Unity Catalog. After a bad batch load, you try to run RESTORE TABLE Inventory TO VERSION AS OF an older version from three weeks ago, but the command
- You have a Delta table named AccessLogs. A data-minimization policy states that no time-travel query may reference any table version older than 15 days, and the version history should not be kept beyo
- You have a Delta table named Clickstream. A daily OPTIMIZE job compacts small files, and VACUUM then reclaims the pre-compaction files on the default schedule. Data scientists report that time travel
- You have an Azure Databricks workspace with a Delta table named Sales. Auditors must be able to run DESCRIBE HISTORY on Sales and see the operation history stretching back 60 days. The data files are
- You have a managed Delta table named Contacts in Unity Catalog. A data-minimization policy states that the table's operation history metadata must not be kept longer than 14 days, but the ability to r
- You have a managed Delta table named Events in Unity Catalog. An engineer set only delta.logRetentionDuration to a large value expecting longer time travel, but TIMESTAMP AS OF queries against Events
- You have an Azure Databricks workspace enabled for Unity Catalog that contains a managed Delta table named Orders. Predictive optimization runs VACUUM on Orders automatically. Analysts must be able to
- You have a Delta table named Customers that stores personal data. To support time travel, delta.deletedFileRetentionDuration was previously raised to interval 60 days, so files removed by deletes now
- delta.logRetentionDuration bounds how far back time travel can go
The table property delta.logRetentionDuration controls how long transaction-log history is kept, defaulting to 30 days, which bounds the versions and timestamps that time-travel queries can reference.
18 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. It contains a Unity Catalog managed Delta table named Orders on which predictive optimization runs VACUUM automatically. A new complia
- You have an Azure Databricks workspace with a Delta table named Transactions. The data governance team requires that time-travel queries reliably return any table version from the last 90 days, no mor
- You have an Azure Databricks workspace with a managed Delta table named Inventory. You need to lengthen the window during which data files removed by an update or delete stay physically present so tha
- You have a Delta table named Events. A colleague set delta.logRetentionDuration to interval 90 days expecting to be able to time travel 90 days back, but VACUUM runs on Events on the default schedule.
- You have a Delta table named Payments. A team currently reclaims storage by running VACUUM Payments RETAIN 336 HOURS by hand, but they sometimes forget the clause and files are purged at the 7-day def
- You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a Unity Catalog managed Delta table named LedgerHistory. Auditors must be able to query the table at any point in
- You have a Delta table named Shipments. Data files are retained well beyond 45 days because delta.deletedFileRetentionDuration was raised. An analyst runs a SELECT ... TIMESTAMP AS OF query for a date
- You have a managed Delta table named Telemetry in Unity Catalog. A nightly job runs VACUUM on Telemetry with default settings. Analysts report that TIMESTAMP AS OF queries succeed for the last few day
- You have an Azure Databricks workspace with a Delta table named Ledger. Auditors must be able to reference older table versions by version number and timestamp for as long as the commit history is kep
- You have a managed Delta table named Inventory in Unity Catalog. After a bad batch load, you try to run RESTORE TABLE Inventory TO VERSION AS OF an older version from three weeks ago, but the command
- You have a Delta table named AccessLogs. A data-minimization policy states that no time-travel query may reference any table version older than 15 days, and the version history should not be kept beyo
- You have a managed Delta table named AuditLog in a Unity Catalog catalog. A compliance policy requires that DESCRIBE HISTORY on AuditLog can list write operations going back several months for review,
- You have a Delta table named Clickstream. A daily OPTIMIZE job compacts small files, and VACUUM then reclaims the pre-compaction files on the default schedule. Data scientists report that time travel
- You have an Azure Databricks workspace with a Delta table named Sales. Auditors must be able to run DESCRIBE HISTORY on Sales and see the operation history stretching back 60 days. The data files are
- You have a managed Delta table named Contacts in Unity Catalog. A data-minimization policy states that the table's operation history metadata must not be kept longer than 14 days, but the ability to r
- You have a managed Delta table named Events in Unity Catalog. An engineer set only delta.logRetentionDuration to a large value expecting longer time travel, but TIMESTAMP AS OF queries against Events
- You have a managed Delta table named Metrics in Unity Catalog. A compliance rule requires that DESCRIBE HISTORY on Metrics keep listing write operations for the last 90 days, and this listing must rem
- You have a Delta table named Customers that stores personal data. To support time travel, delta.deletedFileRetentionDuration was previously raised to interval 60 days, so files removed by deletes now
- Running VACUUM permanently deletes old files and forfeits earlier time travel
VACUUM permanently removes data files that are no longer referenced by the latest table state and are older than the retention threshold, after which you can no longer time-travel to a version whose files were purged, trading storage cost against recoverability.
- Unity Catalog captures lineage automatically down to the column level
For queries and workflows run on Azure Databricks, Unity Catalog captures runtime data lineage automatically down to the column level with no configuration, and aggregates it across every workspace attached to the metastore.
12 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. A Salesforce extract is loaded by an external ETL tool into a Unity Catalog table named bronze.crm.leads, and a Power BI report consum
- Your company has two Azure Databricks workspaces, WorkspaceA and WorkspaceB, that are both attached to the same Unity Catalog metastore. An ETL job in WorkspaceA writes a Unity Catalog table named sal
- You have an Azure Databricks workspace enabled for Unity Catalog. A Delta table named gold.finance.revenue has a column named net_revenue, and an analyst reports an unexpected value in it. Before you
- You have an Azure Databricks workspace that is enabled for Unity Catalog. The managed table silver.customers contains a column named customer_email that is classified as PII. To scope a privacy review
- You have an Azure Databricks workspace enabled for Unity Catalog with automatic data lineage. You plan to rename a heavily referenced table from prod.core.cust to prod.core.customer with ALTER TABLE .
- You have two Azure Databricks workspaces, Workspace1 and Workspace2, that are both attached to the same Unity Catalog metastore named metastore1. A job in Workspace2 writes to the managed table sales.
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A data engineer with broad privileges and a business analyst who holds only the SELECT privilege on finance.gl both open the L
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. The managed table gold.retail.order_summary is populated by several notebooks and Lakeflow Jobs and feeds mul
- You have an Azure Databricks workspace named Workspace1 that is attached to a Unity Catalog metastore. A data engineering team runs Spark SQL and DataFrame ETL notebooks on Azure Databricks compute th
- You have an Azure Databricks workspace that is enabled for Unity Catalog. For a compliance audit you must demonstrate where the regulated column in the managed table pii.accounts originates and every
- You have an Azure Databricks workspace enabled for Unity Catalog. A business analyst who has SELECT on the relevant tables wants to visually explore, in the workspace UI and without writing code, the
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A governance team needs a daily report of the upstream and downstream dependencies for several hundred tables across the metas
- Catalog Explorer shows owner, history, dependencies, and upstream/downstream lineage
The Catalog Explorer Lineage tab renders an interactive graph of upstream and downstream tables, columns, notebooks, jobs, and dashboards alongside the object owner and history, so you can trace dependencies before changing or deleting an object.
16 questions test this
- You have an Azure Databricks workspace enabled for Unity Catalog. A Salesforce extract is loaded by an external ETL tool into a Unity Catalog table named bronze.crm.leads, and a Power BI report consum
- Your company has two Azure Databricks workspaces, WorkspaceA and WorkspaceB, that are both attached to the same Unity Catalog metastore. An ETL job in WorkspaceA writes a Unity Catalog table named sal
- You have an Azure Databricks workspace enabled for Unity Catalog. A Delta table named gold.finance.revenue has a column named net_revenue, and an analyst reports an unexpected value in it. Before you
- You have an Azure Databricks workspace that is enabled for Unity Catalog. The managed table silver.customers contains a column named customer_email that is classified as PII. To scope a privacy review
- You have an Azure Databricks workspace that is enabled for Unity Catalog. Before you change the schema of gold.revenue, you need a single interactive view that shows both the upstream tables that feed
- You have an Azure Databricks workspace enabled for Unity Catalog with automatic data lineage. You plan to rename a heavily referenced table from prod.core.cust to prod.core.customer with ALTER TABLE .
- You have an Azure Databricks workspace that is enabled for Unity Catalog. You must decommission the managed table bronze.raw_events, but first you have to identify the complete downstream dependency g
- You have an Azure Databricks workspace that is enabled for Unity Catalog. Before you request a change to the managed table sales.orders, a data steward must (1) find the object's current owner so the
- You have an Azure Databricks workspace enabled for Unity Catalog. A table named finance.reporting.gl_summary is about to be modified. Before making the change, you must find out who currently owns the
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog. The managed table gold.retail.order_summary is populated by several notebooks and Lakeflow Jobs and feeds mul
- You have an Azure Databricks workspace enabled for Unity Catalog. A dashboard built on gold.sales.daily_totals suddenly shows inflated numbers. You need to trace daily_totals back through its transfor
- You have an Azure Databricks workspace named Workspace1 that is attached to a Unity Catalog metastore. A data engineering team runs Spark SQL and DataFrame ETL notebooks on Azure Databricks compute th
- You have an Azure Databricks workspace enabled for Unity Catalog. A user named userA has the SELECT privilege on the table lineage_demo.sales.menu but no privileges on the downstream table lineage_dem
- You have an Azure Databricks workspace that is enabled for Unity Catalog. For a compliance audit you must demonstrate where the regulated column in the managed table pii.accounts originates and every
- You have an Azure Databricks workspace enabled for Unity Catalog. A business analyst who has SELECT on the relevant tables wants to visually explore, in the workspace UI and without writing code, the
- You have an Azure Databricks workspace that is enabled for Unity Catalog. A governance team needs a daily report of the upstream and downstream dependencies for several hundred tables across the metas
- Unity Catalog audit events are queryable in the system.access.audit table
The system.access.audit system table records account- and workspace-level audit events, capturing which principal accessed which securable and what action was taken, and retains them for up to one year for security and compliance analysis.
15 questions test this
- You have an Azure Databricks workspace named Workspace1 on the Premium plan. Your Azure operations team needs to analyze Workspace1 audit activity together with logs from other Azure resources, run ad
- You have an Azure Databricks workspace named Workspace1 on the Premium plan that is enabled for Unity Catalog. Your security operations team already uses Azure Monitor to investigate telemetry from th
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and attached to a metastore named Metastore1. Your security team must review which principal accessed each Uni
- You have an Azure Databricks workspace enabled for Unity Catalog. A security engineer investigating an incident needs to see, for a sensitive catalog, every GRANT and REVOKE performed on its securable
- The security policy at Contoso forbids copying audit data outside the Azure Databricks platform because of the sensitive information it contains. The governance team still needs to analyze which princ
- An engineer at Proseware is asked to make the Azure Databricks workspace's audit logs available to the organization's Azure Monitor tooling. They previously enabled compute log delivery to a Unity Cat
- Woodgrove Bank runs an Azure Databricks account with several workspaces in the same Azure region, all attached to one Unity Catalog metastore. During a compliance review, an auditor asks for a single
- Contoso, Inc. has an Azure Databricks workspace attached to a Unity Catalog metastore and enabled for system tables. A compliance officer must build a quarterly report, using SQL in the lakehouse, tha
- Fabrikam streams its Azure Databricks workspace-level diagnostic logs to a Log Analytics workspace through Azure diagnostic settings. During an audit, the security team finds that account-level events
- You have an Azure Databricks workspace enabled for Unity Catalog. You query the system.access.audit table to investigate activity, but the records for notebook and Databricks SQL commands do not inclu
- Litware must retain the raw Azure Databricks workspace audit logs for seven years to satisfy a financial regulation, at the lowest possible storage cost. The archived logs will be read only rarely, du
- You have an Azure Databricks account with several workspaces attached to one metastore, and you already deliver each workspace's audit logs to Azure Monitor through diagnostic settings. During a compl
- You have an Azure Databricks workspace on the Premium plan. Your security operations center runs a third-party (non-Microsoft) SIEM product and must ingest the workspace audit events in near real time
- You have an Azure Databricks workspace on the Premium plan. Your compliance team must retain the raw audit logs for seven years at the lowest possible storage cost. The archived logs will not be queri
- You have an Azure Databricks workspace enabled for Unity Catalog. An auditor asks for a report of all governance actions performed against securables over the last eight months. The solution must not
- Azure diagnostic settings deliver Databricks audit logs to Log Analytics
Configuring Azure diagnostic settings on the workspace streams Azure Databricks diagnostic (audit) logs to a Log Analytics workspace, a storage account, or Event Hubs for long-term retention, querying, and alerting in Azure Monitor.
14 questions test this
- You have an Azure Databricks workspace named Workspace1 on the Premium plan. Your Azure operations team needs to analyze Workspace1 audit activity together with logs from other Azure resources, run ad
- You have an Azure Databricks workspace named Workspace1 on the Premium plan that is enabled for Unity Catalog. Your security operations team already uses Azure Monitor to investigate telemetry from th
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and attached to a metastore named Metastore1. Your security team must review which principal accessed each Uni
- The security policy at Contoso forbids copying audit data outside the Azure Databricks platform because of the sensitive information it contains. The governance team still needs to analyze which princ
- An engineer at Proseware is asked to make the Azure Databricks workspace's audit logs available to the organization's Azure Monitor tooling. They previously enabled compute log delivery to a Unity Cat
- Woodgrove Bank runs an Azure Databricks account with several workspaces in the same Azure region, all attached to one Unity Catalog metastore. During a compliance review, an auditor asks for a single
- Fabrikam streams its Azure Databricks workspace-level diagnostic logs to a Log Analytics workspace through Azure diagnostic settings. During an audit, the security team finds that account-level events
- You have an Azure Databricks workspace enabled for Unity Catalog. You query the system.access.audit table to investigate activity, but the records for notebook and Databricks SQL commands do not inclu
- Litware must retain the raw Azure Databricks workspace audit logs for seven years to satisfy a financial regulation, at the lowest possible storage cost. The archived logs will be read only rarely, du
- Compliance at Litware requires that raw Azure Databricks workspace audit logs be retained for seven years at the lowest possible storage cost. The archived logs will be retrieved only rarely, for occa
- You have an Azure Databricks account with several workspaces attached to one metastore, and you already deliver each workspace's audit logs to Azure Monitor through diagnostic settings. During a compl
- A platform team at Contoso wants a single, workspace-level configuration that can route Azure Databricks audit logs to whichever Azure service each consumer needs - a storage account for archival, an
- You have an Azure Databricks workspace on the Premium plan. Your security operations center runs a third-party (non-Microsoft) SIEM product and must ingest the workspace audit events in near real time
- You have an Azure Databricks workspace on the Premium plan. Your compliance team must retain the raw audit logs for seven years at the lowest possible storage cost. The archived logs will not be queri
- Verbose audit logging adds notebook and SQL command events
Enabling verbose audit logging records additional fine-grained events such as commandSubmit, commandFinish, and runCommand, capturing notebook-cell and SQL-warehouse command activity that standard audit logging omits.
- Databricks-to-Databricks sharing needs no token when the recipient has Unity Catalog
When the recipient also has a Unity Catalog-enabled workspace, a recipient of authentication type DATABRICKS shares data over a secure Databricks-managed channel identified by a sharing identifier, so no bearer token is created or managed and identity, authentication, and auditing are handled by the platform.
Trap Databricks-to-Databricks sharing eliminates token management; only open sharing to a non-Databricks recipient issues a bearer token.
15 questions test this
- You have an Azure Databricks workspace that is enabled for Unity Catalog and manages a Delta table named Orders. You must share Orders with an external analytics firm that does not use Databricks and
- You have an Azure Databricks workspace enabled for Unity Catalog and must share the same Delta table with two recipients. RecipientA works in a separate Unity Catalog-enabled Databricks workspace. Rec
- You have an Azure Databricks workspace enabled for Unity Catalog and already use Databricks-to-Databricks sharing to share tables with a partner business unit on another Unity Catalog metastore. An au
- You have an Azure Databricks workspace named Providerws that is enabled for Unity Catalog and manages a Delta table named Sales1. A partner organization runs its own Azure Databricks workspace that is
- You have an Azure Databricks workspace enabled for Unity Catalog and a Delta table named Metrics. You must share Metrics with an external analytics partner who does not use Databricks and has no acces
- You have an Azure Databricks workspace enabled for Unity Catalog and want to set up Databricks-to-Databricks sharing with a recipient team that also uses a Unity Catalog-enabled workspace. Before you
- You have an Azure Databricks workspace enabled for Unity Catalog and need to share assets with a data science team in a different Databricks account on another cloud whose workspace is enabled for Uni
- Your company shares Delta tables with a subsidiary that runs Databricks on a different cloud and in a separate Databricks account. Both your metastore and the subsidiary's metastore are enabled for Un
- Your data platform team manages two Unity Catalog metastores in the same Azure Databricks account: metastore A, which holds a curated Sales catalog, and metastore B, used by another business unit. You
- You share data with an external partner who does not use Databricks. Your security team forbids managing any long-lived shared secret and wants the partner's own identity provider to issue short-lived
- You have an Azure Databricks workspace enabled for Unity Catalog. You need to share not only Delta tables but also a Databricks notebook, a Unity Catalog volume, and a registered Unity Catalog model w
- Contoso operates an Azure Databricks workspace named Analyticsws that is enabled for Unity Catalog and manages a curated Delta table named Revenue. A partner subsidiary, Fabrikam, runs its own Azure D
- You have an Azure Databricks workspace enabled for Unity Catalog and share a table with an external partner using Databricks-to-Open sharing with a bearer token. The partner's contract has ended and y
- You have an Azure Databricks workspace enabled for Unity Catalog. You must share a set of Delta tables with a partner so that the partner can use their own Unity Catalog to grant and revoke access to
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and contains a catalog named SalesCatalog that you must share with a partner team. The partner team works in i
- Open sharing uses a bearer token and credential file for non-Databricks recipients
Open sharing (the Databricks-to-open protocol) reaches recipients on any platform by authenticating a recipient of type TOKEN using a long-lived bearer token or OIDC federation; for a token, Databricks generates a credential file delivered via an activation link that must be secured and rotated.
16 questions test this
- You have an Azure Databricks workspace that is enabled for Unity Catalog and manages a Delta table named Orders. You must share Orders with an external analytics firm that does not use Databricks and
- You have an Azure Databricks workspace enabled for Unity Catalog and must share the same Delta table with two recipients. RecipientA works in a separate Unity Catalog-enabled Databricks workspace. Rec
- You have an Azure Databricks workspace named Providerws that is enabled for Unity Catalog and manages a Delta table named Sales1. A partner organization runs its own Azure Databricks workspace that is
- You have an Azure Databricks workspace enabled for Unity Catalog and use Databricks-to-Open sharing to share a table with an external recipient using a bearer token. You discover that the recipient's
- You have an Azure Databricks workspace enabled for Unity Catalog and share a table with an external partner using Databricks-to-Open sharing with a bearer token. Compliance now requires that the partn
- You have an Azure Databricks workspace enabled for Unity Catalog and a Delta table named Metrics. You must share Metrics with an external analytics partner who does not use Databricks and has no acces
- You have an Azure Databricks workspace enabled for Unity Catalog and must share data with an external partner that does not use Databricks. Your security policy states that no long-lived static shared
- Your company shares Delta tables with a subsidiary that runs Databricks on a different cloud and in a separate Databricks account. Both your metastore and the subsidiary's metastore are enabled for Un
- Your data platform team manages two Unity Catalog metastores in the same Azure Databricks account: metastore A, which holds a curated Sales catalog, and metastore B, used by another business unit. You
- You have an Azure Databricks workspace enabled for Unity Catalog and share a Delta table with an external partner using Databricks-to-Open sharing with a bearer token. The partner does not use Databri
- You share data with an external partner who does not use Databricks. Your security team forbids managing any long-lived shared secret and wants the partner's own identity provider to issue short-lived
- You have an Azure Databricks workspace enabled for Unity Catalog. You need to share not only Delta tables but also a Databricks notebook, a Unity Catalog volume, and a registered Unity Catalog model w
- Contoso operates an Azure Databricks workspace named Analyticsws that is enabled for Unity Catalog and manages a curated Delta table named Revenue. A partner subsidiary, Fabrikam, runs its own Azure D
- You have an Azure Databricks workspace enabled for Unity Catalog and share a table with an external partner using Databricks-to-Open sharing with a bearer token. The partner's contract has ended and y
- You have an Azure Databricks workspace enabled for Unity Catalog. You must share a set of Delta tables with a partner so that the partner can use their own Unity Catalog to grant and revoke access to
- You have an Azure Databricks workspace named Workspace1 that is enabled for Unity Catalog and contains a catalog named SalesCatalog that you must share with a partner team. The partner team works in i
A secure OpenSharing (previously Delta Sharing) strategy creates a share, adds only the specific tables or views to be exposed, and grants that share to a defined recipient, so the recipient receives read-only access to just the shared objects rather than to the whole metastore.
References
- COMMENT ON
- Add comments to data and AI assets
- Add AI-generated comments to Unity Catalog objects
- Row filters and column masks
- Create a dynamic view
- Attribute-based access control in Unity Catalog
- Governed tags
- When to use ABAC vs table-level row filters and column masks
- Lineage in Unity Catalog
- Audit log system table reference
- System tables reference
- Configure diagnostic log delivery
- Enable verbose audit logs
- Table properties reference
- Remove unused data files with vacuum
- What is OpenSharing?
- Create data recipients for OpenSharing (Databricks-to-Databricks sharing)
- Create a recipient object for non-Databricks users using bearer tokens (Databricks-to-Open sharing)