In modern enterprise landscapes, especially in SAP-driven ecosystems, data security is not just about who can access a table—it’s about which rows a user is allowed to see.
Traditional Role-Based Access Control (RBAC) often falls short when:
Image generated using AI Core - Gemini Flash Lite Model
This is where Attribute-Based Access Control (ABAC) in SAP Databricks Unity Catalog becomes powerful.
In this blog, we will:
ABAC allows access decisions based on:
Instead of hardcoding rules per table, you define:
Tags + UDF + Policy = Dynamic Row-Level Security
ABAC has three main components:
| Component | Purpose |
| Governed Tags | Classify data |
| Row Filter UDFs | Define access logic |
| Policies | Bind logic to data |
Let’s take an example.
ZSALES_ORDER (similar to VBAK)ZCUSTOMER (similar to KNA1)ZEMPLOYEE (HR data)| Role | Access |
| Sales Team | Only sales data for their region |
| Finance Team | Only finance-related records |
| HR Admins | Full access |
| Executives | All data |
Tags represent metadata similar to SAP data classification fields.
CREATE TAG sensitivity VALUES ('high', 'medium', 'low');
CREATE TAG department VALUES ('sales', 'finance', 'hr');
CREATE TAG region VALUES ('EMEA', 'APAC', 'NA');Apply tags to simulate SAP dictionary semantics.
ALTER TABLE main.sap.zsales_order
SET TAGS ('department'='sales', 'region'='EMEA');
ALTER TABLE main.sap.zcustomer
SET TAGS ('sensitivity'='high', 'department'='finance');
ALTER TABLE main.sap.zemployee
SET TAGS ('sensitivity'='high', 'department'='hr');This is where business logic resides.
CREATE OR REPLACE FUNCTION main.sap.filter_by_department(dept STRING, region STRING)
RETURNS BOOLEAN
RETURN
CASE
WHEN is_account_group_member('Executives') THEN TRUE
WHEN is_account_group_member('HR_Admins') THEN TRUE
WHEN is_account_group_member('Finance_Team') AND dept = 'finance' THEN TRUE
WHEN is_account_group_member('Sales_Team') AND dept = 'sales'
AND region = current_user_region() THEN TRUE
ELSE FALSE
END;Now bind everything together.
CREATE POLICY sap_data_access_policy
ON CATALOG main
COMMENT 'Enterprise-wide SAP data access control'
ROW FILTER main.sap.filter_by_department
TO `All Users` EXCEPT `Data_Admins`, `Executives`
FOR TABLES
WHEN has_tag_value('sensitivity', 'high')
MATCH COLUMNS has_tag('department') AS dept,
has_tag('region') AS region
USING COLUMNS (dept, region);When someone queries:
SELECT * FROM main.sap.zsales_order;Unity Catalog executes:
department, region)is_account_group_member()Use ABAC if:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| User | Count |
|---|---|
| 100 | |
| 49 | |
| 36 | |
| 26 | |
| 25 | |
| 23 | |
| 23 | |
| 22 | |
| 22 | |
| 22 |