DP-750 Study Guide

Domain 1: Set Up and Configure an Azure Databricks Environment

  • Azure Databricks: Your Lakehouse Platform Free
  • Choosing the Right Compute Free
  • Configuring Compute for Performance Free
  • Unity Catalog: The Three-Level Namespace Free
  • Tables, Views & External Catalogs Free

Domain 2: Secure and Govern Unity Catalog Objects

  • Securing Unity Catalog: Who Gets What
  • Secrets & Authentication
  • Data Discovery & Attribute-Based Access
  • Row Filters, Column Masks & Retention
  • Lineage, Audit Logs & Delta Sharing

Domain 3: Prepare and Process Data

  • Data Modeling: Ingestion Design Free
  • SCD, Granularity & Temporal Tables
  • Partitioning, Clustering & Table Optimization
  • Ingesting Data: Lakeflow Connect & Notebooks
  • Ingesting Data: SQL Methods & CDC
  • Streaming Ingestion: Structured Streaming & Event Hubs
  • Auto Loader & Declarative Pipelines
  • Cleansing & Profiling Data Free
  • Transforming & Loading Data
  • Data Quality & Schema Enforcement

Domain 4: Deploy and Maintain Data Pipelines and Workloads

  • Building Data Pipelines Free
  • Lakeflow Jobs: Create & Configure
  • Lakeflow Jobs: Schedule, Alerts & Recovery
  • Git & Version Control
  • Testing & Databricks Asset Bundles
  • Monitoring Clusters & Troubleshooting
  • Spark Performance: DAG & Query Profile
  • Optimizing Delta Tables & Azure Monitor

Domain 2: Secure and Govern Unity Catalog Objects (~14 min read)

Securing Unity Catalog: Who Gets What

Grant privileges, implement table and column-level access control, and configure row-level security: the core of Unity Catalog's security model.

How Unity Catalog security works

☕ Simple explanation

Unity Catalog security works like a building with security badges.

Every person (user), robot (service principal), or team (group) gets a badge. The badge determines which floors (catalogs), rooms (schemas), and file cabinets (tables) they can access.

Permissions flow downward: if you have access to a floor, you can enter every room on that floor unless a specific room is locked. This is called privilege inheritance.

For extra sensitive data, you can lock individual drawers (columns) or show different drawer contents to different people (row-level security).

Unity Catalog uses a privilege-based security model with three types of principals: users (human accounts via Entra ID), service principals (application identities), and groups (collections of users/SPs). Privileges are granted on securable objects (metastore, catalog, schema, table, view, volume, function) and inherit downward through the hierarchy.

Beyond object-level access, Unity Catalog supports column-level access control (restrict which columns a principal can see), row-level security (filter rows based on the querying user), and dynamic data masking via row filters and column masks.

Principals: who can access data

| Principal Type | What It Is | Example |
| --- | --- | --- |
| User | Individual human identity (synced from Microsoft Entra ID) | ravi.nair@datapulse.com |
| Service principal | Application identity for automated access | sp-etl-pipeline |
| Group | Collection of users and/or service principals | data-engineers, bi-analysts |

Best practice: Always grant permissions to groups, not individual users. When Mei Lin onboards a new analyst at Freshmart, she adds them to the bi-analysts group, and they instantly inherit all the right permissions.

Privilege hierarchy

Privileges flow down the Unity Catalog namespace:

Metastore
  └── Catalog (GRANT on catalog → inherits to all schemas/tables below)
        └── Schema (GRANT on schema → inherits to all tables below)
              └── Table / View / Volume / Function

Common privileges

| Privilege | What It Allows | Securable Objects |
| --- | --- | --- |
| SELECT | Read data | Table, View |
| MODIFY | Insert, update, delete data | Table |
| CREATE TABLE | Create tables within a schema | Schema |
| CREATE SCHEMA | Create schemas within a catalog | Catalog |
| USE CATALOG | Access objects in the catalog | Catalog |
| USE SCHEMA | Access objects in the schema | Schema |
| ALL PRIVILEGES | Full access | Any securable |
| EXECUTE | Run a function | Function |

-- Grant a group permission to read all tables in a schema
GRANT USE CATALOG ON CATALOG prod_sales TO `bi-analysts`;
GRANT USE SCHEMA ON SCHEMA prod_sales.reports TO `bi-analysts`;
GRANT SELECT ON SCHEMA prod_sales.reports TO `bi-analysts`;

-- Grant a service principal full access to raw data
GRANT ALL PRIVILEGES ON SCHEMA prod_sales.raw TO `sp-etl-pipeline`;

-- Revoke access
REVOKE SELECT ON TABLE prod_sales.curated.customer_pii FROM `bi-analysts`;

💡 Exam tip: USE CATALOG + USE SCHEMA are required

A common exam trap: granting SELECT on a table is not enough. The principal also needs:

  1. USE CATALOG on the parent catalog
  2. USE SCHEMA on the parent schema
  3. SELECT on the table

Without all three, the query fails with a "catalog not found" or "schema not found" error. The exam tests this with scenarios where a user has SELECT but can't see the table.
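To make the three-grant rule and downward inheritance concrete, here is a small Python model of how Unity Catalog resolves effective access (an added illustration for this guide, not Databricks code). The group memberships, grants and table names are constructed sample data that mirror the grant statements above; note that the service principal with ALL PRIVILEGES on a schema still comes up short because nothing granted it USE CATALOG on the parent catalog.

```python
"""Toy model of Unity Catalog privilege resolution (added illustration, not
Databricks code): grants inherit down catalog -> schema -> table, group
membership applies, and a read needs USE CATALOG + USE SCHEMA + SELECT."""

# Constructed sample data (not from a real workspace): group memberships.
MEMBERS = {
    "bi-analysts": {"ravi.nair@datapulse.com", "new.analyst@datapulse.com"},
    "data-engineers": {"sp-etl-pipeline"},
}

# Constructed grants as (privilege, securable, grantee); securables are dotted UC paths.
GRANTS = [
    ("USE CATALOG", "prod_sales", "bi-analysts"),
    ("USE SCHEMA", "prod_sales.reports", "bi-analysts"),
    ("SELECT", "prod_sales.reports", "bi-analysts"),  # inherits to every table in reports
    ("SELECT", "prod_sales.curated.orders", "ravi.nair@datapulse.com"),  # but no USE SCHEMA on curated
    ("ALL PRIVILEGES", "prod_sales.raw", "data-engineers"),  # schema-level only, no USE CATALOG
]

def principals_for(user):
    """A user acts as itself plus every group it belongs to."""
    return {user} | {g for g, members in MEMBERS.items() if user in members}

def has_privilege(user, privilege, securable):
    """True if the privilege (or ALL PRIVILEGES) is granted on the securable or
    on any ancestor object to the user or one of the user's groups."""
    who = principals_for(user)
    parts = securable.split(".")
    ancestors = {".".join(parts[:i]) for i in range(1, len(parts) + 1)}
    return any(
        obj in ancestors and grantee in who and priv in (privilege, "ALL PRIVILEGES")
        for priv, obj, grantee in GRANTS
    )

def missing_for_select(user, table):
    """List the grants a user still lacks to read a three-level table name.
    An empty list means the query would succeed under this model."""
    catalog, schema, _ = table.split(".")
    required = [("USE CATALOG", catalog), ("USE SCHEMA", f"{catalog}.{schema}"), ("SELECT", table)]
    return [f"{p} ON {obj}" for p, obj in required if not has_privilege(user, p, obj)]

if __name__ == "__main__":
    for user, table in [("ravi.nair@datapulse.com", "prod_sales.reports.daily_revenue"),
                        ("ravi.nair@datapulse.com", "prod_sales.curated.orders"),
                        ("sp-etl-pipeline", "prod_sales.raw.events")]:
        gaps = missing_for_select(user, table)
        print(f"{user} -> {table}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Feeding it the output of SHOW GRANTS for a real workspace is a quick way to spot principals that hold SELECT but lack the USE privileges on the parents.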

Table and column-level access control

Column-level access

Restrict which columns specific users can see:

-- Analyst group can see orders but NOT customer_email or credit_card
GRANT SELECT (order_id, order_date, amount, region)
  ON TABLE prod_sales.curated.orders
  TO `bi-analysts`;

When a BI analyst queries the table, they only see the four granted columns. Attempting to SELECT customer_email returns an access denied error.

Row-level security

Row-level security filters rows based on who's querying. Dr. Sarah Okafor uses this at Athena Group so each regional manager only sees their own region's data:

-- Create a row filter function
CREATE FUNCTION prod_sales.functions.region_filter(region_col STRING)
RETURN IF(
  IS_ACCOUNT_GROUP_MEMBER('global-admins'),
  TRUE,  -- admins see everything
  region_col = CURRENT_USER_ATTRIBUTE('region')  -- others see only their region
);

-- Apply the row filter to a table
ALTER TABLE prod_sales.curated.daily_revenue
  SET ROW FILTER prod_sales.functions.region_filter ON (region);

Now when a user in the APAC group queries daily_revenue, they only see APAC rows. Global admins see all rows.

Compute access permissions

Compute resources also have access controls:

| Permission | What It Allows |
| --- | --- |
| CAN ATTACH TO | Use the cluster to run notebooks |
| CAN RESTART | Restart the cluster |
| CAN MANAGE | Full control (configure, start, stop, delete) |

Dr. Sarah Okafor grants:
- data-engineers group → CAN MANAGE on dev clusters
- bi-analysts group → CAN ATTACH TO on shared SQL warehouse
- sp-etl-pipeline → CAN ATTACH TO on job clusters

Exam tip: Compute permissions are separate from data permissions. A user needs BOTH compute access (to run queries) AND data access (to read tables).

Question

What three things does a user need to query a table in Unity Catalog?

Answer

1) USE CATALOG on the parent catalog, 2) USE SCHEMA on the parent schema, 3) SELECT on the table. Missing any one of these causes an access denied error.

Question

What is the difference between column-level access and row-level security?

Answer

Column-level access restricts WHICH COLUMNS a user can see (GRANT SELECT on specific columns). Row-level security restricts WHICH ROWS a user can see (using a row filter function that evaluates per-user context).

Question

Why should you grant permissions to groups rather than individual users?

Answer

Groups simplify permission management: add/remove users from the group and they instantly inherit/lose permissions. Granting to individuals creates maintenance overhead and inconsistency as teams change.

Knowledge check

A BI analyst at Freshmart reports they can't find the 'prod_sales' catalog when running queries. Mei Lin checks and confirms the analyst has SELECT on the table they need. What is the most likely cause?

Dr. Sarah Okafor needs to ensure that each regional sales manager at Athena Group can only see data from their own region when querying the daily_revenue table. Global admins should see all regions. Which approach should she use?


Next up: Secrets & Authentication, covering Azure Key Vault integration, service principals, and managed identities.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.