One of the biggest challenges in security-conscious enterprises is getting timely access to the right data. Data owners often juggle a flood of requests, while data consumers wait days—or even weeks—for approvals, slowing down analysis and decision-making. With Unity Catalog’s new Request for Access feature, you can eliminate bottlenecks by enabling self-service access requests directly from within Databricks, so the right people get the right data, faster, without sacrificing governance.
In this blog, we’ll explore how admin teams can get started by setting up access request destinations, explain how users can make access requests, and provide guidance on running a distributed model for access approvals with central admin oversight.
How Request for Access in Unity Catalog works
Request for Access streamlines data access provisioning for multiple personas:
- Data Consumers: No more guessing who to ask or where to send a ticket.
- Data Owners / Stewards: A streamlined approval process that reduces back-and-forth and keeps governance intact.
- Data Admins: A self-service system that scales, so you spend less time firefighting access requests.
Route access requests to the right place
Before users can request access, admins must configure access request destinations. These can be set at the catalog or schema level, and the configuration is inherited by all objects within them (tables, views, models, etc.).
You can choose from three destination types:
- Email Destinations: Send access request details to one or more email addresses.
- External Destinations: Route requests to Slack, Microsoft Teams, or any system that accepts incoming webhooks (e.g., Jira, ServiceNow).
- Redirect URL Destination: Redirect users to your organization’s external access request system instead of the in-product form.
💡Tip: Admins can set catalog owners as the default email destination for all catalogs via a toggle in the workspace admin page.
Request permissions right from where you work in Databricks
Once destinations are set, your users can request permissions from several in-product surfaces:
- Catalog Explorer: Request access to objects you can browse (via the BROWSE privilege) or have a direct link to.
- Authoring surfaces: When running a query that fails with an insufficient_permissions error, request access to the referenced tables directly.
- AI/BI Dashboards: In dashboards without embedded credentials, request read access to missing datasets directly from the panel.
Users can request access for themselves or on behalf of another user, group, or service principal. Requests are automatically sent to the destination set up by the admin.
[Screenshot: a user requesting access from Catalog Explorer]
[Screenshot: a user requesting access from a dashboard panel]
Review and approve with control
When a request is made, the configured destination receives all relevant details, including the requester’s name, the object name, the permissions requested, who the request is on behalf of (if different from the requester), and the reason for the request.
Approvers can click Open Permission Settings to go directly to the approval screen, where they have two options:
- Add Principal to Group: Add the requester to a group that already has permissions. Requires the group-manager role.
- Grant Privileges to Principal: Directly grant permissions on the object to the requesting user or group. Requires MANAGE privilege or ownership.
Using the group approach allows users who do not have ownership or the MANAGE privilege on an object in Unity Catalog to approve access requests for it. Admins can also use it to keep control over which permissions can be provisioned to users (e.g., a group with only SELECT ensures that only read access is granted).
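The choice between the two approval paths above can be expressed as a least-privilege check. The sketch below is an added example, not Databricks code: the record field names, the `APPROVAL_GROUPS` map, the sample principals and the `triage` function are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    # Mirrors the details a destination receives; attribute names are assumed.
    requester: str
    object_name: str
    privileges: frozenset
    reason: str
    on_behalf_of: Optional[str] = None

    @property
    def principal(self) -> str:
        # Access goes to the on-behalf-of principal when one is named.
        return self.on_behalf_of or self.requester


# Constructed sample: per object, the groups an approver may add members to
# and the privileges each group already holds on that object.
APPROVAL_GROUPS = {
    "sales.reporting.orders": {"orders_readers": frozenset({"SELECT"})},
}


def triage(req: AccessRequest, groups=APPROVAL_GROUPS) -> dict:
    """Choose the approval path that grants exactly what was requested."""
    result = {"principal": req.principal, "object": req.object_name}
    if not req.privileges or not req.reason.strip():
        return {**result, "action": "reject", "why": "missing privileges or reason"}
    for name, held in sorted(groups.get(req.object_name, {}).items()):
        if held == req.privileges:
            # Group membership grants neither more nor less than requested.
            return {**result, "action": "add_to_group", "group": name}
    # No exact-fit group: joining a broader one would over-provision, so the
    # request goes to someone with MANAGE or ownership for a direct grant.
    return {**result, "action": "direct_grant", "privileges": sorted(req.privileges)}


if __name__ == "__main__":
    read = AccessRequest("ana@example.com", "sales.reporting.orders",
                         frozenset({"SELECT"}), "Q3 revenue report",
                         on_behalf_of="svc-reporting")
    write = AccessRequest("ana@example.com", "sales.reporting.orders",
                          frozenset({"SELECT", "MODIFY"}), "backfill fix")
    print(triage(read))
    print(triage(write))
```

A read request that matches the SELECT-only group is routed to group membership for the on-behalf-of principal, while a request that also asks for MODIFY falls through to a direct grant by an owner or MANAGE holder.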
Get Started with Request for Access
By enabling Request for Access in Unity Catalog, you can democratize data discovery, streamline data access approvals, and empower teams to work with data faster, while maintaining governance.
To get started: