Production-ready governance templates for Databricks Unity Catalog.
Implement enterprise-grade data governance in hours, not months.



1. Overview
2. Architecture
3. Quick Start
10. FAQ
11. Contributing
12. License
The Unity Catalog Governance Pack provides a complete, ready-to-deploy governance
framework for Databricks Unity Catalog environments. It includes:
automation for setting up and auditing permissions across catalogs, schemas, and tables.
Confidential, Restricted) with automated PII scanning, tagging, and coverage reporting.
data portability, consent tracking, subject access requests) and CCPA (opt-out tracking,
data disclosure) with detailed compliance checklists including SOC 2 Type II.
and encryption patterns for defense-in-depth.
and dashboard data generation for continuous governance monitoring.
framework using the Databricks Terraform provider.
| Problem | Solution |
|---|---|
| No standardized access control | Five-tier RBAC with permission matrix |
| Unknown PII exposure | Automated PII scanner with 7+ detection patterns |
| GDPR/CCPA compliance gaps | Ready-to-run compliance scripts |
| Manual governance auditing | Automated governance scanner and dashboard |
| Inconsistent tagging | Tag propagation and policy enforcement |
| No infrastructure-as-code | Complete Terraform module |
+------------------------------------------------------------------+
| Unity Catalog Metastore |
| |
| +------------------+ +------------------+ +------------------+ |
| | Catalog: prod | | Catalog: dev | | Catalog: staging| |
| | +------------+ | | +------------+ | | +------------+ | |
| | | Schema: | | | | Schema: | | | | Schema: | | |
| | | customers | | | | customers | | | | customers | | |
| | +------------+ | | +------------+ | | +------------+ | |
| | | Schema: | | | | Schema: | | | | Schema: | | |
| | | analytics | | | | analytics | | | | analytics | | |
| | +------------+ | | +------------+ | | +------------+ | |
| +------------------+ +------------------+ +------------------+ |
+------------------------------------------------------------------+
| | |
v v v
+------------------------------------------------------------------+
| Governance Layer |
| |
| +-----------+ +----------------+ +-------------+ +----------+ |
| | RBAC | | Classification | | Compliance | | Security | |
| | Roles & | | Tags & PII | | GDPR, CCPA | | RLS, Col | |
| | Groups | | Scanning | | Automation | | Masking | |
| +-----------+ +----------------+ +-------------+ +----------+ |
| |
| +-----------+ +----------------+ +---------------------------+ |
| | Automation| | Terraform | | Monitoring & | |
| | Scanner & | | IaC Module | | Dashboards | |
| | Enforcer | | | | | |
| +-----------+ +----------------+ +---------------------------+ |
+------------------------------------------------------------------+
1. DEPLOY -> Terraform provisions UC resources, groups, grants
2. CLASSIFY -> PII Scanner identifies sensitive data, applies tags
3. SECURE -> Row-level security + column masking applied
4. COMPLY -> GDPR/CCPA handlers registered for data subject requests
5. MONITOR -> Governance scanner runs on schedule, generates reports
6. ENFORCE -> Policy enforcer blocks non-compliant operations
7. AUDIT -> Permission auditor validates RBAC matrix continuously
databricks-sdk installedpip install databricks-sdk pyyaml pandasexport DATABRICKS_HOST="https://your-workspace.cloud.databricks.com"
export DATABRICKS_TOKEN="your-personal-access-token"# Review and customize the role definitions
vi rbac/role_definitions.yaml
# Apply roles via SQL
databricks workspace import rbac/setup_roles.sql /Shared/governance/setup_roles
# Or use the Python automation
python rbac/setup_roles.py --catalog prod --dry-run
python rbac/setup_roles.py --catalog prod# Scan a specific catalog
python classification/pii_scanner.py --catalog prod --schema customers
# Scan everything
python classification/pii_scanner.py --catalog prod --all-schemas-- Run in Databricks SQL
-- See classification/apply_tags.sql for full examples
ALTER TABLE prod.customers.profiles
SET TAGS ('classification' = 'confidential', 'contains_pii' = 'true');cd terraform/
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values
terraform init
terraform plan
terraform applyFollow this guide to get unity catalog governance pack up and running in your environment.
Location: rbac/
The RBAC module implements a five-tier role hierarchy designed for enterprise
data platforms:
| Role | Description | Typical Members |
|---|---|---|
admin | Full metastore and catalog management | Platform team leads |
engineer | Create/modify schemas and tables | Data engineers |
analyst | Read access + create views/functions | Data analysts, scientists |
viewer | Read-only access to approved datasets | Business users, dashboards |
service_account | Scoped access for automated pipelines | ETL jobs, CI/CD |
Role Inheritance: Each role inherits all permissions of the roles below it
in the hierarchy. Admins inherit engineer permissions, engineers inherit analyst
permissions, and so on.
Files:
role_definitions.yaml - Complete role hierarchy with descriptions and member patternspermission_matrix.yaml - Granular permissions per role for every securable object typesetup_roles.sql - Databricks SQL statements to create groups and apply grantssetup_roles.py - Python SDK automation with dry-run support and rollbackaudit_permissions.py - Validates current state matches the expected permission matrixUsage:
from rbac.setup_roles import RBACManager
manager = RBACManager(catalog="prod")
manager.setup_all_roles(dry_run=True) # Preview changes
manager.setup_all_roles(dry_run=False) # Apply changesLocation: classification/
Implements a four-tier data classification framework aligned with common
enterprise standards:
| Tier | Label | Description | Example |
|---|---|---|---|
| 1 | Public | No restrictions, safe for external sharing | Product catalog |
| 2 | Internal | Internal use only, no PII | Aggregated metrics |
| 3 | Confidential | Contains PII or business-sensitive data | Customer profiles |
| 4 | Restricted | Highly sensitive, regulatory requirements | Payment data, SSNs |
PII Detection Capabilities:
The pii_scanner.py detects the following PII types using a combination of
regex pattern matching and column name heuristics:
Files:
classification_framework.yaml - Tier definitions, handling requirements, retention policiesapply_tags.sql - SQL templates for applying classification tagspii_scanner.py - Automated PII detection enginepii_patterns.yaml - Configurable regex patterns and column name heuristicsclassification_report.py - Coverage report generatorLocation: compliance/
Production-ready compliance implementations for GDPR and CCPA, with audit
checklists for SOC 2 Type II.
#### GDPR (General Data Protection Regulation)
right_to_deletion.py - Implements Article 17 (right to erasure) with Delta LakeDELETE operations across all tables containing user data, with full audit logging
data_portability.py - Implements Article 20 (data portability) by exporting alluser data in JSON and CSV formats
consent_tracking.sql - Schema and queries for managing user consent recordsdata_subject_request.py - Unified handler for all data subject access requests#### CCPA (California Consumer Privacy Act)
do_not_sell.py - Manages opt-out flags and ensures data is excluded fromthird-party sharing pipelines
data_disclosure.py - Generates comprehensive data disclosure reports showingall data collected about a consumer
#### Compliance Checklists
gdpr_checklist.md - 40+ item GDPR compliance checklistccpa_checklist.md - 30+ item CCPA compliance checklistsoc2_checklist.md - SOC 2 Type II controls mapping to Unity Catalog featuresLocation: security/
Defense-in-depth security patterns for Unity Catalog:
row_level_security.sql): Dynamic views that filterrows based on the current user's group membership, supporting multi-tenant
data isolation patterns.
column_masking.sql): Three masking strategies:***)network_security.md): Guide for private endpoints,IP access lists, VNet injection, and network peering.
encryption_guide.md): Patterns for encryption at rest(customer-managed keys) and in transit (TLS, workspace encryption).
Location: automation/
Continuous governance monitoring and enforcement:
tag_propagation.py - When a source table is tagged, automatically propagatetags to all downstream tables discovered via Unity Catalog lineage.
governance_scanner.py - Scans workspace for governance violations:policy_enforcer.py - Blocks operations that violate governance policies:governance_dashboard.py - Generates JSON metrics for dashboarding:Location: terraform/
Infrastructure-as-Code module for deploying the complete governance framework:
module "governance" {
source = "./terraform"
catalogs = ["prod", "staging", "dev"]
admin_group = "data-platform-admins"
engineer_group = "data-engineers"
analyst_group = "data-analysts"
viewer_group = "data-viewers"
enable_audit_log = true
}Resources Created:
All configuration is driven by YAML files that you customize before deployment:
roles:
admin:
description: "Full metastore and catalog management"
members:
- "platform-lead@your-org.com"patterns:
email:
regex: "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
column_hints: ["email", "e_mail", "email_address"]databricks_host = "https://your-workspace.cloud.databricks.com"
catalogs = ["prod", "staging", "dev"]Use ADF to orchestrate governance scans on a schedule:
{
"name": "GovernanceScanPipeline",
"activities": [
{
"name": "RunGovernanceScanner",
"type": "DatabricksNotebook",
"linkedServiceName": "AzureDatabricks",
"typeProperties": {
"notebookPath": "/Shared/governance/governance_scanner"
}
}
]
}Create a scheduled job for continuous governance monitoring:
# Schedule governance scanner as a Databricks job
job_config = {
"name": "governance-scanner-daily",
"schedule": {
"quartz_cron_expression": "0 0 6 * * ?",
"timezone_id": "UTC"
},
"tasks": [
{
"task_key": "scan",
"python_wheel_task": {
"package_name": "governance_pack",
"entry_point": "scan"
}
}
]
}Configure the governance scanner to send alerts:
scanner = GovernanceScanner(catalog="prod")
violations = scanner.scan_all()
if violations:
# Send to webhook
webhook_url = dbutils.secrets.get("governance", "slack-webhook")
send_alert(webhook_url, violations)1. Deploy Terraform module to create catalogs, groups, and base permissions
2. Run setup_roles.py to configure RBAC across all catalogs
3. Validate with audit_permissions.py
1. Run PII scanner across all schemas
2. Review findings and apply classification tags
3. Generate classification coverage report
4. Set up column masking for sensitive fields
1. Deploy consent tracking schema
2. Configure GDPR right-to-deletion handlers
3. Set up CCPA opt-out tracking
4. Run through compliance checklists
1. Deploy governance scanner as a scheduled job
2. Enable tag propagation for lineage-based tagging
3. Activate policy enforcer for new table creation
4. Set up governance dashboard
1. Review governance dashboard weekly
2. Address violations flagged by the scanner
3. Re-run PII scanner monthly for new data
4. Update compliance checklists quarterly
Get the full Unity Catalog Governance Pack and unlock everything.
Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.
Access all interactive tools with complete data, all workload profiles, and the full scenario library.
Downloadable source code, configuration files, and working examples from every chapter.
Free updates for life. Every new chapter, tool, and improvement included.