Immuta subscription policies will now issue grants to Databricks Unity Catalog groups that Immuta generates dynamically, instead of to individual users.
For these subscription types, Immuta will create groups in your Databricks environment that represent the realized permutations of access based on existing policies against user attributes and groups, and will create a single grant for each of those groups. Manual grants to individual users will continue to be issued as direct user grants in Databricks Unity Catalog.
This does not change at all how Immuta policies are authored and evaluated; it is simply an implementation detail of how the grant is executed in Databricks.
This update streamlines the grant process, better aligns with Databricks Unity Catalog grant limits, and allows you to operate at a greater scale.
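To make the effect on grant counts concrete, the following added example (not Immuta's code or algorithm) models a "permutation of access" as a distinct set of tables a user is entitled to and compares per-user grants with per-group grants. The users, attributes, table names, policies and group names are constructed, and counting one grant per (principal, table) pair is an assumption of the model.

```python
from collections import defaultdict

# Constructed sample data: user attributes and subscription policies (hypothetical names).
USERS = {
    "alice": {"dept:finance", "region:us"},
    "bob": {"dept:finance", "region:us"},
    "carol": {"dept:finance", "region:eu"},
    "dave": {"dept:hr", "region:us"},
    "erin": {"dept:hr", "region:us"},
    "frank": {"region:eu"},
}
# Each policy: table -> attributes a user must all hold to be subscribed.
POLICIES = {
    "fin.ledger": {"dept:finance"},
    "fin.us_payroll": {"dept:finance", "region:us"},
    "hr.employees": {"dept:hr"},
    "shared.eu_sales": {"region:eu"},
}

def entitlements(attrs):
    """Tables whose policy is satisfied by this user's attributes."""
    return frozenset(t for t, required in POLICIES.items() if required <= attrs)

def per_user_grants():
    """One grant per (user, table) pair: direct user grants."""
    return sorted((u, t) for u, a in USERS.items() for t in entitlements(a))

def group_plan():
    """Collapse users with identical realized access into one group each."""
    members = defaultdict(set)
    for user, attrs in USERS.items():
        access = entitlements(attrs)
        if access:  # users with no access get no group
            members[access].add(user)
    # Hypothetical group names; real generated names are not given on the page.
    ordered = sorted(members.items(), key=lambda kv: sorted(kv[0]))
    return {f"example_group_{i}": (sorted(users), sorted(access))
            for i, (access, users) in enumerate(ordered)}

def per_group_grants(plan):
    """One grant per (group, table) pair: grants issued to groups."""
    return sorted((g, t) for g, (_, tables) in plan.items() for t in tables)

if __name__ == "__main__":
    plan = group_plan()
    for name, (users, tables) in plan.items():
        print(name, users, "->", tables)
    print("per-user grants:", len(per_user_grants()))
    print("per-group grants:", len(per_group_grants(plan)))
```

In this model the grant count grows with the number of distinct access sets, not with the number of users, so group membership becomes the thing to review when auditing who can reach a table.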
This update requires the Immuta service principal to be a Unity Catalog workspace admin in order to create and manage groups. To learn more about this change and how to grant the necessary permission, see the documentation.
🗓 The release of this feature will follow Immuta’s behavior change release process. The specific dates for each phase in that process are outlined below.