Immuta subscription policies will now grant to Immuta-generated Databricks Unity Catalog groups instead of individual users.
⚡ What's changing
When a subscription policy grants users access to a data source, Immuta will create groups in your Databricks environment that represent the permutations of access produced by evaluating existing policies against user attributes and groups, and will issue a single grant for each of those groups. Manual grants to individual users will continue to be issued as direct user grants in Databricks Unity Catalog.
This does not change how Immuta policies are authored and evaluated; it only changes how the grant is executed in Databricks.
Once this is enabled for your account, your Immuta-managed Databricks grants will be automatically migrated to use group grants. Once the group grants are in place, the legacy direct grants will be automatically revoked.
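The Python model below is an added illustration, not Immuta's code or algorithm. It shows how grouping by access reduces the number of grants and what the migration leaves behind. It assumes that users with an identical set of policy-granted tables share one group and that only SELECT is granted; the group names, users and tables are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: tables each user receives from subscription policies.
POLICY_ACCESS = {
    "ana@example.com": {"main.sales.orders", "main.sales.customers"},
    "bo@example.com": {"main.sales.orders", "main.sales.customers"},
    "cy@example.com": {"main.sales.orders", "main.sales.customers"},
    "di@example.com": {"main.sales.orders"},
}
# Constructed manual grants; these remain direct user grants and are never revoked here.
MANUAL_GRANTS = {"di@example.com": {"main.hr.salaries"}}


def plan_group_grants(policy_access, manual_grants):
    """Model the migration: one group per distinct access set, then
    revoke the legacy direct grants that the group grants replace."""
    members_by_access = defaultdict(set)
    for user, tables in policy_access.items():
        if tables:  # users with no policy access join no group
            members_by_access[frozenset(tables)].add(user)

    plan = {"groups": {}, "grants": [], "revokes": []}
    ordered = sorted(members_by_access.items(), key=lambda kv: sorted(kv[0]))
    for access, members in ordered:
        digest = hashlib.sha256("|".join(sorted(access)).encode()).hexdigest()[:8]
        group = f"example_access_{digest}"  # hypothetical name, not Immuta's scheme
        plan["groups"][group] = sorted(members)
        # A single grant per table for the whole group, however many members it has.
        plan["grants"] += [
            f"GRANT SELECT ON TABLE {t} TO `{group}`" for t in sorted(access)
        ]

    for user in sorted(policy_access):
        keep = manual_grants.get(user, set())  # manual grants stay direct
        plan["revokes"] += [
            f"REVOKE SELECT ON TABLE {t} FROM `{user}`"
            for t in sorted(policy_access[user]) if t not in keep
        ]
    return plan


if __name__ == "__main__":
    plan = plan_group_grants(POLICY_ACCESS, MANUAL_GRANTS)
    print(f"{len(plan['revokes'])} direct grants become {len(plan['grants'])} group grants")
    for statement in plan["grants"] + plan["revokes"]:
        print(statement)
```

In this model a new user who matches an existing access set costs a group membership change rather than additional table grants, which is why the grant count stays bounded as the user population grows.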
🔎 Why this change?
This update streamlines the grant process, better aligns with Databricks Unity Catalog grant limits, and allows you to operate at a greater scale.
🗓 Impact and timeline
This update requires the Immuta service principal to be a Unity Catalog workspace admin in order to create and manage groups. To learn more about this change and how to grant the necessary permission, see the documentation.
The release of this feature will follow Immuta’s behavior change release process. The specific dates for each phase in that process are outlined below.
All Unity Catalog customers must grant Immuta workspace admin privileges before opting in. For customers who have provided the required privileges, Immuta will begin rolling out this change on 4/2/26 and continue over the following weeks.