Skip to main content

Terraform Install

Unity Catalog Required

SAT v0.5.0 and higher requires Unity Catalog. Make sure Unity Catalog is enabled in your Databricks environment before installing SAT.

Note

We welcome your feedback and comments — please reach out to us at sat@databricks.com or open a GitHub issue.

Please review the Project Support section for important information on support and usage terms.

SAT can be set up on any of the cloud platforms where Databricks is hosted using Terraform. Please follow the setup guide specific to your cloud provider:

Permissions Analysis Setup

After installing SAT, complete the Permissions Analysis app setup as follows:

1. Deploy the app using the Databricks CLI

Deploy the app source code to the running app:

For DABS installations:

databricks apps deploy sat-permissions-exp --source-code-path /Workspace/Applications/SAT/files/app/brickhound

For Terraform installations:

databricks apps deploy sat-permissions-exp --source-code-path /Workspace/Repos/Applications/SAT_TF/app/brickhound
Note

The app compute may take a few minutes to start. Please make sure that Compute > Apps > sat-permissions-exp is "running" in your workspace before proceeding to the next step.

2. App resources and user authorization

The SQL warehouse, secrets, and the sql user-authorization scope required by the app are declared automatically by the SAT install (Terraform's databricks_app resource and the equivalent DABS apps resource). No manual UI configuration is required for new installs.

To verify the configuration applied correctly, open Compute → Apps → sat-permissions-exp → Edit and confirm:

SectionExpected entries
App resourceswarehouse (SQL warehouse, Can use), analysis_schema_name (secret, Can read), sql-warehouse-id (secret, Can read)
User authorizationsql scope present

3. Grant Unity Catalog permissions

The app uses on-behalf-of-user authentication, so each caller's queries run as that user — Unity Catalog enforces the caller's grants on the Permissions Analysis tables. Grant SELECT on those tables to the user(s) or group who will run permissions analyses:

GRANT SELECT ON TABLE `<catalog>`.`<schema>`.brickhound_vertices             TO `<admin_group>`;
GRANT SELECT ON TABLE `<catalog>`.`<schema>`.brickhound_edges                TO `<admin_group>`;
GRANT SELECT ON TABLE `<catalog>`.`<schema>`.brickhound_collection_metadata  TO `<admin_group>`;
Tip

Replace <catalog>, <schema>, and <admin_group> with the values used during your SAT install. The full setup, including the user-authorization scope and how the friendly no-access banner behaves, is documented on the Permissions Analysis page.