In modern enterprise landscapes, especially in SAP-driven ecosystems, data security is not just about who can access a table—it’s about which rows a user is allowed to see.
Traditional Role-Based Access Control (RBAC) often falls short when:
- Data spans multiple domains (Finance, HR, Sales)
- Access depends on business attributes (department, region, sensitivity)
- Governance must scale across hundreds of tables
[Image generated using AI Core – Gemini Flash Lite Model]
This is where Attribute-Based Access Control (ABAC) in SAP Databricks Unity Catalog becomes powerful.
In this blog, we will:
- Understand ABAC-based Row-Level Security (RLS)
- Compare it with classic approaches
- Implement it step-by-step
- Apply it to an SAP dictionary dataset (like MARA, KNA1, etc.)
What is ABAC in SAP Databricks?
ABAC allows access decisions based on:
- Attributes of data (tags like department, sensitivity)
- Attributes of users (group membership)
- Policies that connect them
Instead of hardcoding rules per table, you define:
Tags + UDF + Policy = Dynamic Row-Level Security
Architecture Overview
ABAC has three main components:

Component          Purpose
Governed Tags      Classify data
Row Filter UDFs    Define access logic
Policies           Bind logic to data
Sample Scenario: Business Requirement
Let’s take an example.
Tables (SAP Dictionary-like)
- ZSALES_ORDER (similar to VBAK)
- ZCUSTOMER (similar to KNA1)
- ZEMPLOYEE (HR data)
Requirement

Role            Access
Sales Team      Only sales data for their region
Finance Team    Only finance-related records
HR Admins       Full access
Executives      All data
Step 1: Create Governed Tags
Tags represent metadata similar to SAP data classification fields.
-- Each governed tag carries a fixed set of allowed values
CREATE TAG sensitivity VALUES ('high', 'medium', 'low');
CREATE TAG department VALUES ('sales', 'finance', 'hr');
CREATE TAG region VALUES ('EMEA', 'APAC', 'NA');
Step 2: Tag SAP Tables
Apply tags to simulate SAP dictionary semantics.
-- Table-level tags; policies later match on these key/value pairs
ALTER TABLE main.sap.zsales_order
SET TAGS ('department' = 'sales', 'region' = 'EMEA');

ALTER TABLE main.sap.zcustomer
SET TAGS ('sensitivity' = 'high', 'department' = 'finance');

ALTER TABLE main.sap.zemployee
SET TAGS ('sensitivity' = 'high', 'department' = 'hr');
Step 3: Create Row Filter UDF
This is where business logic resides.
-- Row filter: returns TRUE for rows the calling user may see.
-- dept and region are the values of the tagged columns the policy passes in.
-- current_user_region() is assumed to be a helper UDF defined elsewhere
-- (it is not shown on this page); it should return the caller's region.
CREATE OR REPLACE FUNCTION main.sap.filter_by_department(dept STRING, region STRING)
RETURNS BOOLEAN
RETURN
  CASE
    WHEN is_account_group_member('Executives') THEN TRUE
    WHEN is_account_group_member('HR_Admins') THEN TRUE
    WHEN is_account_group_member('Finance_Team') AND dept = 'finance' THEN TRUE
    WHEN is_account_group_member('Sales_Team') AND dept = 'sales'
         AND region = current_user_region() THEN TRUE
    ELSE FALSE
  END;
Step 4: Create ABAC Policy
Now bind everything together.
-- Applies the row filter to every table in the catalog that matches the
-- WHEN clause; the MATCH COLUMNS aliases are bound to the UDF parameters.
CREATE POLICY sap_data_access_policy
ON CATALOG main
COMMENT 'Enterprise-wide SAP data access control'
ROW FILTER main.sap.filter_by_department
TO `All Users` EXCEPT `Data_Admins`, `Executives`
FOR TABLES
WHEN has_tag_value('sensitivity', 'high')
MATCH COLUMNS has_tag('department') AS dept,
              has_tag('region') AS region
USING COLUMNS (dept, region);
What Happens at Runtime?
When someone queries:
SELECT * FROM main.sap.zsales_order;
Unity Catalog executes:
- Checks applicable policies
- Validates tags (department, region)
- Extracts tagged columns
- Passes values into UDF
- Evaluates user group via is_account_group_member()
- Filters rows dynamically
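To make the runtime flow above concrete, here is an added Python model of how the Step 3 UDF and the Step 4 policy decide which rows a caller gets back. It is illustration code written for this page, not SAP or Databricks code and not how Unity Catalog is implemented. Assumptions, beyond what the page shows: the user's region is stored on the user object in place of the page's current_user_region() helper; the department and region tags are assumed to sit on two columns (named owning_dept and sales_region here) so that MATCH COLUMNS has something to bind; the sample rows are constructed; and the sales table carries sensitivity=high so that the policy's WHEN clause matches, which the Step 2 tagging on this page does not give it. The second table shows what happens without that tag.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    groups: set
    region: str  # stands in for the page's (assumed) current_user_region() helper


@dataclass
class Table:
    name: str
    tags: dict         # table-level tags, as set by ALTER TABLE ... SET TAGS
    column_tags: dict  # column name -> tag name; what MATCH COLUMNS has_tag() resolves
    rows: list


def filter_by_department(user, dept, region):
    """Python mirror of main.sap.filter_by_department; True keeps the row visible."""
    if "Executives" in user.groups or "HR_Admins" in user.groups:
        return True
    if "Finance_Team" in user.groups and dept == "finance":
        return True
    if "Sales_Team" in user.groups and dept == "sales" and region == user.region:
        return True
    return False


# sap_data_access_policy, reduced to the three clauses that decide filtering
POLICY = {
    "except": {"Data_Admins", "Executives"},              # TO `All Users` EXCEPT ...
    "when": ("sensitivity", "high"),                      # WHEN has_tag_value(...)
    "match": {"dept": "department", "region": "region"},  # MATCH COLUMNS ... AS dept/region
}


def policy_applies(user, table, policy=POLICY):
    """Skipped for excepted principals and for tables lacking the WHEN tag."""
    if user.groups & policy["except"]:
        return False
    tag, value = policy["when"]
    return table.tags.get(tag) == value


def resolve_columns(table, policy=POLICY):
    """Per alias, find the column carrying the tag named in MATCH COLUMNS."""
    by_tag = {tag: col for col, tag in table.column_tags.items()}
    missing = [tag for tag in policy["match"].values() if tag not in by_tag]
    if missing:
        raise ValueError(f"{table.name}: no column tagged {missing}; policy cannot bind")
    return {alias: by_tag[tag] for alias, tag in policy["match"].items()}


def query(user, table, policy=POLICY):
    """SELECT * FROM table, as the user sees it once the row filter has run."""
    if not policy_applies(user, table, policy):
        return list(table.rows)
    cols = resolve_columns(table, policy)
    return [row for row in table.rows
            if filter_by_department(user, row[cols["dept"]], row[cols["region"]])]


# Constructed sample data. sensitivity=high is present here on purpose: without
# it the policy's WHEN clause never matches and no filtering happens at all.
ZSALES_ORDER = Table(
    name="main.sap.zsales_order",
    tags={"sensitivity": "high", "department": "sales"},
    column_tags={"owning_dept": "department", "sales_region": "region"},
    rows=[
        {"vbeln": "0001", "owning_dept": "sales", "sales_region": "EMEA"},
        {"vbeln": "0002", "owning_dept": "sales", "sales_region": "APAC"},
        {"vbeln": "0003", "owning_dept": "finance", "sales_region": "EMEA"},
    ],
)
# Same rows, tagged only as the page's Step 2 shows (no sensitivity tag).
ZSALES_ORDER_UNTAGGED = Table("main.sap.zsales_order", {"department": "sales"},
                              ZSALES_ORDER.column_tags, ZSALES_ORDER.rows)

SALES_EMEA = User("anna", {"Sales_Team"}, "EMEA")
FINANCE = User("ben", {"Finance_Team"}, "NA")
EXECUTIVE = User("cora", {"Executives"}, "APAC")
ANALYST = User("dev", {"Analysts"}, "EMEA")   # no matching group: sees nothing


def visible_orders(user, table):
    """Order numbers the user can read from the table."""
    return [row["vbeln"] for row in query(user, table)]


if __name__ == "__main__":
    for u in (SALES_EMEA, FINANCE, EXECUTIVE, ANALYST):
        print(u.name, visible_orders(u, ZSALES_ORDER))
    print("no sensitivity tag:", visible_orders(SALES_EMEA, ZSALES_ORDER_UNTAGGED))
```

Two checks fall out of running it: an excepted principal (Executives) bypasses the policy entirely rather than being let through by the UDF, and a table that lacks the sensitivity=high tag is returned unfiltered to everyone, so tag coverage is the first thing to audit when rows show up that should not.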
When to Use ABAC
Use ABAC if:
- You have multiple SAP datasets
- Data is shared across domains
- Governance needs to scale
- You integrate SAP + SAP Datasphere / Databricks