Connect Single Origin to Databricks
Single Origin reads metadata only from your Databricks workspace — catalog, schema, table, view, and column information plus comments and lineage exposed through Unity Catalog. It never reads the contents of your tables.
Previously this required exporting Parquet files and uploading them to S3. That step is gone. You now connect Single Origin by granting a dedicated service principal the Unity Catalog BROWSE privilege, which is purpose-built for metadata discovery. The setup takes a few minutes and nothing leaves your environment.
What you're granting
You grant a service principal representing Single Origin the following. None of these grant access to the data inside your tables.
| Grant | Scope | What it allows |
|---|---|---|
| BROWSE | Catalog | Discover objects and view their metadata — names, schemas, columns, comments, tags, lineage, and information_schema — without read access to the underlying data. Works independently of USE CATALOG / USE SCHEMA. |
| CAN USE on a SQL warehouse | Workspace | Compute to run the metadata queries. This is compute access only; it grants no access to data. |
| Workspace access | Workspace | Allows the service principal to connect to the workspace. |
BROWSE is the Unity Catalog privilege designed for exactly this: it lets a principal see that objects exist and read their metadata while keeping data access fully restricted.
Before you start
You'll need:
- An account admin or metastore admin (to grant BROWSE), plus a workspace admin (to add the service principal and grant warehouse access).
- A service principal for Single Origin. Create one in the account console under User management → Service principals, then generate an OAuth secret (client ID + secret) for it. You'll share the client ID and secret with Single Origin; Single Origin connects using OAuth machine-to-machine authentication.
- A SQL warehouse Single Origin can use to run metadata queries (a Small or 2X-Small is sufficient).
- Your workspace URL and the warehouse's HTTP path (find both under the warehouse's Connection details tab).
Throughout the steps below,
Option 1 — Catalog Explorer and workspace UI
- Add the service principal to the workspace. In the account console, open Workspaces → your workspace → Permissions, and add the Single Origin service principal.
- Grant BROWSE on each catalog. In your workspace, click Catalog, select a catalog, open the Permissions tab, click Grant, choose the Single Origin service principal, and select BROWSE. Repeat for every catalog you want Single Origin to see.
- Grant warehouse access. Open SQL Warehouses, select the warehouse, open Permissions, and give the service principal Can use.
Option 2 — SQL
Run once per catalog you want Single Origin to see (in a notebook or the SQL editor):
    GRANT BROWSE ON CATALOG `<catalog_name>` TO `<single-origin-application-id>`;

BROWSE is granted at the catalog level and covers all objects within that catalog. Warehouse access and workspace access are set in the UI (Option 1), the Databricks CLI, or Terraform (Option 3) — they aren't GRANT statements.
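To confirm the service principal ended up with BROWSE and nothing more, an audit query like the following can be run after the grants. It is an added example, not part of Single Origin's own setup, and it assumes the Unity Catalog `system.information_schema` privilege views are available and that you run it as a metastore admin.

```sql
-- Added example: list every Unity Catalog privilege held by the
-- Single Origin service principal other than BROWSE.
-- An empty result means the principal has metadata-only access.
-- Assumptions: grants were made directly to the service principal
-- (grants reaching it through group membership are recorded under the
-- group's name and need a separate check), and the caller can see all
-- rows in system.information_schema (for example, a metastore admin).
WITH grants AS (
  SELECT 'CATALOG' AS securable_type,
         catalog_name AS securable,
         grantee, privilege_type, inherited_from
  FROM system.information_schema.catalog_privileges
  UNION ALL
  SELECT 'SCHEMA',
         concat(catalog_name, '.', schema_name),
         grantee, privilege_type, inherited_from
  FROM system.information_schema.schema_privileges
  UNION ALL
  SELECT 'TABLE',
         concat(table_catalog, '.', table_schema, '.', table_name),
         grantee, privilege_type, inherited_from
  FROM system.information_schema.table_privileges
)
SELECT securable_type, securable, privilege_type, inherited_from
FROM grants
WHERE grantee = '<single-origin-application-id>'
  AND upper(privilege_type) <> 'BROWSE'
ORDER BY securable_type, securable, privilege_type;
```

Any row returned (for example SELECT or MODIFY on a table) is a grant beyond what this page asks for and is worth reviewing before you share the credentials.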
Option 3 — Terraform
If you manage Databricks with the Databricks Terraform provider, the equivalent configuration is below.
Resource arguments vary by provider version. Adjust them to match the provider version you've pinned.
    # Grant BROWSE on each catalog Single Origin should see
    resource "databricks_grant" "single_origin_browse" {
      for_each   = toset(["<catalog_name>"]) # add more catalogs as needed
      catalog    = each.value
      principal  = "<single-origin-application-id>"
      privileges = ["BROWSE"]
    }

    # Let the service principal use the SQL warehouse
    resource "databricks_permissions" "single_origin_warehouse" {
      sql_endpoint_id = "<warehouse_id>"
      access_control {
        service_principal_name = "<single-origin-application-id>"
        permission_level       = "CAN_USE"
      }
    }

Finish up
Once the grants are in place, share the following with your Single Origin contact (or enter them in the onboarding flow): your workspace URL, the warehouse HTTP path, and the service principal's client ID and OAuth secret. We'll connect and begin reading metadata — no further action needed on your side.
Revoking access
Remove Single Origin's access at any time. To revoke metadata access, run once per catalog:
    REVOKE BROWSE ON CATALOG `<catalog_name>` FROM `<single-origin-application-id>`;

To fully cut off the connection, delete the service principal's OAuth secret (or the service principal itself) in the account console, which immediately ends its ability to authenticate.