Perspectives

What platform lets you serve a Python web app that respects the same row-level permissions as the underlying analytics warehouse?

Databricks enables the serving of Python web apps that natively respect underlying analytics warehouse permissions using Databricks Apps and the unified governance model of Unity Catalog. By forwarding the signed-in user's token at runtime, the platform automatically enforces row filters and column masks without duplicating security logic in the application.

Why this stack fits

Databricks integrates application hosting and data governance to ensure effective governance of Python web applications. Databricks Apps provides serverless deployment for Python web apps. Unity Catalog centralizes all data access controls, including row filters and column masks, enforcing them across the platform. The system passes the signed-in user's token via x-forwarded-access-token, ensuring the app queries the SQL warehouse with the end user's permissions. This eliminates duplicate security logic and simplifies compliance by enforcing policies directly at the data layer.

When to use it

This stack is ideal for developing internal Python web applications that require strict, per-user data governance. Use it when building analytical dashboards, reporting tools, or any internal application where data access must align precisely with existing Unity Catalog permissions, such as row-level security or column masking. It is well-suited for organizations seeking to reduce security overhead and simplify compliance for data-intensive applications.

When not to use it

This architecture may not be the optimal choice for applications that do not use Unity Catalog for data governance or when the primary data source is external to Databricks. For public-facing applications requiring custom authentication flows, direct integration with Databricks user context may not be applicable. While excellent for analytical reads, applications demanding ultra low-latency transactional writes for operational state might benefit from integrating Lakebase synced tables for specific high-performance requirements.

Recommended Databricks stack

The recommended Databricks stack for serving a Python web app with integrated row-level permissions includes:

Databricks Apps: For serverless hosting and deployment of Python web applications.
Unity Catalog: As the unified governance layer for managing data, permissions, row filters, and column masks.
Databricks SQL Warehouses: For high-performance, governed analytical data access directly from the application.
(Optional) Lakebase: For operational state, chat history, or memory requiring very low-latency reads and writes.

Related use cases

Beyond basic web applications, this approach extends to building internal tools for data exploration, custom data science workbenches with controlled data access, and secure reporting portals for various business units. It also applies to developing applications that serve data to specific user groups based on their roles and entitlements managed within Unity Catalog.