Access governance for Databricks

Stop guessing who can access your data.

Databricks scatters access across nested groups, service principals, and grants in every workspace. Mortar resolves who can really reach each catalog, schema, and table — and tells you when it changes. Answers that used to take days take seconds.

Invite-only during our design-partner program · No agents · EU-hosted

TABLEmain.finance.salaries14 principals
analytics-readers
direct grant
SELECT
data-engineers
via platform-admins
ALL PRIVILEGES
j.rivera@acme.com
via finance-analysts
SELECT
svc-etl-legacy
direct grant
ALL PRIVILEGES
Resolved across 4 workspaces · 2 accounts0.4s

Works with the stack you already run

DatabricksUnity CatalogSlackPagerDutyOpsgenieOktaMicrosoft EntraAzureAWSGCP

Why not just use what you have

“Who can access this?” has no good answer in Databricks today.

The Account Console shows one workspace at a time. INFORMATION_SCHEMA shows one metastore. Neither expands nested groups. So the real answer lives in a spreadsheet someone rebuilds every quarter.

Account ConsoleINFORMATION_SCHEMASpreadsheet exportMortar
Spans every workspace and account
Resolves nested group membership
Flags redundant & over-privileged grants
Detects drift over time
Answers on demand, in seconds

How it works

Connected to governed in an afternoon.

01

Connect a workspace

Point Mortar at Databricks with a read-only service principal. No agents, nothing to deploy in your cloud.

02

Run a scan

Mortar resolves every grant, group, and principal across your workspaces and accounts in minutes.

03

Govern with confidence

See effective access, get alerted on drift, prove compliance, and expire access automatically.

What you get

The four things Databricks leaves you to figure out.

01

Effective access, resolved.

Who can really reach every catalog, schema, and table — through nested groups and service principals, across every workspace and account. One map, not a quarter of spreadsheet archaeology.

02

Drift caught on every scan.

Snapshot and diff every membership and permission change, attribute it to who made it (with a SQL warehouse connected), and post it to Slack — before it becomes an audit finding.

03

Compliance you can prove.

Policy-as-code over your real grants. Certification campaigns with audit-ready PDF evidence. A clean, queryable audit trail your assessor can actually use.

04

Access that expires on its own.

Time-boxed, just-in-time access approved in Slack and revoked automatically — so standing over-permission stops piling up between reviews.

Access posture
82 +6
Healthy
Drift events · last 30 days
3
escalations
12
grants expired
0
stale reviews

Always on

One number for whether access is getting better or worse.

Mortar scores your access posture on every scan and trends it over time, so over-permissioning and drift show up as a falling line — not as a surprise in your next audit.

Where teams use it

Built for the moments access actually matters.

Access reviews & certification

Run quarterly Unity Catalog reviews without the spreadsheet. Certify or revoke per group, with signed evidence the reviewer's name lands on.

Joiners, movers & leavers

See everything a departing employee can still reach across every workspace before you offboard them — and compare a new hire against a peer to spot exactly what they're missing, or shouldn't have.

Audit & compliance prep

SOC 2, HIPAA, PCI: prove who had access to what, and when. Turn the access-control evidence request into a one-click export.

Built to be trusted

The governance tool that can't become your biggest risk.

Every tool that can fix access holds a powerful credential over the estate it audits — and becomes the richest target in it. Mortar is architected so that's structurally impossible, and you can verify each claim from your own tenant.

Read-only by architecture

The identity that scans your estate cannot write — Mortar's write path won't accept its token at all. Structural, not a permission setting.

Changes run human-first

Approvals execute under the approver's own Databricks identity by default. An optional executor (off unless you enable it) acts only for verified group managers — every use attributed to the human and counted on the trust page.

Metadata only, EU-hosted

Grant structure and membership — never the contents of your tables. Hosted in Frankfurt; credentials encrypted at rest and revocable by you at any time.

Verifiable, not just claimed

A tamper-evident audit trail with one-click integrity verification, and an in-product trust page that proves all of this from your own data.

Running a vendor security review? Read the security overview → or request the full pack.

Pricing

One plan. Everything included.

No feature ladder, no per-seat math, no workspace caps. The 14-day trial is the full product.

Mortar

$29,988/ year

One Databricks account · unlimited workspaces

  • Effective-access map across every workspace & account
  • Risk findings with the exact fix for each
  • Drift detection, attributed and alerted
  • Access reviews, just-in-time access & certification campaigns
  • Audit-ready evidence PDFs + tamper-evident audit log
  • Policies-as-code · SCIM provisioning · auditor share links

14-day full-product trial once you're in

Enterprise

Custom

Regulated & multi-account estates

  • Everything in Mortar
  • Multiple Databricks accounts
  • Dedicated or in-region deployment
  • Custom security review, DPA, SLA & priority support

Invoiced annually

Design partner program — five seats

$9,900/year locked for three years, direct founder support, and a fixed-price access audit as the no-commitment on-ramp.

Ask about a seat

Questions

The things every buyer asks first.

Does Mortar write to my Databricks workspace?

Discovery is read-only, through a service principal that structurally cannot write. The only writes are access changes you explicitly approve — by default they execute under the approver's own identity, so your Databricks audit log names the person. An optional executor service principal (off by default) can act for verified group managers; every use is attributed to the approving human and counted on the in-product trust page.

What permissions does it need?

A read-only service principal for scanning — account and workspace SCIM plus Unity Catalog reads. An optional SQL warehouse unlocks usage and lineage features (last-used grants, drift attribution).

Which clouds are supported?

Azure, AWS, and GCP Databricks. The engine is developed and live-tested against Azure Databricks with Unity Catalog.

Where does my data live? Do you store credentials?

Mortar is hosted in the EU (Frankfurt) and stores access metadata — groups, grants, principals — not the contents of your tables. The Databricks credentials you connect are encrypted at rest, and you can rotate or revoke them at any time.

Do I have to deploy anything in my cloud?

No. There are no agents and nothing to install in your environment. Mortar reads the Databricks REST APIs and system tables you already have.

How is this different from Unity Catalog or the Account Console?

Those show one workspace or metastore at a time and don't expand nested group membership. Mortar resolves effective access across your whole account, flags over-permissioning, and watches it for drift.

Stop guessing. Start governing.

We're onboarding a handful of design partners on Databricks Unity Catalog. Request access and we'll get you connected.

Mortar — Access governance for Databricks