Access governance for Databricks
Databricks scatters access across nested groups, service principals, and grants in every workspace. Mortar resolves who can really reach each catalog, schema, and table — and tells you when it changes. Answers that used to take days take seconds.
Invite-only during our design-partner program · No agents · EU-hosted
main.finance.salaries14 principalsWorks with the stack you already run
Why not just use what you have
The Account Console shows one workspace at a time. INFORMATION_SCHEMA shows one metastore. Neither expands nested groups. So the real answer lives in a spreadsheet someone rebuilds every quarter.
| Account Console | INFORMATION_SCHEMA | Spreadsheet export | Mortar | |
|---|---|---|---|---|
| Spans every workspace and account | ||||
| Resolves nested group membership | ||||
| Flags redundant & over-privileged grants | ||||
| Detects drift over time | ||||
| Answers on demand, in seconds |
How it works
Point Mortar at Databricks with a read-only service principal. No agents, nothing to deploy in your cloud.
Mortar resolves every grant, group, and principal across your workspaces and accounts in minutes.
See effective access, get alerted on drift, prove compliance, and expire access automatically.
What you get
Who can really reach every catalog, schema, and table — through nested groups and service principals, across every workspace and account. One map, not a quarter of spreadsheet archaeology.
Snapshot and diff every membership and permission change, attribute it to who made it (with a SQL warehouse connected), and post it to Slack — before it becomes an audit finding.
Policy-as-code over your real grants. Certification campaigns with audit-ready PDF evidence. A clean, queryable audit trail your assessor can actually use.
Time-boxed, just-in-time access approved in Slack and revoked automatically — so standing over-permission stops piling up between reviews.
Always on
Mortar scores your access posture on every scan and trends it over time, so over-permissioning and drift show up as a falling line — not as a surprise in your next audit.
Where teams use it
Run quarterly Unity Catalog reviews without the spreadsheet. Certify or revoke per group, with signed evidence the reviewer's name lands on.
See everything a departing employee can still reach across every workspace before you offboard them — and compare a new hire against a peer to spot exactly what they're missing, or shouldn't have.
SOC 2, HIPAA, PCI: prove who had access to what, and when. Turn the access-control evidence request into a one-click export.
Built to be trusted
Every tool that can fix access holds a powerful credential over the estate it audits — and becomes the richest target in it. Mortar is architected so that's structurally impossible, and you can verify each claim from your own tenant.
The identity that scans your estate cannot write — Mortar's write path won't accept its token at all. Structural, not a permission setting.
Approvals execute under the approver's own Databricks identity by default. An optional executor (off unless you enable it) acts only for verified group managers — every use attributed to the human and counted on the trust page.
Grant structure and membership — never the contents of your tables. Hosted in Frankfurt; credentials encrypted at rest and revocable by you at any time.
A tamper-evident audit trail with one-click integrity verification, and an in-product trust page that proves all of this from your own data.
Running a vendor security review? Read the security overview → or request the full pack.
Pricing
No feature ladder, no per-seat math, no workspace caps. The 14-day trial is the full product.
One Databricks account · unlimited workspaces
14-day full-product trial once you're in
Regulated & multi-account estates
Invoiced annually
$9,900/year locked for three years, direct founder support, and a fixed-price access audit as the no-commitment on-ramp.
Questions
Discovery is read-only, through a service principal that structurally cannot write. The only writes are access changes you explicitly approve — by default they execute under the approver's own identity, so your Databricks audit log names the person. An optional executor service principal (off by default) can act for verified group managers; every use is attributed to the approving human and counted on the in-product trust page.
A read-only service principal for scanning — account and workspace SCIM plus Unity Catalog reads. An optional SQL warehouse unlocks usage and lineage features (last-used grants, drift attribution).
Azure, AWS, and GCP Databricks. The engine is developed and live-tested against Azure Databricks with Unity Catalog.
Mortar is hosted in the EU (Frankfurt) and stores access metadata — groups, grants, principals — not the contents of your tables. The Databricks credentials you connect are encrypted at rest, and you can rotate or revoke them at any time.
No. There are no agents and nothing to install in your environment. Mortar reads the Databricks REST APIs and system tables you already have.
Those show one workspace or metastore at a time and don't expand nested group membership. Mortar resolves effective access across your whole account, flags over-permissioning, and watches it for drift.
We're onboarding a handful of design partners on Databricks Unity Catalog. Request access and we'll get you connected.