Skip to content

Feature Request: Implement "On Behalf of User" Permissions for Agent Chat #26

Open
Feature
Open
Feature Request: Implement "On Behalf of User" Permissions for Agent Chat#26
Feature
Assignees
ian-liao-databricks
Labels
enhancementNew feature or request
@BlitzBricksterYY-db

Description

@BlitzBricksterYY-db
BlitzBricksterYY-db
opened on Mar 3, 2026

Problem Statement
Currently, when a user interacts with the chat agent, there may be a risk of data over-exposure if the agent retrieves and synthesizes information using a high-privileged service principal or a generic execution role. Users should only receive answers based on the data they are explicitly authorized to see.

Proposed Solution
We need to implement "On Behalf of User" execution for the agent chat. This ensures that when a user asks the agent a question, the agent's data retrieval and query execution processes are strictly governed by the user's own permissions.

Specifically, the implementation should:

  1. Pass-through Identity: Ensure the calling user's identity is securely passed to the agent's execution context.
  2. Access Control Integration: Enforce both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) during the agent's retrieval phase.
  3. Restricted Results: Guarantee that the agent only accesses, summarizes, and returns information from records, tables, and documents that the specific user is permitted to view.

Impact
This will ensure strict enterprise-grade data governance and security compliance, allowing different users to safely interact with the same agent without the risk of unauthorized data exposure.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

Feature

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions