CPE × Databricks — Integration Workflow Demo

Live walkthrough: your app calls CPE adapter routes → CPE reads Unity Catalog (read-only) → returns policy_context.databricks → your app attaches it to POST /cpe/v1/actions/verify. Test console · Jira console

Integration flow

Step 1

User action

Analyst runs SQL, job, or admin change in Databricks.

Step 2

Your app

Gateway or notebook extension calls CPE with actor + catalog scope.

Step 3

CPE adapter

Read-only Unity Catalog / jobs / clusters APIs.

Step 4

policy_context

Risk score + signals returned (no warehouse mutation).

Step 5

Verify & enforce

Merge into verify; challenge/deny on high-risk lakehouse actions.

CPE policy engine Databricks workspace (live PAT)

Scenario

Sensitive SQL query data-context · read catalog/schema metadata

Run production job job-context · job + cluster policy signals

Unity Catalog grant admin-context · higher baseline risk (medium+)

Run live demo

API base

x-api-key

User email

Catalog

Schema

Table (optional)

Adapter response

Run the demo to fetch live policy_context from your workspace.

How your app represents this on verify

{
  "action": { "action_type": "databricks.sql.query_sensitive" },
  "policy_context": {
    "databricks": { /* from adapter — see left panel */ }
  }
}

With CPE_DATABRICKS_POLICY_ACTIVE=true, high/critical risk can return decision: challenge on verify. Adapter-only mode (false) still returns context for your UI.