Skip to content
NextLytics
Megamenü_2023_Über-uns

Shaping Business Intelligence

Whether clever add-on products for SAP BI, development of meaningful dashboards or implementation of AI-based applications - we shape the future of Business Intelligence together with you. 

Megamenü_2023_Über-uns_1

About us

As a partner with deep process know-how, knowledge of the latest SAP technologies as well as high social competence and many years of project experience, we shape the future of Business Intelligence in your company too.

Megamenü_2023_Methodik

Our Methodology

The mixture of classic waterfall model and agile methodology guarantees our projects a high level of efficiency and satisfaction on both sides. Learn more about our project approach.

Products
Megamenü_2023_NextTables

NextTables

Edit data in SAP BW out of the box: NextTables makes editing tables easier, faster and more intuitive, whether you use SAP BW on HANA, SAP S/4HANA or SAP BW 4/HANA.

Megamenü_2023_Connector

NextLytics Connectors

The increasing automation of processes requires the connectivity of IT systems. NextLytics Connectors allow you to connect your SAP ecosystem with various open-source technologies.

IT-Services
Megamenü_2023_Data-Science

Data Science & Engineering

Ready for the future? As a strong partner, we will support you in the design, implementation and optimization of your AI application.

Megamenü_2023_Planning

SAP Planning

We design new planning applications using SAP BPC Embedded, IP or SAC Planning which create added value for your company.

Megamenü_2023_Dashboarding

Business Intelligence

We help you with our expertise to create meaningful dashboards based on Tableau, Power BI, SAP Analytics Cloud or SAP Lumira. 

Megamenü_2023_Data-Warehouse-1

SAP Data Warehouse

Are you planning a migration to SAP HANA? We show you the challenges and which advantages a migration provides.

Business Analytics
Megamenü_2023_Procurement

Procurement Analytics

Transparent and valid figures are important, especially in companies with a decentralized structure. SAP Procurement Analytics allows you to evaluate SAP ERP data in SAP BI.

Megamenü_2023_Reporting

SAP HR Reporting & Analytics

With our standard model for reporting from SAP HCM with SAP BW, you accelerate business activities and make data from various systems available centrally and validly.

Megamenü_2023_Dataquality

Data Quality Management

In times of Big Data and IoT, maintaining high data quality is of the utmost importance. With our Data Quality Management (DQM) solution, you always keep the overview.

Career
Megamenü_2023_Karriere-2b

Working at NextLytics

If you would like to work with pleasure and don't want to miss out on your professional and personal development, we are the right choice for you!

Megamenü_2023_Karriere-1

Senior

Time for a change? Take your next professional step and work with us to shape innovation and growth in an exciting business environment!

Megamenü_2023_Karriere-5

Junior

Enough of grey theory - time to get to know the colourful reality! Start your working life with us and enjoy your work with interesting projects.

Megamenü_2023_Karriere-4-1

Students

You don't just want to study theory, but also want to experience it in practice? Check out theory and practice with us and experience where the differences are made.

Megamenü_2023_Karriere-3

Jobs

You can find all open vacancies here. Look around and submit your application - we look forward to it! If there is no matching position, please send us your unsolicited application.

Blog
NextLytics Newsletter
Subscribe for our monthly newsletter:
Sign up for newsletter
 

How to use YAML Anchors for cleaner Databricks Governance

In our previous article Azure Databricks Governance with Terraform and Databricks Bundles, we split Azure Databricks governance across three stages: Terraform provisions the cloud infrastructure, Databricks Declarative Automation Bundles (DAB) configure the platform´s permissions and the Python SDK handles what bundles can't express declaratively.

Governance in Databricks plays out across three permission levels: account, workspace, and Unity Catalog. This article zooms in on the last one (Unity Catalog), where most of the day-to-day grant work lives.

permission-levels_Databricks

That setup works well, until your platform grows. Once your medallion architecture spans bronze, silver, and gold catalogs, each with several schemas, one thing multiplies fast: the grants: blocks. The same workspace users READ or job runner WRITE permissions get copied onto every catalog and every schema. And copy-paste is where governance quietly breaks. Change one privilege and you have to find and update it in a dozen places.

This article introduces a small, native YAML feature that removes that repetition entirely: anchors.
(A quick reminder: YAML is the human-readable markup language that Databricks Asset Bundles are written in. Every databricks.yml and resource file in the bundle is YAML.)

What are YAML anchors and aliases?

Before applying anything to Databricks, it helps to see the mechanism on its own. YAML has related features for reusing content within a file.

An anchor (&name) marks a node so you can refer back to it. An alias (*name) then reuses that exact node somewhere else. A simple example:

default_grant: &read_access
  principal: workspace_users
  privileges: [USE_CATALOG, SELECT]

catalog_a:
  grants: *read_access
catalog_b:
  grants: *read_access

Here catalog_a and catalog_b both point at the same block defined once under &read_access. Change the anchor and both follow.

The key thing to understand is, that all of this is a feature of YAML itself. It's resolved by the YAML parser when the file is read, before Databricks ever sees the content. There's no bundle-specific magic involved; anchors work in any YAML file.

Why Databricks Bundle Grants Get Repetitive

Getting to the real setup now. In a medallion architecture, each layer is its own catalog: bronze, silver, gold and every catalog needs the same baseline access: workspace users can read, the job-runner service principal can create schemas. Written out plainly, a bundle ends up looking like this:

catalogs:
  bronze:
    name: bronze
    grants:
      - principal: workspace_users
        privileges: [USE_CATALOG]
      - principal: job_runner_sp
        privileges: [USE_CATALOG, CREATE_SCHEMA]
  silver:
    name: silver
    grants:
      - principal: workspace_users
        privileges: [USE_CATALOG]
      - principal: job_runner_sp
        privileges: [USE_CATALOG, CREATE_SCHEMA]
  gold:
    name: gold
    grants:
      - principal: workspace_users
        privileges: [USE_CATALOG]
      - principal: job_runner_sp
        privileges: [USE_CATALOG, CREATE_SCHEMA]

The same eight lines, three times over and that's before the schemas underneath each catalog repeat their own grant blocks. Now imagine a governance review decides the job-runner should also get BROWSE. You're editing the same change in three catalogs and every schema, hoping you catch them all. Miss one and gold silently drifts from bronze. This is the exact class of error Infrastructure-as-Code is supposed to prevent, yet copy-paste reintroduces it inside the YAML.

Using YAML Anchors to Keep Bundle Grants DRY

Here's the same setup rewritten with an anchor. Define the grants: block once, give it a name with &, then reference it with * on every catalog:

_common: &catalog_grants
  - principal: workspace_users
    privileges: [USE_CATALOG]
  - principal: job_runner_sp
    privileges: [USE_CATALOG, CREATE_SCHEMA]

catalogs:
  bronze:
    name: bronze
    grants: *catalog_grants
  silver:
    name: silver
    grants: *catalog_grants
  gold:
    name: gold
    grants: *catalog_grants

The eight repeated lines now live in exactly one place. That governance review that adds BROWSE? One edit to &catalog_grants and bronze, silver and gold all inherit it. No chance of one layer drifting from the others.

Anchors reuse a whole block exactly as it's defined. That has one consequence worth stating plainly: a grants: list is reused as a whole. YAML anchors don't append to a list, so if one catalog needs an extra principal, you define a second anchor rather than "extending" the first.
(Skip that and you're back to copy-pasting the block with one line changed, exactly what anchors were meant to avoid).

Anchors also compose with Databricks bundle variables. The anchored block can hold ${var...} placeholders, so structure is reused via the anchor while environment-specific values still come from your variables file:

_common: &catalog_grants
  - principal: ${var.group_workspace_users}
    privileges: ${var.catalog_privilege_use}

Anchors for shape, variables for values. That combination is the pattern worth internalizing. It's also what makes one bundle serve multiple environments: the same anchored blocks deploy to DEV, QA and PROD unchanged, while variables inject the right catalog names and privileges per environment.

before-after-YAML-anchor

YAML Anchors vs. Databricks Bundle Variables

At this point one question arises: don't Databricks bundle variables already do reuse? You've seen ${var.catalog_privilege_use} and ${resources.catalogs.silver.name} throughout the config. They look like the same idea, so why anchors too?

Because they operate at different stages. YAML anchors are resolved by the YAML parser the moment the file is read. Bundle variables (${...}) are resolved later, by the Databricks CLI, when it assembles and deploys the bundle. Anchors are expanded first; variable substitution happens afterward, on the already-expanded document.

That ordering leads to a clean rule of thumb:

  • use anchors for structure: a whole grants list, a shared cluster config

  • and variables for values: a catalog name, a privilege set, and the environment string.

Anchors and variables compose. An anchored block full of ${var...} placeholders is the sweet spot: the anchor guarantees every catalog gets the same shape, while variables keep the actual names environment-aware across environments.

Takeaway:

  • if you're repeating a block, reach for an anchor

  • if you're repeating a value, reach for a variable

Mixing them up, trying to make a variable point at a block, or hard-coding values an anchor should carry, is where configs get brittle.

Common YAML Anchor Pitfalls in Databricks Bundles

Anchors are a sharp tool, but a few edges are worth knowing before you lean on them.

  • Anchors are file-scoped. An anchor defined in schemas.yml cannot be referenced from catalogs.yml. The alias simply won't resolve. This is why, in a real multi-file bundle, you sometimes see what looks like the "same" block defined twice, once per file. It's not an oversight; it's the scoping rule. If you want true cross-file reuse, that's the job of bundle variables, not anchors.

  • Readability has a limit. An alias like *general_privileges is only clear if the reader can quickly find &general_privileges. Scatter anchors across a long file and every reviewer has to scroll hunting for the definition. The DRY win turns into a comprehension cost.

  • Debug against the expanded document, not the source. What you wrote isn't quite what Databricks deploys. The parser has expanded every alias first. When a grant looks wrong, run databricks bundle validate and inspect the fully-resolved output. That's the version that actually matters.

  • Don't anchor what appears once. An anchor referenced a single time adds indirection without saving anything. Anchors earn their keep through repetition. If a block isn't repeated, leave it inline.

YAML Anchor Best Practices for Databricks Teams

If anchors are going to live in a bundle that several people maintain, a little discipline keeps them an asset rather than a puzzle.

  • Adopt a naming convention for anchors that signals scope and intent. Something like &catalog_grants or &schema_read reads far better than &block1. The alias should tell a reviewer what they'll get without scrolling to the definition.

  • Keep anchor definitions discoverable. Define them near the top of the file, or in a clearly marked conventions block, so there's one obvious place to look (_common). An anchor buried between two unrelated resources is the one people miss.

  • Remember that a change to a shared anchor is a big change. Editing &catalog_grants once updates bronze, silver and gold together. Useful, but worth a careful review before you commit.

And always validate before you deploy. Run databricks bundle validate in CI so the fully-expanded configuration is checked on every change: the same environment-aware, approval-gated approach we walked through in part one of this article. Anchors reduce the surface for mistakes; a validation step catches the ones that slip through.

Cleaner Databricks Governance with YAML Anchors: Our Conclusion

YAML anchors won't show up in a Databricks release note or a governance framework. They're a small, native feature of the config language itself. But that's exactly why they matter for admins. As your medallion architecture grows from a handful of resources to bronze, silver and gold catalogs with schemas, volumes and grants underneath each, the real risk is that the repetition quietly drifts out of sync. Anchors collapse that repetition into a single source of truth, so a governance change is one edit instead of a dozen.

For your notes: anchors for structure, variables for values and validation before every deployment. Used with that discipline, anchors make bundles shorter, reviews clearer, and Unity Catalog governance consistent across environments, which is the whole point of doing this declaratively in the first place.

This wraps up our look at keeping Databricks Asset Bundles maintainable at scale. If you're building out platform governance and want a partner who's been through the sharp edges, we are happy to help.

FAQ - YAML Anchors for Databricks

Here you can find some of the most frequently asked questions about YAML Anchors for Databricks Governance.

What are YAML anchors and aliases? Anchors and aliases are a native YAML feature for reusing content within a file. An anchor (&name) marks a block so it can be referenced elsewhere with an alias (*name). They are part of the YAML standard itself, not a Databricks-specific feature, so they work in any YAML file, including Databricks bundle configuration.
Why should Databricks admins use YAML anchors? In a medallion architecture with bronze, silver and gold catalogs and many schemas, the same grant blocks get copied across every resource. Anchors let you define such a block once and reference it everywhere, so a governance change is a single edit instead of a dozen, which reduces the risk of one layer silently drifting out of sync.
What is the difference between YAML anchors and Databricks bundle variables? They operate at different stages. YAML anchors are expanded by the YAML parser when the file is read, before the Databricks CLI substitutes bundle variables (${var...}). The rule of thumb: use anchors for structure (a whole grants block) and variables for values (catalog names, privileges, environment). They compose well, an anchored block can contain variable placeholders
Can YAML anchors be shared across multiple files in a bundle? No. Anchors are file-scoped: an anchor defined in one file cannot be referenced from another. This is why multi-file bundles sometimes define the "same" block more than once. For reuse across files, use bundle variables instead of anchors.
Can a YAML anchor add a single entry to an existing list? No. A grants: list is reused as a whole. Anchors don't append to a list. If one catalog or schema needs an extra principal, define a second anchor rather than trying to extend the first.
How can I verify how anchors are resolved before deploying? Run databricks bundle validate. The command checks the fully-expanded configuration. The version after all anchors and aliases have been resolved so you can confirm the deployed result matches your intent before pushing to QA or PROD.

 

,

avatar

Thomas

Thomas is a Data & AI Consultant with more than 8 years of experience in data engineering, machine learning and cloud platforms. He has designed and delivered scalable data and AI solutions across industries including healthcare, biotech, logistics, energy and manufacturing. He enjoys being outdoors regardless of the weather: hiking, cycling, swimming, SUPing or ice skating.

Got a question about this blog?
Ask Thomas

How to use YAML Anchors for cleaner Databricks Governance
10:08

Blog - NextLytics AG 

Welcome to our blog. In this section we regularly report on news and background information on topics such as SAP Business Intelligence (BI), SAP Dashboarding with Lumira Designer or SAP Analytics Cloud, Machine Learning with SAP BW, Data Science and Planning with SAP Business Planning and Consolidation (BPC), SAP Integrated Planning (IP) and SAC Planning and much more.

Subscribe to our newsletter

Related Posts

Recent Posts