HVR: When Databricks authentication is configured using Client Credentials (Client ID and Client Secret), HVR automatically injects the following parameter into the generated ODBC connection string: Auth_Scope=all-apis
Planned
When Databricks authentication is configured using Client Credentials (Client ID and Client Secret), HVR automatically injects the following parameter into the generated ODBC connection string:
Auth_Scope=all-apis
This value is currently hardcoded in the Databricks connection implementation and cannot be overridden through standard location properties.
Our security policies prohibit the use of the all-apis scope. Their Databricks environment requires either:
- A custom scope value such as:
  Auth_Scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default
- Or a blank Auth_Scope value:
  Auth_Scope=
The customer has confirmed that authentication succeeds when the hardcoded value is removed or replaced with the required scope.
The workarounds below were evaluated:
- HVR_ODBC_CONNECT_STRING_ADD
  - Does not resolve the issue because it appends parameters rather than replacing the existing hardcoded value.
  - Results in duplicate entries such as:
    Auth_Scope=all-apis;Auth_Scope=
- HVR_ODBC_CONNECT_STRING
  - Functions technically but requires the entire connection string to be manually specified.
  - Exposes sensitive client credentials in the channel configuration and is not acceptable under Morgan Stanley security requirements.
Requested Enhancement
Provide a supported mechanism to override the Databricks Auth_Scope value, preferably through:
- A dedicated Databricks location property (recommended), or
- A supported environment variable/connection property override.
The enhancement should allow:
- Custom Auth_Scope values.
- Blank Auth_Scope values when required.
- Preservation of secure credential handling without requiring use of HVR_ODBC_CONNECT_STRING.
This enhancement would support customers with strict security and compliance requirements while avoiding exposure of sensitive credentials in configuration settings. It would also provide greater flexibility for Databricks OAuth implementations that require scopes other than all-apis.
Hi Zahid,
Thank you for raising this request and for the detailed context on the security requirements.
We understand the need to override or remove the hardcoded Auth_Scope value, especially for environments where all-apis is not permitted. We will take a look at this enhancement, and I expect we will pick this up soon.
Best regards,
Edwin
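A check a reviewer could run over configured connection strings to catch the two problems the request above describes: the duplicate Auth_Scope left behind by HVR_ODBC_CONNECT_STRING_ADD and credentials written inline through HVR_ODBC_CONNECT_STRING. This is an added example, not code from HVR or from the original post; the key names other than Auth_Scope, the Driver and Host values, and both sample strings are assumptions constructed for illustration.

```python
import re

# Assumed key names for credentials; adjust to your ODBC driver's documentation.
SECRET_KEYS = {"auth_client_secret", "pwd"}
FORBIDDEN_SCOPES = {"all-apis"}  # the scope the policy in the request prohibits

# One attribute: key, '=', then either a {braced} value ('}}' is an escaped
# brace, so the value may contain ';') or a plain value up to the next ';'.
_PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;]*)\s*(?:;|$)")

def parse_pairs(conn_str):
    """Return [(key, value)] in order of appearance, keeping duplicates."""
    pairs = []
    for m in _PAIR.finditer(conn_str):
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1].replace("}}", "}")
        pairs.append((key, value))
    return pairs

def lint(conn_str):
    """Return sorted findings; secret values are never echoed, only key names."""
    findings, seen = set(), set()
    for key, value in parse_pairs(conn_str):
        k = key.lower()  # ODBC keywords are case-insensitive
        if k in seen:
            findings.add(f"duplicate key: {key}")
        seen.add(k)
        if k == "auth_scope" and value.lower() in FORBIDDEN_SCOPES:
            findings.add(f"forbidden scope: {value}")
        if k in SECRET_KEYS and value:
            findings.add(f"inline secret: {key}")
    return sorted(findings)

# Constructed sample: the appended result quoted in the request.
APPENDED = "Auth_Scope=all-apis;Auth_Scope="
# Constructed sample: a full manual override carrying a placeholder secret.
FULL_OVERRIDE = (
    "Driver={Example ODBC Driver};Host=workspace.example.invalid;"
    "Auth_Client_ID=00000000-0000-0000-0000-000000000000;"
    "Auth_Client_Secret={constructed;secret};"
    "Auth_Scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default"
)

if __name__ == "__main__":
    for name, s in (("appended", APPENDED), ("full override", FULL_OVERRIDE)):
        print(name, "->", lint(s))
```
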