Problem
While working in Databricks SQL Analytics, you attempt to query a table that has attribute-based access control (ABAC) applied to one or more columns. You get the following error:
"Invalid call to dataType on unresolved object" (SQLSTATE: XX000).
You notice that jobs running with service principals (SP) in the ABAC excluded list still execute successfully.
Cause
Your ABAC policy configuration is incorrect and/or columns are not resolving correctly.
Jobs running with service principals that are exempt from ABAC (by being on the ABAC excluded list) do not encounter this issue because they bypass certain access controls.
Incorrect ABAC policy configuration
When ABAC is not properly set up, Databricks may struggle to resolve the data types of the columns subject to ABAC, resulting in the observed error.
Columns not resolving correctly
Databricks relies on the correct resolution of column data types to execute queries. When ABAC is applied, its masking or filtering can lead to an issue with how the columns are resolved, resulting in the unresolved object error.
Solution
Ensure masking functions or UDFs return the exact same data type as the column they secure.
For example, create a mask function whose declared return type matches the type of the column it will mask:
CREATE FUNCTION core_dev.internal.udf_mask_array_empty(data ARRAY<STRING>)
RETURNS ARRAY<STRING>
LANGUAGE SQL
RETURN array();
Then apply the following command:
ALTER TABLE core_dev.tmp.yujia_test_abac_sql_function ALTER COLUMN b SET MASK core_dev.internal.udf_mask_array_empty;
Masking columns with sensitive tags
For masking columns with sensitive tags, each column type must have a dedicated mask function. The following table clarifies which data type returns which value. Apply the appropriate mask function to each column individually.
| For this data type… | the function returns… |
| --- | --- |
| STRING | "" |
| ARRAY<STRING> | array() |
| INT | NULL or 0 |
| FLOAT | NULL or 0.0 |
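To find columns where the return-type rule above is violated, the following query (an added example, not part of the original article) compares each masked column's type with the declared return type of its mask function. It assumes the Unity Catalog views system.information_schema.column_masks, columns and routines are readable by the caller, reuses the core_dev catalog name from the example above, and checks only masks attached directly with SET MASK.

```sql
-- Added example: audit explicit column masks for return-type mismatches.
-- Assumption: the caller can read system.information_schema and has
-- privileges on the tables and functions involved (the views only list
-- objects the caller is allowed to see).
SELECT
  m.table_catalog,
  m.table_schema,
  m.table_name,
  m.column_name,
  c.full_data_type AS column_type,
  concat_ws('.', m.mask_catalog, m.mask_schema, m.mask_name) AS mask_function,
  r.full_data_type AS mask_return_type
FROM system.information_schema.column_masks AS m
-- Type of the column the mask is attached to
JOIN system.information_schema.columns AS c
  ON  c.table_catalog = m.table_catalog
  AND c.table_schema  = m.table_schema
  AND c.table_name    = m.table_name
  AND c.column_name   = m.column_name
-- Declared return type of the mask function (may live in another catalog)
JOIN system.information_schema.routines AS r
  ON  r.routine_catalog = m.mask_catalog
  AND r.routine_schema  = m.mask_schema
  AND r.routine_name    = m.mask_name
WHERE m.table_catalog = 'core_dev'
  -- Compare full type strings case-insensitively, e.g. array<string>
  AND lower(c.full_data_type) <> lower(r.full_data_type)
ORDER BY m.table_schema, m.table_name, m.column_name;
```

Every row returned is a column whose mask function should be replaced with one that returns the column's own type, per the table above.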
Additional information
- If a schema or catalog inherits a mask and also applies explicit masks, ensure they are compatible.
- Remove or modify policies that cause ambiguous mask resolution.
- Always update references to reflect only live columns and tags, avoiding deleted or renamed attributes.
Best practices
- Limit ABAC policy matches by making MATCH COLUMNS clauses specific, so only relevant columns are included.
- Review tags and policy logic to ensure no accidental multi-column mask application occurs.
For more information on ABAC, review the Unity Catalog attribute-based access control (ABAC) (AWS | Azure | GCP) documentation.