Manage privileges in Unity Catalog

This article explains how to control access to data and other objects in Unity Catalog. To learn about how this model differs from access control in the Hive metastore, see Work with Unity Catalog and the legacy Hive metastore.

Who can manage privileges?

Initially, users have no access to data in a metastore. Azure Databricks account admins, workspace admins, and metastore admins have default privileges for managing Unity Catalog. See Admin privileges in Unity Catalog.

All securable objects in Unity Catalog have an owner. Object owners have all privileges on that object, including the ability to grant privileges to other principals. Owners can grant other users the MANAGE privilege on the object, which allows users to manage privileges on the object. See Manage Unity Catalog object ownership.

Privileges can be granted by either a metastore admin, a user with the MANAGE privilege on the object, the owner of an object, or the owner of the catalog or schema that contains the object. Account admins can also grant privileges directly on a metastore.

Workspace catalog privileges

If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default and a workspace catalog is created for your workspace in the metastore. Workspace admins are the default owners of the workspace catalog. As owners, they can manage privileges on the workspace catalog and all child objects.

All workspace users receive the USE CATALOG privilege on the workspace catalog. Workspace users also receive the USE SCHEMA, CREATE TABLE, CREATE VOLUME, CREATE MODEL, CREATE FUNCTION, and CREATE MATERIALIZED VIEW privileges on the default schema in the catalog.

For more information, see Automatic enablement of Unity Catalog.

Inheritance model

Securable objects in Unity Catalog are hierarchical, and privileges are inherited downward. The highest level object that privileges are inherited from is the catalog. This means that granting a privilege on a catalog or schema automatically grants the privilege to all current and future objects within the catalog or schema. For example, if you give a user the SELECT privilege on a catalog, then that user will be able to select (read) all tables and views in that catalog. Privileges that are granted on a Unity Catalog metastore are not inherited.

Unity Catalog object hierarchy

Owners of an object are automatically granted all privileges on that object. In addition, object owners can grant privileges on the object itself and on all of its child objects. This means that owners of a schema do not automatically have all privileges on the tables in the schema, but they can grant themselves privileges on the tables in the schema.
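The following SQL walks through the inheritance rules above and is an added example, not from the Databricks documentation; the catalog main, schema default, table main.default.transactions, group finance-team and user alice@example.com are assumed names for illustration.

```sql
-- Added example (not from the Databricks docs). Catalog `main`, schema
-- `default`, table `main.default.transactions`, group `finance-team` and
-- user `alice@example.com` are assumed names for illustration.

-- 1. Privileges granted on a catalog flow down to every current and future
--    schema, table and view in it. USE CATALOG and USE SCHEMA are still
--    needed to traverse the hierarchy, so grant only what reaching the data
--    requires.
GRANT USE CATALOG ON CATALOG main TO `finance-team`;
GRANT USE SCHEMA  ON CATALOG main TO `finance-team`;  -- inherited by all schemas
GRANT SELECT      ON CATALOG main TO `finance-team`;  -- inherited by all tables/views

-- A table created afterwards is readable by finance-team with no new grant,
-- which is why a catalog-level SELECT should be treated as broad access.
CREATE TABLE main.default.transactions (id BIGINT, amount DECIMAL(18, 2));

-- 2. Ownership does not flow down. The schema owner holds all privileges on
--    the schema object itself but not on its tables; the owner may grant
--    them explicitly.
ALTER SCHEMA main.default OWNER TO `alice@example.com`;
GRANT SELECT ON TABLE main.default.transactions TO `alice@example.com`;

-- 3. Because access can originate at any level, an access review checks the
--    catalog and schema, not just the table.
SHOW GRANTS ON CATALOG main;
SHOW GRANTS ON SCHEMA  main.default;
SHOW GRANTS ON TABLE   main.default.transactions;

-- 4. Revoke where the grant was made. A table-level REVOKE removes only a
--    table-level grant; finance-team's SELECT comes from the catalog grant
--    and stays in effect until it is revoked on the catalog.
REVOKE SELECT ON TABLE   main.default.transactions FROM `finance-team`;
REVOKE SELECT ON CATALOG main                      FROM `finance-team`;
```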

Note

If you created your Unity Catalog metastore during the public preview (before August 25, 2022), you might be on an earlier privilege model that doesn’t support the current inheritance model. You can upgrade to Privilege Model version 1.0 to get privilege inheritance. See Upgrade to privilege inheritance.

Show, grant, and revoke privileges

You can manage privileges for metastore objects using SQL commands, the Databricks CLI, the Databricks Terraform provider, or Catalog Explorer.

In the SQL commands that follow, replace these placeholder values:

  • <privilege-type>: A Unity Catalog privilege type. See Privilege types.
  • <securable-type>: The type of securable object, such as CATALOG or TABLE. See Securable objects.
  • <securable-name>: The name of the securable. If the securable type is METASTORE, do not provide the securable name. It is assumed to be the metastore attached to the workspace.
  • <principal>: A user, service principal (represented by its applicationId value), or group. You must enclose user, service principal, and group names that include special characters in backticks (` `). See Principal.

Show grants on objects in a Unity Catalog metastore

Note

Currently, users with the MANAGE privilege on an object cannot view all grants for that object in the INFORMATION_SCHEMA. Instead, the INFORMATION_SCHEMA shows only their own grants on the object. This behavior will be corrected in the future.

Users with MANAGE privilege can view all grants on an object using SQL commands or Catalog Explorer. See Manage privileges in Unity Catalog.

Permissions required:

  • Metastore admins, users with the MANAGE privilege on the object, the owner of the object, or the owner of the catalog or schema that contains the object can see all grants on the object.
  • If you do not have the above permissions, you can view only your own grants on the object.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Select the object, such as a catalog, schema, table, or view.
  3. Go to the Permissions tab.

SQL

Run the following SQL command in a notebook or SQL query editor. You can show grants on a specific principal, or you can show all grants on a securable object.

  SHOW GRANTS [principal] ON <securable-type> <securable-name>

For example, the following command shows all grants on a schema named default in the parent catalog named main:

  SHOW GRANTS ON SCHEMA main.default;

The command returns:

  principal     actionType     objectType objectKey
  ------------- -------------  ---------- ------------
  finance-team   CREATE TABLE  SCHEMA     main.default
  finance-team   USE SCHEMA    SCHEMA     main.default

Show my grants on objects in a Unity Catalog metastore

Permissions required: You can always view your own grants on an object.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Select the object, such as a catalog, schema, table, or view.
  3. Go to the Permissions tab. If you are not an object owner or metastore admin, you can view only your own grants on the object.

SQL

Run the following SQL command in a notebook or SQL query editor to show your grants on an object.

  SHOW GRANTS `<user>@<domain-name>` ON <securable-type> <securable-name>

Grant permissions on objects in a Unity Catalog metastore

Permissions required: Metastore admin, the MANAGE privilege on the object, the owner of the object, or the owner of the catalog or schema that contains the object.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Select the object, such as a catalog, schema, table, or view.
  3. Go to the Permissions tab.
  4. Click Grant.
  5. Enter the email address for a user or the name of a group.
  6. Select the permissions to grant.
  7. Click OK.

SQL

Run the following SQL command in a notebook or SQL query editor.

  GRANT <privilege-type> ON <securable-type> <securable-name> TO <principal>

For example, the following command grants a group named finance-team access to create tables in a schema named default with the parent catalog named main:

  GRANT CREATE TABLE ON SCHEMA main.default TO `finance-team`;
  GRANT USE SCHEMA ON SCHEMA main.default TO `finance-team`;
  GRANT USE CATALOG ON CATALOG main TO `finance-team`;

Note that registered models are a type of function. To grant a privilege on a model, you must use GRANT ON FUNCTION. For example, to grant the group ml-team-acme the EXECUTE privilege on the model prod.ml_team.iris_model, you’d use:

  GRANT EXECUTE ON FUNCTION prod.ml_team.iris_model TO `ml-team-acme`;

Revoke permissions on objects in a Unity Catalog metastore

Permissions required: Metastore admin, the MANAGE privilege on the object, the owner of the object, or the owner of the catalog or schema that contains the object.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Select the object, such as a catalog, schema, table, or view.
  3. Go to the Permissions tab.
  4. Select a privilege that has been granted to a user, service principal, or group.
  5. Click Revoke.
  6. To confirm, click Revoke.

SQL

Run the following SQL command in a notebook or SQL query editor.

  REVOKE <privilege-type> ON <securable-type> <securable-name> FROM <principal>

For example, the following command revokes from a group named finance-team the privilege to create tables in a schema named default with the parent catalog named main:

  REVOKE CREATE TABLE ON SCHEMA main.default FROM `finance-team`;

Show grants on a metastore

Permissions required: Metastore admin or account admin. You can also view your own grants on a metastore.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Next to the Catalog Explorer page label, click the icon next to the metastore name.
  3. Go to the Permissions tab.

SQL

Run the following SQL command in a notebook or SQL query editor. You can show grants on a specific principal, or you can show all grants on a metastore.

  SHOW GRANTS [principal] ON METASTORE

Grant permissions on a metastore

Permissions required: Metastore admin or account admin.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Next to the Catalog Explorer page label, click the icon next to the metastore name.
  3. On the Permissions tab, click Grant.
  4. Enter the email address for a user or the name of a group.
  5. Select the permissions to grant.
  6. Click OK.

SQL

  1. Run the following SQL command in a notebook or SQL query editor.

    GRANT <privilege-type> ON METASTORE TO <principal>;

    When you grant privileges on a metastore, you do not include the metastore name, because the metastore that is attached to your workspace is assumed.

Revoke permissions on a metastore

Permissions required: Metastore admin or account admin.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Next to the Catalog Explorer page label, click the icon next to the metastore name.
  3. On the Permissions tab, select a user or group and click Revoke.
  4. To confirm, click Revoke.

SQL

  1. Run the following SQL command in a notebook or SQL query editor.

    REVOKE <privilege-type> ON METASTORE FROM <principal>;

    When you revoke privileges on a metastore, you do not include the metastore name, because the metastore that is attached to your workspace is assumed.