Manage Unity Catalog object ownership
Each securable object in Unity Catalog has an owner. The owner can be any principal: a user, service principal, or account group. The principal that creates an object becomes its initial owner. An object’s owner has all privileges on the object, such as SELECT and MODIFY on a table, in addition to the permission to grant privileges to other principals. An object’s owner also has the ability to drop the object.
Owner privileges
Owners of an object are automatically granted all privileges on that object. In addition, object owners can grant privileges on the object itself and on all of its child objects. This means that owners of a schema do not automatically have all privileges on the tables in the schema, but they can grant themselves privileges on the tables in the schema.
Note
There is one exception to the rule that owners have all privileges on an object: to avoid accidental data exfiltration, schema owners do not have the EXTERNAL USE SCHEMA privilege by default. See Control external access to data in Unity Catalog.
Metastore and catalog ownership
Metastore admins are the owners of the metastore. The metastore admin role is optional. Metastore admins can reassign ownership of the metastore by transferring the metastore admin role, see Assign a metastore admin.
If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default and a workspace catalog is created for your workspace in the metastore. Workspace admins are the default owners and can reassign ownership of the workspace catalog. In these workspaces, there is no metastore admin assigned by default, but account admins can grant the metastore admin role if needed. See Metastore admins.
For more information about admin privileges in Unity Catalog, see Admin privileges in Unity Catalog.
Ownership versus the MANAGE privilege
MANAGE (Public Preview) is a privilege that is similar to object ownership. It grants a user the ability to edit, drop, and manage privileges on the object. However, users with the MANAGE privilege on an object are not automatically granted all privileges on that object. As with other privileges, users also require USE CATALOG on the object’s parent catalog and USE SCHEMA on the object’s parent schema. For example, to grant permissions on a table, users must have the MANAGE privilege on that table and USE CATALOG on its parent catalog, along with USE SCHEMA on its parent schema.
An object’s owner can only be a single principal (which may be a group), whereas MANAGE can be granted to multiple principals.
To avoid accidental privilege escalation, ALL PRIVILEGES does not include the MANAGE privilege.
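The following Databricks SQL is an added example, not code from the Azure Databricks documentation. It shows the two points made above and in the Owner privileges section: a MANAGE grant is only usable together with USE CATALOG and USE SCHEMA on the parents, ALL PRIVILEGES does not carry MANAGE, and neither a MANAGE holder nor a schema owner holds SELECT on a child table until it is granted explicitly. The catalog `main`, schema `finance`, table `main.finance.orders`, group `data-stewards`, and user `analyst@example.com` are assumed names.

```sql
-- Added example; all object and principal names are assumptions, not from the page.

-- 1. Delegate administration of one table to a group without making it the owner.
--    MANAGE on its own is not enough: the group also needs USE CATALOG and
--    USE SCHEMA on the parents, or it cannot reach the table at all.
GRANT USE CATALOG ON CATALOG main TO `data-stewards`;
GRANT USE SCHEMA ON SCHEMA main.finance TO `data-stewards`;
GRANT MANAGE ON TABLE main.finance.orders TO `data-stewards`;

-- 2. ALL PRIVILEGES deliberately excludes MANAGE, so this grant lets the analyst
--    read and write the table but not re-grant it, transfer it, or drop it.
GRANT ALL PRIVILEGES ON TABLE main.finance.orders TO `analyst@example.com`;

-- 3. MANAGE does not imply SELECT or MODIFY. The stewards can grant those to
--    themselves because they hold MANAGE on the table; a schema owner without
--    MANAGE on the table can do the same because owners may grant on child objects.
GRANT SELECT, MODIFY ON TABLE main.finance.orders TO `data-stewards`;

-- 4. Review who holds what. Expect MANAGE only for `data-stewards`, never as a
--    side effect of the ALL PRIVILEGES grant in step 2. The owner is a single
--    principal and is shown by DESCRIBE, not by SHOW GRANTS.
SHOW GRANTS ON TABLE main.finance.orders;
DESCRIBE TABLE EXTENDED main.finance.orders;
```

Run the statements as the object owner, a metastore admin, or a principal that already holds MANAGE on the table; anyone else will fail at step 1 with an authorization error.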
View an object’s owner
You can use Catalog Explorer or SQL statements to view an object’s owner.
Permissions required: Any user with the BROWSE privilege on the object or a parent of the object can view the object owner.
Catalog Explorer
In your Azure Databricks workspace, click Catalog.
Select the object, such as a catalog, schema, table, view, volume, external location, or storage credential.
How to navigate to the object depends on the object. Catalogs, schemas, and the contents of schemas (such as tables and volumes) are selectable in the left Catalog pane. You can find other objects, such as external locations or Delta Sharing shares, by clicking the gear icon above the Catalog pane and selecting the object category from the menu.
For most objects, the owner is displayed on the Overview tab on the object details page. For some objects, such as external locations, it is displayed at the top of the object details page.
SQL
Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:
<securable-type>: The type of securable, such as CATALOG or TABLE.
<catalog>: The parent catalog if you are viewing a schema or the contents of a schema.
<schema>: The parent schema if you are viewing the contents of a schema, such as a table or view.
<securable-name>: The name of the securable object.
DESCRIBE <securable-type> EXTENDED <catalog>.<schema>.<securable-name>;
Transfer ownership
You can use Catalog Explorer or SQL statements to transfer ownership of an object.
Permissions required: You can transfer object ownership if you are the current owner, a metastore admin, the owner of the container (the catalog for a schema, the schema for a table), or a user with the MANAGE privilege on the object. Delta Sharing share objects are an exception: principals with the USE SHARE and SET SHARE PERMISSION privileges can also transfer share ownership.
Note
To prevent privilege escalation, only a metastore admin can transfer ownership of a view, function, or model to any user, service principal, or group in the account. Current owners and users with the MANAGE privilege are restricted to transferring ownership to their own username or to a group that they are a member of.
Catalog Explorer
In your Azure Databricks workspace, click Catalog.
Select the object, such as a catalog, schema, table, view, external location, or storage credential.
How to navigate to the object depends on the object. Catalogs, schemas, and the contents of schemas (such as tables and volumes) are selectable in the left Catalog pane. You can find other objects, such as external locations or Delta Sharing shares, by clicking the gear icon above the Catalog pane and selecting the object category from the menu.
For most objects, the owner is displayed on the Overview tab on the object details page. For some objects, such as external locations, it is displayed at the top of the object details page.
Click the edit icon next to the Owner.
Search for and select a group, user, or service principal.
Click Save.
SQL
Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:
<securable-type>: The type of securable object, such as CATALOG or TABLE. METASTORE is not supported as a securable object in this command.
<securable-name>: The name of the securable. If you are modifying a schema or the contents of a schema, you must use the complete three-level namespace (catalog.schema.object), unless you have already specified the parent catalog and/or schema.
<principal>: A user, service principal (represented by its applicationId value), or group. You must enclose user, service principal, and group names that include special characters in backticks (` `). See Principal.
ALTER <securable-type> <securable-name> OWNER TO <principal>;
For example, to transfer ownership of the orders table to the accounting group:
ALTER TABLE mycatalog.myschema.orders OWNER TO `accounting`;
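The following Databricks SQL is an added example that is not part of the Azure Databricks documentation. It walks through a complete ownership change, covering both the View an object’s owner section and the transfer steps above: it inspects the current owner for several securable types (note that the namespace depth depends on the type), transfers ownership of a schema using an already-selected catalog, transfers a view under the non-admin restriction described in the note, names a service principal by its applicationId, and verifies the result. The catalog `main`, schema `finance`, table `main.finance.orders`, view `main.finance.orders_v`, external location `raw_landing`, group `finance-owners`, user `someone-else@example.com`, and the UUID are all assumed placeholders.

```sql
-- Added example; every object name, principal, and the UUID below are placeholders.

-- 1. Record the current owner before changing anything. Each securable type has
--    its own DESCRIBE form; external locations live outside catalog.schema naming.
DESCRIBE CATALOG EXTENDED main;
DESCRIBE SCHEMA EXTENDED main.finance;
DESCRIBE TABLE EXTENDED main.finance.orders_v;   -- views are described with DESCRIBE TABLE
DESCRIBE EXTERNAL LOCATION raw_landing;

-- 2. Transfer a schema. Once the parent catalog is selected, the two-level
--    name is enough; otherwise use main.finance.
USE CATALOG main;
ALTER SCHEMA finance OWNER TO `finance-owners`;

-- 3. Transfer a view. A non-admin owner or MANAGE holder may only hand a view,
--    function, or model to themselves or to a group they belong to, so this
--    succeeds only if the caller is a member of `finance-owners`.
ALTER VIEW main.finance.orders_v OWNER TO `finance-owners`;

-- The same statement targeting an unrelated user fails unless the caller is a
-- metastore admin:
-- ALTER VIEW main.finance.orders_v OWNER TO `someone-else@example.com`;

-- 4. Service principals are identified by applicationId, not display name.
ALTER TABLE main.finance.orders OWNER TO `11111111-2222-3333-4444-555555555555`;

-- 5. Confirm the new owners.
DESCRIBE SCHEMA EXTENDED main.finance;
DESCRIBE TABLE EXTENDED main.finance.orders_v;
DESCRIBE TABLE EXTENDED main.finance.orders;
```

After a transfer the previous owner keeps only the privileges that were explicitly granted to it, so check SHOW GRANTS on the object if that principal still needs to read or modify it.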