Manage permissions on governed tags
This feature is in Public Preview.
This page explains how to grant permissions on governed tags. For an overview of governed tags, see Governed tags.
Governed tag permissions overview
Governed tag permissions determine who can create, edit, assign, and delete governed tags, as well as who can assign governed tags to resources. Governed tag permissions can apply at one of two scopes:
- Account: If you have a permission at the account level, you have that permission on all governed tags in the account. For example, if you have MANAGE at the account level, you can manage any governed tag in the account.
- Individual governed tag: If you have a permission on a specific governed tag, you can only manage or assign that particular governed tag.
The following table summarizes the permissions available for managing governed tags.
Permission | Definition | Scope |
---|---|---|
CREATE | Create new governed tags | Account |
MANAGE | Edit, delete, and assign permissions for governed tags | Account or individual governed tag |
ASSIGN | Assign governed tags to Unity Catalog objects | Account or individual governed tag |
- Account admins have CREATE and MANAGE permissions on the account by default.
- Workspace admins have CREATE on the account by default.
- Users with the CREATE permission can add new governed tags and are automatically granted the MANAGE permission on each governed tag they create.
- System tags cannot be updated or deleted, even by users with the MANAGE permission.
The ASSIGN permission controls who can use governed tags. This is distinct from privileges that determine whether a user can add or edit tags on specific objects. For example, the APPLY TAG privilege on an object is also required to assign governed tags to Unity Catalog objects.
Users can also continue to create and assign tags that are not governed.
Updating governed tag permissions can take up to 30 seconds or longer to fully propagate. The UI reflects the updated permissions immediately, but permission checks may not succeed until propagation is complete.
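The following is an added example, not Databricks code or a Databricks API: a small local model of the rules in this overview, useful for reasoning about who can effectively do what during an access review. It assumes permissions are independent (the page does not say that MANAGE implies ASSIGN), ignores group membership, and uses made-up principal, tag, and object names.

```python
from dataclasses import dataclass

ACCOUNT = "*"  # assumption: marker this model uses for an account-level grant
PERMISSIONS = {"CREATE", "MANAGE", "ASSIGN"}

@dataclass(frozen=True)
class Grant:
    principal: str
    permission: str
    scope: str  # ACCOUNT or the key of one governed tag

    def __post_init__(self):
        if self.permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {self.permission!r}")
        if self.permission == "CREATE" and self.scope != ACCOUNT:
            raise ValueError("CREATE is only available at account scope")

def has_permission(grants, principal, permission, tag):
    # An account-level grant covers every governed tag; a tag-level grant covers one.
    return any(g.principal == principal and g.permission == permission
               and g.scope in (ACCOUNT, tag) for g in grants)

def create_tag(grants, principal, tag):
    # Creating needs CREATE; the creator is automatically granted MANAGE on the new tag.
    if not has_permission(grants, principal, "CREATE", tag):
        raise PermissionError(f"{principal} lacks CREATE")
    return grants + [Grant(principal, "MANAGE", tag)]

def can_modify(grants, system_tags, principal, tag):
    # System tags cannot be updated or deleted, even with MANAGE.
    return tag not in system_tags and has_permission(grants, principal, "MANAGE", tag)

def can_assign(grants, apply_tag, principal, tag, obj):
    # Both checks must pass: ASSIGN on the governed tag and APPLY TAG on the object.
    return (has_permission(grants, principal, "ASSIGN", tag)
            and (principal, obj) in apply_tag)

def account_wide(grants):
    # Access-review helper: grants that apply to every governed tag in the account.
    return sorted((g.principal, g.permission) for g in grants if g.scope == ACCOUNT)

# Constructed sample data (names are made up for this example).
GRANTS = [
    Grant("admin", "CREATE", ACCOUNT), Grant("admin", "MANAGE", ACCOUNT),
    Grant("steward", "CREATE", ACCOUNT),
    Grant("analyst", "ASSIGN", "cost_center"),
]
APPLY_TAG = {("analyst", "main.sales.orders")}  # (principal, object) pairs
SYSTEM_TAGS = {"example_system_tag"}
```

In a review, the output of account_wide is the list to scrutinize first, because each of those grants applies to every governed tag in the account.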
Assign governed tag permissions on the account
To assign governed tag permissions at the account level, you must have the MANAGE permission at the account level. Account admins have MANAGE on the account by default.
- In your Databricks workspace, click Catalog.
- Click the Governed tags button.
- Click the Account Permissions tab.
- Click Grant permission set.
- In Principals, select the user, service principal, or group you want to assign permissions to.
- In Permission sets, select the desired permissions (CREATE, MANAGE, or ASSIGN).
- Click Save.
Assign permissions on an individual governed tag
To assign permissions on an individual governed tag, you must have the MANAGE permission on that governed tag.
- In your Databricks workspace, click Catalog.
- Click the Governed tags button.
- Select the governed tag.
- Click the Permissions tab.
- Click Grant permission set.
- In Principals, select the user, service principal, or group you want to assign permissions to.
- In Permission sets, select the desired permissions (CREATE, MANAGE, or ASSIGN).
- Click Save.