Manage privileges in Unity Catalog

This article explains how to control access to data and other objects in Unity Catalog.

You can set access controls using Catalog Explorer, using SQL statements in notebooks or Databricks SQL queries, using the Unity Catalog REST API, or using Terraform.

Initially, users have no access to data in a metastore. Access can be granted by either a metastore admin, the owner of an object, or the owner of the catalog or schema that contains the object.

Admin privileges

Databricks account admins, workspace admins, and metastore admins have default privileges for managing Unity Catalog. See Admin privileges in Unity Catalog.

Object ownership

All securable objects in Unity Catalog have an owner. Object owners have all privileges on that object, including the ability to grant privileges to other principals. See Manage Unity Catalog object ownership.

Unity Catalog privileges

Access privileges can be granted by either a metastore admin, the owner of an object, or the owner of the catalog or schema that contains the object. See Unity Catalog privileges and securable objects.

Privilege inheritance

Securable objects in Unity Catalog are hierarchical and privileges are inherited downward. This means that granting a privilege on the catalog automatically grants the privilege to all current and future objects within the catalog. Similarly, privileges granted on a schema are inherited by all current and future objects within that schema. See Inheritance model.

Note

If you created your Unity Catalog metastore during the public preview (before August 25, 2022), you can upgrade to Privilege Model version 1.0 with privilege inheritance. See Upgrade to privilege inheritance.

Basic object privileges

Unity Catalog supports the SQL keywords SHOW, GRANT, and REVOKE for managing privileges on catalogs, schemas, tables, views, and functions.

An object’s owner or a metastore admin can list all grants on the object. If the object is contained within a catalog or schema (for example, a table or view), the owner of the catalog or schema can also list all grants on the object.

See the SQL reference documentation for examples of this syntax.

Catalog Explorer provides a UI to complete these actions; see Manage Unity Catalog permissions in Catalog Explorer.
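The following is an added example, not part of the original page, showing how the GRANT, SHOW GRANTS, and REVOKE statements described above interact with privilege inheritance. The catalog `sales`, schema `sales.reporting`, table `sales.reporting.orders`, and the groups `analysts` and `data-eng` are constructed names for illustration.

```sql
-- Constructed example: grant read access to one schema following least privilege.
-- A principal can only reach a table if it also holds USE CATALOG on the parent
-- catalog and USE SCHEMA on the parent schema; these privileges do not grant
-- any data access by themselves.
GRANT USE CATALOG ON CATALOG sales TO `analysts`;
GRANT USE SCHEMA ON SCHEMA sales.reporting TO `analysts`;

-- Inheritance: SELECT granted at the schema level applies to every current and
-- future table and view in sales.reporting, so no per-table grant is needed.
GRANT SELECT ON SCHEMA sales.reporting TO `analysts`;

-- Review what is granted before widening access further.
-- Only the object owner, a metastore admin, or the owner of the containing
-- catalog or schema can list these grants.
SHOW GRANTS ON SCHEMA sales.reporting;
SHOW GRANTS `analysts` ON TABLE sales.reporting.orders;

-- Remove schema-wide read access once it is no longer needed. Because the
-- grant was made on the schema, it must also be revoked on the schema;
-- REVOKE on a single table would not remove an inherited privilege.
REVOKE SELECT ON SCHEMA sales.reporting FROM `analysts`;

-- Transfer ownership of a table; the new owner receives all privileges on it
-- and can grant them to other principals.
ALTER TABLE sales.reporting.orders OWNER TO `data-eng`;
```

When auditing access, run SHOW GRANTS on the catalog and schema as well as on the table, since a grant made at a higher level does not appear in the table's own grant list.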

Transfer ownership

To transfer ownership of an object within a metastore, you can use SQL or Catalog Explorer. See Manage Unity Catalog object ownership or Manage Unity Catalog object ownership in Catalog Explorer.

Manage external locations and storage credentials

You can configure external locations and storage credentials for Unity Catalog using Catalog Explorer. For more information, see Manage storage credentials and Manage external locations.

Dynamic views

Dynamic views allow you to manage which users have access to a view’s rows, columns, or even specific records by filtering or masking their values. See Create a dynamic view.