Administrator privileges in Unity Catalog
Metastore administrators have privileges for creating metastore-level securable objects in Unity Catalog. You can grant privileges to create metastore-level securables to users, groups, and service principals in the account. Databricks recommends limiting these privileges to trusted power users.
Metastore-level privileges
A metastore admin is a highly privileged user or group in Unity Catalog. Metastore admins have the following permissions:
Create catalogs, external locations, shares, recipients, and providers.
Manage the privileges or transfer ownership of any object within the metastore, including storage credentials, external locations, shares, recipients, and providers.
Read and update the metadata of all objects in the metastore.
Delete the metastore.
Grant themselves read and write access to all data in the metastore (no direct access by default; granting permissions is audit logged).
The account admin who creates a metastore is its initial owner and metastore admin. Databricks recommends that the account admin delegate this responsibility by nominating a group as the metastore admin. By doing this, any member of the group is automatically a metastore admin. For information about transferring metastore admin rights, see Assign a metastore admin.
Metastore admins can grant the following metastore-level privileges to other users:
CREATE CATALOG: Allows a user to create a catalog.
CREATE EXTERNAL LOCATION: Allows a user to create an external location.
CREATE SHARE: Allows a data provider user to create a share in Delta Sharing.
CREATE RECIPIENT: Allows a data provider user to create a recipient in Delta Sharing.
CREATE PROVIDER: Allows a data recipient user to create a provider in Delta Sharing.