Administrator privileges in Unity Catalog

Metastore administrators have privileges for creating metastore-level securable objects in Unity Catalog. You can grant privileges to create metastore-level securables to users, groups, and service principals in the account. Databricks recommends limiting these privileges to trusted power users.

Metastore-level privileges

A metastore admin is a highly privileged user or group in Unity Catalog. Metastore admins have the following permissions:

  • Create catalogs, external locations, shares, recipients, and providers.

  • Manage the privileges or transfer ownership of any object within the metastore, including storage credentials, external locations, shares, recipients, and providers.

  • Read and update the metadata of all objects in the metastore.

  • Delete the metastore.

  • Grant themselves read and write access to all data in the metastore. Metastore admins have no direct access to data by default, and granting permissions is audit logged.

The account admin who creates a metastore is its initial owner and metastore admin. Databricks recommends that the account admin delegate this responsibility by nominating a group as the metastore admin. Any member of that group is then automatically a metastore admin. For information about transferring metastore admin rights, see Assign a metastore admin.

Metastore admins can grant the following metastore-level privileges to other users:

  • CREATE CATALOG: Allows a user to create a catalog.

  • CREATE EXTERNAL LOCATION: Allows a user to create an external location.

  • CREATE SHARE: Allows a data provider user to create a share in Delta Sharing.

  • CREATE RECIPIENT: Allows a data provider user to create a recipient in Delta Sharing.

  • CREATE PROVIDER: Allows a data recipient user to create a provider in Delta Sharing.
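
The following is an added example, not taken from the original page, showing how a metastore admin might review, delegate, and audit the metastore-level privileges listed above. The principals `uc-platform-admins` and `analyst@example.com` are hypothetical, and the audit query assumes the `system.access.audit` system table is enabled and that permission changes are recorded under the action name `updatePermissions`.

```sql
-- Constructed principals: `uc-platform-admins` (a group) and
-- `analyst@example.com` (a user) are hypothetical names.

-- 1. Review which principals currently hold metastore-level privileges.
SHOW GRANTS ON METASTORE;

-- 2. Delegate creation rights to a managed group rather than to
--    individual users, so membership changes control access.
GRANT CREATE CATALOG ON METASTORE TO `uc-platform-admins`;
GRANT CREATE EXTERNAL LOCATION ON METASTORE TO `uc-platform-admins`;

-- 3. Remove a direct grant that was given to an individual user.
REVOKE CREATE CATALOG ON METASTORE FROM `analyst@example.com`;

-- 4. Confirm that the user no longer holds metastore-level privileges.
SHOW GRANTS `analyst@example.com` ON METASTORE;

-- 5. Review recent permission changes, including any case where a
--    metastore admin granted themselves access to data.
--    Assumption: audit system table enabled; action name as noted above.
SELECT event_time,
       user_identity.email AS actor,
       action_name,
       request_params
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND action_name = 'updatePermissions'
  AND event_date >= date_sub(current_date(), 30)
ORDER BY event_time DESC;
```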

Account administrator privileges

Account administrators have the following privileges:

  • Can create metastores, and by default become the initial metastore admin.

  • Can enable Delta Sharing for a metastore.

  • Can configure storage credentials.

  • Can change the metastore administrator.