Manage privileges in Unity Catalog

This article explains how to control access to data and other objects in Unity Catalog.

You can set access controls using Data Explorer, SQL statements in notebooks or Databricks SQL queries, or using the Unity Catalog REST API.

Initially, users have no access to data in a metastore. Access can be granted by either a metastore admin, the owner of an object, or the owner of the catalog or schema that contains the object.

Assign a metastore admin

The metastore admin is a highly privileged user or group in Unity Catalog. Metastore admins have the following permissions:

  • Create catalogs, external locations, shares, and recipients.

  • Manage the privileges or transfer ownership of any object within the metastore, including storage credentials, external locations, shares, recipients, and providers.

  • Read and update the metadata of all objects in the metastore.

  • Delete the metastore.

  • Grant themselves read and write access to all data in the metastore (no direct access by default; granting permissions is audit logged).

The account admin who creates a metastore is its initial owner and metastore admin. Databricks recommends that the account admin delegate this responsibility by nominating a group as the metastore admin. By doing this, any member of the group is automatically a metastore admin.

To transfer the metastore admin role to a group:

  1. Log in to the account console.

  2. Click Data.

  3. Click the name of a metastore to open its properties.

  4. Under Metastore Admin, click Edit.

  5. Select a group from the drop-down. You can enter text in the field to search for options.

  6. Click Save.

See Administrator privileges in Unity Catalog.

Object ownership

All securable objects in Unity Catalog have an owner. Object owners have all privileges for an object. See Manage Unity Catalog object ownership.

Unity Catalog privileges

Access privileges can be granted by either a metastore admin, the owner of an object, or the owner of the catalog or schema that contains the object. See Unity Catalog privileges and securable objects.

Basic object privileges

Unity Catalog supports the SQL keywords SHOW, GRANT, and REVOKE for managing privileges on catalogs, schemas, tables, views, and functions.

An object’s owner or a metastore admin can list all grants on the object. If the object is contained within a catalog or schema (for example, a table or view), the owner of the catalog or schema can also list all grants on the object.
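The following statements are an added example, not part of the original article, showing how the SHOW GRANTS, GRANT, and REVOKE keywords combine on the three-level namespace. The catalog `main`, schema `finance`, table `transactions`, and group `analysts` are assumed names; to read a table a principal needs USE CATALOG on the catalog and USE SCHEMA on the schema in addition to SELECT on the table, so the grants are layered from the top down and only the narrowest one is revoked at the end.

```sql
-- Assumed objects: catalog main, schema finance, table transactions, group analysts.
-- Run as the metastore admin or as the owner of the catalog/schema/table.

-- Step 1: least-privilege path down the hierarchy. USE CATALOG and USE SCHEMA
-- grant traversal only; they expose no data by themselves.
GRANT USE CATALOG ON CATALOG main TO `analysts`;
GRANT USE SCHEMA  ON SCHEMA  main.finance TO `analysts`;

-- Step 2: read access to a single table rather than to the whole schema.
GRANT SELECT ON TABLE main.finance.transactions TO `analysts`;

-- Step 3: verify what is actually granted on the object. Only the owner,
-- the metastore admin, or the owner of the containing catalog/schema can run this.
SHOW GRANTS ON TABLE main.finance.transactions;

-- Step 4: review grants for one principal across the table.
SHOW GRANTS `analysts` ON TABLE main.finance.transactions;

-- Step 5: revoke only the data privilege; traversal privileges are left in place
-- so other tables in the schema that analysts can SELECT keep working.
REVOKE SELECT ON TABLE main.finance.transactions FROM `analysts`;
```

Granting SELECT at the schema or catalog level instead of on the table applies to every current and future table underneath it, which is convenient but widens exposure as objects are added; granting at the table level keeps the blast radius of a mistaken grant to one object, and each GRANT and REVOKE is recorded in the audit log.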

See the SQL reference documentation for examples of this syntax:

Data Explorer provides a UI to complete these actions; see Manage Unity Catalog permissions in Data Explorer.

Transfer ownership

To transfer ownership of an object within a metastore, you can use SQL or Data Explorer. See Manage Unity Catalog object ownership or Manage Unity Catalog object ownership in Data Explorer.
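The SQL form of an ownership transfer, as an added example that is not part of the original article. The schema `main.finance`, table `transactions`, and group `finance_admins` are assumed names. Transferring ownership to a group rather than an individual mirrors the metastore-admin recommendation above: members can be rotated without re-running transfers when someone leaves.

```sql
-- Assumed objects: schema main.finance, table main.finance.transactions,
-- group finance_admins. Run as the current owner or the metastore admin.

-- Transfer the table to a group; the previous owner keeps only whatever
-- explicit grants it still holds on the table.
ALTER TABLE main.finance.transactions OWNER TO `finance_admins`;

-- Transfer the containing schema as well, so the group can also manage
-- grants on every other object inside it.
ALTER SCHEMA main.finance OWNER TO `finance_admins`;

-- Verify: the Owner field in the extended description reflects the new group.
DESCRIBE TABLE EXTENDED main.finance.transactions;
DESCRIBE SCHEMA EXTENDED main.finance;
```

Because an owner holds all privileges on the object, a transfer is effectively a full-access grant to the new principal; review the target group's membership before running it.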

Manage external locations and storage credentials

You can configure external locations and storage credentials for Unity Catalog using Data Explorer. For more information, see Manage external locations and storage credentials.

Dynamic views

Dynamic views allow you to manage which users have access to a view’s rows, columns, or even specific records by filtering or masking their values. See Create a dynamic view.
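A worked dynamic view, added here as an example rather than taken from the original article. It assumes a table `main.finance.transactions` with columns `txn_id`, `region`, `amount`, and `customer_email`, and a group `finance_admins`; it uses the Unity Catalog function `is_account_group_member()` to apply both a column mask and a row filter in one view.

```sql
-- Assumed base table main.finance.transactions(txn_id, region, amount, customer_email)
-- and account-level group finance_admins.

CREATE OR REPLACE VIEW main.finance.transactions_protected AS
SELECT
  txn_id,
  region,
  amount,
  -- Column masking: only finance admins see the raw e-mail address;
  -- everyone else gets a keyed-free SHA-256 digest that still joins consistently.
  CASE
    WHEN is_account_group_member('finance_admins') THEN customer_email
    ELSE sha2(customer_email, 256)
  END AS customer_email
FROM main.finance.transactions
-- Row filtering: finance admins see every row; other users see only their region.
WHERE
  CASE
    WHEN is_account_group_member('finance_admins') THEN TRUE
    ELSE region = 'EU'
  END;

-- Consumers get SELECT on the view only, never on the underlying table,
-- otherwise they could bypass the mask and filter by querying the table directly.
GRANT SELECT ON VIEW main.finance.transactions_protected TO `analysts`;
```

The view runs with its owner's privileges, so the owner needs SELECT on `main.finance.transactions` while the readers need only USE CATALOG, USE SCHEMA, and SELECT on the view. Confirm with SHOW GRANTS ON TABLE main.finance.transactions that the consuming group holds no direct grant on the base table; any such grant silently defeats the masking.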