Unity Catalog privileges and securable objects

Unity Catalog introduces a new privileges model and new securable objects. To learn about how this model differs from the Hive metastore, see Work with Unity Catalog and the legacy Hive metastore.

You can manage privileges for metastore objects in Data Explorer or by using SQL commands in the Databricks SQL editor or a Data Science & Engineering notebook.

To manage privileges, you use GRANT and REVOKE statements. Access can be granted by a metastore admin, the owner of an object, or the owner of the catalog or schema that contains the object. A built-in group called account users includes all users.

Note

Metastore administrators have additional privileges not listed below. See Administrator privileges in Unity Catalog.

The following table summarizes the privileges that can be granted on each securable object:

Securable: privileges

Metastore: CREATE CATALOG, CREATE EXTERNAL LOCATION, CREATE SHARE, CREATE RECIPIENT
Catalog: CREATE, USAGE
Schema: CREATE, USAGE
Table: SELECT, MODIFY
View: SELECT
External location: CREATE TABLE, READ FILES, WRITE FILES
Storage credential: CREATE TABLE, READ FILES, WRITE FILES, CREATE EXTERNAL LOCATION
Function: EXECUTE
Share: SELECT (can be granted to a RECIPIENT)
Recipient: none
Provider: none

You can also manage privileges by using the Databricks Terraform provider and databricks_grants.

Inheritance model

In Unity Catalog, privileges are not inherited by child securable objects. For example, if you grant the CREATE privilege on a catalog to a user, the user does not automatically have the CREATE privilege on the schemas in that catalog; each schema needs its own grant.

USAGE

Applicable object types: CATALOG, SCHEMA

This privilege does not grant access to the securable itself, but is needed for a user to interact with any object within the securable. For example, to select data from a table, users need to have the SELECT privilege on that table and USAGE privileges on its parent schema and parent catalog.

This lets schema and catalog owners limit how far individual table owners can share the data they produce. A table owner granting SELECT to another user does not give that user read access to the table unless the user also holds USAGE on the schema and on the catalog.
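The USAGE gate and the complete grant chain it requires, as an added example written for this page (not a snippet from the Databricks documentation). The catalog `prod`, schema `prod.sales`, table `prod.sales.orders`, group `analysts` and user `alice@example.com` are hypothetical names chosen for illustration.

```sql
-- Added example with hypothetical names.
-- Minimum chain that lets the group `analysts` read prod.sales.orders:
-- USAGE on both parents plus SELECT on the table. None of these is
-- inherited, so all three grants are needed.
GRANT USAGE  ON CATALOG prod              TO `analysts`;
GRANT USAGE  ON SCHEMA  prod.sales        TO `analysts`;
GRANT SELECT ON TABLE   prod.sales.orders TO `analysts`;

-- The gate: the table owner grants SELECT to alice, but alice holds no
-- USAGE on prod.sales or prod. The grant is recorded, yet her queries on
-- the table fail until the schema and catalog owners also grant USAGE.
GRANT SELECT ON TABLE prod.sales.orders TO `alice@example.com`;

-- Verify what is actually granted, at every level. A SELECT that shows up
-- on the table is inert while either parent is missing USAGE.
SHOW GRANTS `alice@example.com` ON TABLE   prod.sales.orders;
SHOW GRANTS `alice@example.com` ON SCHEMA  prod.sales;
SHOW GRANTS `alice@example.com` ON CATALOG prod;

-- Cutting access off: revoking USAGE on the schema blocks the group from
-- every object in it at once, without touching the per-table SELECT grants.
REVOKE USAGE ON SCHEMA prod.sales FROM `analysts`;

-- Restore the schema-level USAGE if the revoke above was only a test.
GRANT USAGE ON SCHEMA prod.sales TO `analysts`;
```

When reviewing who can read a table, check the three SHOW GRANTS outputs together: the per-table grant list alone overstates effective access, and the parent USAGE grants alone say nothing about which tables are readable.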

SELECT

Applicable object types: TABLE, VIEW

Allows a user to select from a table or view, if the user also has USAGE on its parent catalog and schema.

MODIFY

Applicable object types: TABLE

Allows a user to add, update, and delete rows in the table, if the user also has USAGE on its parent catalog and schema.

CREATE

Applicable object types: CATALOG, SCHEMA

If applied to a catalog, allows a user to create a schema. The user also requires the USAGE permission on the catalog.

If applied to a schema, allows a user to create a table or view in the schema. The user also requires the USAGE permission on its parent catalog and the schema.
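How CREATE is scoped at the catalog and schema level, and what the no-inheritance rule from the Inheritance model section means in practice, as an added example written for this page (not code from the Databricks documentation). The catalog `prod`, schemas `prod.sales` and `prod.staging`, and groups `data_eng` and `contractors` are hypothetical names.

```sql
-- Added example with hypothetical names.
-- Let the data_eng group create new schemas in catalog prod: CREATE on the
-- catalog, plus the USAGE the page requires on that catalog.
GRANT USAGE  ON CATALOG prod TO `data_eng`;
GRANT CREATE ON CATALOG prod TO `data_eng`;

-- No inheritance: the two grants above do NOT let data_eng create tables in
-- an existing schema such as prod.sales. That needs CREATE on the schema,
-- together with USAGE on the schema and on the catalog.
GRANT USAGE  ON SCHEMA prod.sales TO `data_eng`;
GRANT CREATE ON SCHEMA prod.sales TO `data_eng`;

-- Least privilege for a narrower principal: contractors may build tables in
-- prod.staging only. They get USAGE on the catalog (needed to reach the
-- schema) but no CREATE on the catalog, so they cannot add schemas.
GRANT USAGE  ON CATALOG prod         TO `contractors`;
GRANT USAGE  ON SCHEMA  prod.staging TO `contractors`;
GRANT CREATE ON SCHEMA  prod.staging TO `contractors`;

-- If CREATE on the catalog was ever handed to contractors, remove it; the
-- schema-level CREATE on prod.staging is unaffected by this revoke.
REVOKE CREATE ON CATALOG prod FROM `contractors`;

-- Audit: catalog-level CREATE grants are the ones that allow new schemas,
-- schema-level CREATE grants are the ones that allow new tables and views.
SHOW GRANTS ON CATALOG prod;
SHOW GRANTS ON SCHEMA  prod.staging;
```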

EXECUTE

Applicable object types: FUNCTION

Allows a user to invoke a user defined function, if the user also has USAGE on its parent catalog and schema.

CREATE TABLE

Applicable object types: EXTERNAL LOCATION, STORAGE CREDENTIAL

Allows a user to create external tables directly in your cloud tenant using an external location or storage credential. Databricks recommends granting this privilege on an external location rather than storage credential (since it’s scoped to a path, it allows more control over where users can create external tables in your cloud tenant).

READ FILES

Applicable object types: EXTERNAL LOCATION, STORAGE CREDENTIAL

Allows a user to read files directly from your cloud object storage. Databricks recommends granting this privilege on an external location rather than storage credential (since it’s scoped to a path it allows more control over where users can read data from).

WRITE FILES

Applicable object types: EXTERNAL LOCATION, STORAGE CREDENTIAL

Allows a user to write files directly into your cloud object storage. Databricks recommends granting this privilege on an external location rather than a storage credential (since it is scoped to a path, it allows more control over where users can write data).

CREATE EXTERNAL LOCATION

Applicable object types: Unity Catalog metastore, STORAGE CREDENTIAL

When applied to a storage credential, allows a user to create an external location using the storage credential. This privilege can also be granted to a user on the metastore to allow them to create an external location.
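The path-scoping recommendation from the CREATE TABLE, READ FILES and WRITE FILES sections, and delegated CREATE EXTERNAL LOCATION on a credential, as an added example written for this page (not code from the Databricks documentation). The storage credential `lake_cred`, external location `landing_zone`, bucket path `s3://corp-data-lake/landing/`, schema `prod.landing`, and groups `ingest_jobs` and `platform_admins` are hypothetical names.

```sql
-- Added example with hypothetical names.
-- A storage credential reaches everything the underlying cloud identity can
-- reach; an external location pins that credential to one path prefix.
CREATE EXTERNAL LOCATION landing_zone
  URL 's3://corp-data-lake/landing/'
  WITH (STORAGE CREDENTIAL lake_cred)
  COMMENT 'Raw files dropped by ingestion jobs';

-- Weak pattern (kept commented out): granting on the credential lets
-- ingest_jobs read, write and create tables anywhere lake_cred can reach.
-- GRANT READ FILES, WRITE FILES, CREATE TABLE
--   ON STORAGE CREDENTIAL lake_cred TO `ingest_jobs`;

-- Recommended pattern: grant the same privileges on the external location,
-- which confines them to s3://corp-data-lake/landing/ and below.
GRANT READ FILES, WRITE FILES ON EXTERNAL LOCATION landing_zone TO `ingest_jobs`;
GRANT CREATE TABLE            ON EXTERNAL LOCATION landing_zone TO `ingest_jobs`;

-- If the credential itself was handed out earlier, take that back so the
-- location grant is the only route to the bucket.
REVOKE READ FILES, WRITE FILES, CREATE TABLE
  ON STORAGE CREDENTIAL lake_cred FROM `ingest_jobs`;

-- Minting further locations from the credential is a separate privilege on
-- the credential. Keep it with the platform team, off the ingest group.
GRANT CREATE EXTERNAL LOCATION ON STORAGE CREDENTIAL lake_cred TO `platform_admins`;

-- Creating an external table under the location still goes through the
-- catalog model: ingest_jobs also needs USAGE on prod and USAGE plus CREATE
-- on prod.landing, in addition to CREATE TABLE on landing_zone.
GRANT USAGE  ON CATALOG prod         TO `ingest_jobs`;
GRANT USAGE  ON SCHEMA  prod.landing TO `ingest_jobs`;
GRANT CREATE ON SCHEMA  prod.landing TO `ingest_jobs`;

CREATE TABLE prod.landing.events
  USING DELTA
  LOCATION 's3://corp-data-lake/landing/events/';

-- Audit: who can touch the path, and who can create new locations from the
-- credential. The second list should be short.
SHOW GRANTS ON EXTERNAL LOCATION landing_zone;
SHOW GRANTS ON STORAGE CREDENTIAL lake_cred;
```

The two SHOW GRANTS outputs are the check a reviewer wants: any principal that appears with READ FILES, WRITE FILES or CREATE TABLE directly on the credential has bucket-wide reach regardless of how narrowly the external locations were defined.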

CREATE CATALOG

Applicable object types: Unity Catalog metastore

Allows a user to create a catalog in a Unity Catalog metastore.

ALL PRIVILEGES

Applicable object types: All object types

Used to grant or revoke all privileges applicable to the securable without listing them explicitly. The grant is expanded to the set of privileges that exists for that securable type at the time the GRANT is issued; privileges introduced later are not added to it automatically, so re-check such grants with SHOW GRANTS after the privilege model changes.