Deny

Important

This documentation has been retired and might not be updated. The products, services, or technologies mentioned in this content are no longer supported. See DENY.

DENY
  privilege_type [, privilege_type ] ...
  ON [CATALOG | DATABASE <database-name> | TABLE <table-name> | VIEW <view-name> | FUNCTION <function-name> | ANONYMOUS FUNCTION | ANY FILE]
  TO principal

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

principal
  : `<user>@<domain-name>` | <group-name>

Deny a privilege on an object to a user or principal. Denying a privilege on a database (for example, a SELECT privilege) implicitly denies that privilege on all objects in that database. Denying a specific privilege on the catalog implicitly denies that privilege on all databases in the catalog.

To deny a privilege to all users, specify the keyword users after TO.

DENY can be used to ensure that a user or principal cannot access the specified object, despite any implicit or explicit GRANTs. When an object is accessed, Databricks first checks if there are any explicit or implicit DENYs on the object before checking if there are any explicit or implicit GRANTs.

For example, suppose there is a database db with tables t1 and t2. A user is initially granted SELECT privileges on db. The user can access t1 and t2 due to the GRANT on the database db.

If the administrator issues a DENY on table t1, the user will no longer be able to access t1. If the administrator issues a DENY on database db, the user will not be able to access any tables in db even if there is an explicit GRANT on these tables. That is, the DENY always supersedes the GRANT.
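
The DENY-before-GRANT evaluation order in this scenario can be modelled in a few lines of Python. This is an added illustration, not Databricks code: the Acl class, the tuple representation of objects, the sample user name, caller-supplied group membership, and refusing access when no GRANT matches are all assumptions, and ownership and administrator rights are not modelled.

```python
# Simplified model of the check described above (not Databricks code).
# Assumption: an object is a path such as ("CATALOG",), ("CATALOG", "db")
# or ("CATALOG", "db", "t1"); a rule on a parent applies implicitly to
# everything beneath it. With no matching GRANT, access is refused.

ALL_USERS = "users"  # keyword from the page: the rule applies to every user


class Acl:
    def __init__(self):
        self.rules = []  # (action, privilege, object path, principal)

    def grant(self, privilege, obj, principal):
        self.rules.append(("GRANT", privilege, tuple(obj), principal))

    def deny(self, privilege, obj, principal):
        self.rules.append(("DENY", privilege, tuple(obj), principal))

    def _matches(self, action, privilege, obj, principals):
        obj = tuple(obj)
        for act, priv, scope, who in self.rules:
            covers = obj[:len(scope)] == scope  # scope is obj or an ancestor
            if act == action and priv == privilege and covers and who in principals:
                return True
        return False

    def is_allowed(self, user, groups, privilege, obj):
        principals = {user, ALL_USERS, *groups}
        # DENYs, explicit or inherited, are checked first and always win.
        if self._matches("DENY", privilege, obj, principals):
            return False
        return self._matches("GRANT", privilege, obj, principals)


def demo():
    """Replay the db / t1 / t2 scenario from the text (user name constructed)."""
    user, db = "alice@example.com", ("CATALOG", "db")
    t1, t2 = db + ("t1",), db + ("t2",)
    acl = Acl()

    def check():  # (can SELECT t1, can SELECT t2)
        return (acl.is_allowed(user, [], "SELECT", t1),
                acl.is_allowed(user, [], "SELECT", t2))

    acl.grant("SELECT", db, user)
    after_grant = check()
    acl.deny("SELECT", t1, user)
    after_table_deny = check()
    acl.grant("SELECT", t2, user)  # explicit table-level GRANT
    acl.deny("SELECT", db, user)   # database-level DENY still supersedes it
    return after_grant, after_table_deny, check()
```
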

Example

DENY SELECT ON <table-name> TO `<user>@<domain-name>`;