Deny
Important
This documentation has been retired and might not be updated. The products, services, or technologies mentioned in this content are no longer supported. See DENY.
DENY
  privilege_type [, privilege_type ] ...
  ON [CATALOG | DATABASE <database-name> | TABLE <table-name> | VIEW <view-name> | FUNCTION <function-name> | ANONYMOUS FUNCTION | ANY FILE]
  TO principal

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

principal
  : `<user>@<domain-name>` | <group-name>

Deny a privilege on an object to a user or principal. Denying a privilege on a database (for example a SELECT privilege) has the effect of implicitly denying that privilege on all objects in that database. Denying a specific privilege on the catalog has the effect of implicitly denying that privilege on all databases in the catalog.

To deny a privilege to all users, specify the keyword users after TO.

DENY can be used to ensure that a user or principal cannot access the specified object, despite any implicit or explicit GRANTs. When an object is accessed, Databricks first checks if there are any explicit or implicit DENYs on the object before checking if there are any explicit or implicit GRANTs.

For example, suppose there is a database db with tables t1 and t2. A user is initially granted SELECT privileges on db. The user can access t1 and t2 due to the GRANT on the database db.

If the administrator issues a DENY on table t1, the user will no longer be able to access t1.

If the administrator issues a DENY on database db, the user will not be able to access any tables in db even if there is an explicit GRANT on these tables. That is, the DENY always supersedes the GRANT.
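
The check order described above, replayed on the db/t1/t2 scenario as an added example (a simplified model written for this page, not Databricks code). The tuple encoding of objects, the helper names, the principal alice@example.com, and the rule that access requires a matching GRANT are assumptions of the model.

```python
# Added example: a simplified model of the check order described on this page.
# It is not Databricks code. Objects are paths: () is the catalog,
# ("db",) a database, ("db", "t1") a table. Rules are
# (principal, privilege, object) tuples; only single named privileges are modelled.

def containers(obj):
    """Return obj followed by every object that contains it, up to the catalog."""
    return [obj[:i] for i in range(len(obj), -1, -1)]

def is_allowed(user, privilege, obj, grants, denies):
    """Evaluate DENYs first, then GRANTs, each explicit or implicit."""
    principals = (user, "users")  # "users" is the keyword for all users
    scope = containers(obj)

    def matches(rules):
        return any((p, privilege, o) in rules for p in principals for o in scope)

    if matches(denies):     # a DENY on obj or on anything containing it wins
        return False
    return matches(grants)  # assumption: no matching GRANT means no access

def walk_through():
    """Replay the db/t1/t2 scenario; returns (t1, t2) access after each step."""
    user = "alice@example.com"  # constructed principal
    db, t1, t2 = ("db",), ("db", "t1"), ("db", "t2")
    grants, denies = {(user, "SELECT", db)}, set()
    results = []

    def snapshot():
        results.append(tuple(is_allowed(user, "SELECT", t, grants, denies)
                             for t in (t1, t2)))

    snapshot()                         # after GRANT SELECT ON DATABASE db
    denies.add((user, "SELECT", t1))
    snapshot()                         # after DENY SELECT ON TABLE t1
    grants.update({(user, "SELECT", t1), (user, "SELECT", t2)})
    denies.add((user, "SELECT", db))
    snapshot()                         # explicit table GRANTs, then DENY on db
    return results

if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

The last step shows why an audit of effective access has to look for DENYs on the containing database and catalog, not only at the rules attached to the table itself.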