Managing Unity Catalog metastores

This article describes the privileges available for managing a Unity Catalog metastore. It also describes:

  • The metastore admin role, a highly privileged role that has all metastore management privileges by default.

  • The metastore creation and management privileges owned by account admins.

Metastore-level privileges

The following privileges can be assigned to a metastore and can be delegated to any user or group:

  • CREATE CATALOG: Allows a user to create catalogs in the metastore.

  • CREATE CONNECTION: Allows a user to create a connection to an external database in a Lakehouse Federation scenario.

  • CREATE EXTERNAL LOCATION: Allows a user to create external locations.

  • CREATE FOREIGN CATALOG: Allows a user to create foreign catalogs using a connection to an external database in a Lakehouse Federation scenario.

  • CREATE SHARE: Allows a data provider user to create a share in Delta Sharing.

  • CREATE RECIPIENT: Allows a data provider user to create a recipient in Delta Sharing.

  • CREATE PROVIDER: Allows a data recipient user to create a provider in Delta Sharing.

When you grant privileges on a metastore, you do not include the metastore name, because the metastore that is attached to your workspace is assumed. For example,

GRANT CREATE CATALOG ON METASTORE TO `account users`;

For more information about granting privileges using SQL commands, see Privileges and securable objects in Unity Catalog.
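The following SQL is an added example, not code from this page or from Databricks documentation. It delegates the metastore-level privileges listed above to specific groups rather than to `account users`, verifies the result, and removes an over-broad grant. The group names `data-platform-engineers` and `sharing-admins` are constructed for the example; the syntax is the same GRANT ... ON METASTORE form shown above, extended with comma-separated privilege lists, SHOW GRANTS and REVOKE.

```sql
-- Added example (not from the page): least-privilege delegation of metastore-level privileges.
-- Group names below are constructed for illustration.

-- Catalog creation is limited to the platform team instead of every account user.
GRANT CREATE CATALOG ON METASTORE TO `data-platform-engineers`;

-- Lakehouse Federation: a foreign catalog is built on a connection, so the two
-- privileges are granted together to the same team.
GRANT CREATE CONNECTION, CREATE FOREIGN CATALOG ON METASTORE TO `data-platform-engineers`;

-- Delta Sharing, provider side: only the sharing team may create shares and recipients.
GRANT CREATE SHARE, CREATE RECIPIENT ON METASTORE TO `sharing-admins`;

-- Verify the resulting grants. No metastore name is given because the metastore
-- attached to the current workspace is assumed.
SHOW GRANTS ON METASTORE;

-- Remove a grant that is broader than needed, such as an earlier grant to all account users.
REVOKE CREATE CATALOG ON METASTORE FROM `account users`;
```

Only a metastore admin can run these statements, since metastore-level grants are reserved to that role (see below). Running SHOW GRANTS ON METASTORE after each change is the quickest way to confirm that no principal broader than intended, such as `account users`, still holds a creation privilege.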

Metastore admin privileges

The metastore admin is a highly privileged user or group in Unity Catalog. Metastore admins have the following permissions:

  • Create catalogs, external locations, connections, shares, recipients, and providers.

  • Manage the privileges or transfer ownership of any object within the metastore, including storage credentials, external locations, connections, shares, recipients, and providers.

  • Read and update the metadata of all objects in the metastore.

  • Delete the metastore.

  • Grant themselves read and write access to all data in the metastore. By default, no direct access is allowed. Granting read and write access permissions is audit-logged.

  • Manage the allowlist and grant users the ability to manage the allowlist. See Allowlist libraries and init scripts on shared compute.

Metastore admins are the only users who can grant privileges on the metastore itself.

The account admin who creates a metastore is its initial owner and metastore admin. Databricks recommends that the account admin delegate this responsibility by nominating a group as the metastore admin. By doing this, any member of the group is automatically a metastore admin. For information about transferring metastore admin rights, see Assign a metastore admin.
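Because a metastore admin can grant themselves data access and that action is audit-logged, a periodic review of privilege changes is the natural control. The query below is an added example, not from this page; it assumes the system audit table `system.access.audit` is enabled, that Unity Catalog events carry `service_name = 'unityCatalog'`, and that privilege changes are recorded as `action_name = 'updatePermissions'` with `securable_type`, `securable_full_name` and `changes` keys in `request_params`. Those event and key names are assumptions to confirm against your own audit logs.

```sql
-- Added example (not from the page): list privilege changes on metastore-level
-- and catalog-level securables from the last 30 days.
-- Assumed: system.access.audit schema, service_name 'unityCatalog',
-- action_name 'updatePermissions' and the request_params keys used below.
SELECT
  event_time,
  user_identity.email                   AS actor,
  request_params['securable_type']      AS securable_type,
  request_params['securable_full_name'] AS securable,
  request_params['changes']             AS changes,
  response.status_code                  AS status
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND action_name = 'updatePermissions'
  AND event_date >= current_date() - INTERVAL 30 DAYS
  -- Grants on the metastore itself (metastore admins only) and direct grants on
  -- catalogs are the two cases worth a regular review.
  AND lower(request_params['securable_type']) IN ('metastore', 'catalog')
ORDER BY event_time DESC;
```

Any row whose actor is a member of the metastore admin group and whose securable is a production catalog is the "granted themselves access" case the text describes, and should map to an approved change.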

Account admin privileges

Account admin is a highly privileged role that you should distribute carefully. Account administrators have the following privileges:

  • Can create metastores, and by default become the initial metastore admin.

  • Can enable Delta Sharing for a metastore.

  • Can configure storage credentials.

  • Can change the metastore admin.

  • Can add users, service principals, and groups to a workspace.

  • Can delegate workspace administrators.

  • Can delegate other account administrators.

Workspace admin privileges

Workspace admin is a highly privileged role that you should distribute carefully. Workspace administrators have the following privileges:

  • Can add users, service principals, and groups to a workspace.

  • Can delegate other workspace administrators.

  • Can manage job ownership. See Jobs access control.

  • Can manage the job Run as setting. See Run a job as a service principal.

  • Can view and manage notebooks, dashboards, queries, and other workspace objects. See Access control.

Note

If you use workspaces to isolate user data access, you might want to use workspace-catalog bindings. Workspace-catalog bindings enable you to limit catalog access by workspace boundaries. For example, you can ensure that workspace admins and users can only access production data in prod_catalog from a production workspace environment, prod_workspace.

Workspace-catalog bindings are configured by metastore admins or catalog owners. See (Optional) Assign a catalog to specific workspaces.