Manage Unity Catalog object ownership
Each securable object in Unity Catalog has an owner. The owner can be any user, service principal, or account group, known as a principal. The principal that creates an object becomes its initial owner. An object’s owner has all privileges on the object, such as SELECT and MODIFY on a table, in addition to the permission to grant privileges to other principals. An object’s owner has the ability to drop the object.
Inheritance
Owners of an object are automatically granted all privileges on that object. In addition, object owners can grant privileges on the object itself and on all of its child objects. This means that owners of a schema do not automatically have all privileges on the tables in the schema, but they can grant themselves privileges on the tables in the schema.
Permissions required to transfer ownership
Object ownership can be transferred to other principals by the current owner, a metastore admin, or the owner of the container (the catalog for a schema, the schema for a table). Delta Sharing share objects are an exception: principals with the USE SHARE and SET SHARE PERMISSION privileges can also transfer share ownership.
Show owner
To see the owner of a securable object, use the following syntax. Replace the placeholder values:
<SECURABLE-TYPE>: The type of securable, such as CATALOG or TABLE.
<catalog>: The parent catalog for a table or view.
<schema>: The parent schema for a table or view.
<securable-name>: The name of the securable, such as a table or view.
SQL:
DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>;

Python:
display(spark.sql("DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>"))

R:
library(SparkR)
display(sql("DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>"))

Scala:
display(spark.sql("DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>"))
Transfer ownership
To transfer ownership of an object, use a SQL command with the following syntax. Replace the placeholder values:
<SECURABLE-TYPE>: The type of securable object, such as CATALOG or TABLE. METASTORE is not supported as a securable object in this command.
<SECURABLE-NAME>: The name of the securable.
<PRINCIPAL>: The email address of an account-level user or the name of an account-level group.
SQL:
ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>;

Python:
spark.sql("ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>")

R:
library(SparkR)
sql("ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>")

Scala:
spark.sql("ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>")
For example, to transfer ownership of a table to the accounting group:
SQL:
ALTER TABLE orders OWNER TO `accounting`;

Python:
spark.sql("ALTER TABLE orders OWNER TO `accounting`")

R:
library(SparkR)
sql("ALTER TABLE orders OWNER TO `accounting`")

Scala:
spark.sql("ALTER TABLE orders OWNER TO `accounting`")
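
The show-owner and transfer steps above, combined into an added Python example (not code from the original page or from Databricks): it reads the current owner from DESCRIBE ... EXTENDED rows and builds the ALTER ... OWNER TO statement with every variable part backtick-quoted, so a name taken from input cannot change the statement. The helper names, the allow-list, the sample rows and the row layout (key in the first field, value in the second, an "Owner" key, a "# Detailed" marker line for tables) are assumptions for illustration.

```python
# Constructed allow-list; METASTORE is absent because this command does not support it.
ALLOWED_TYPES = {"CATALOG", "SCHEMA", "TABLE", "VIEW"}

def quote_ident(part):
    """Backtick-quote one identifier part, doubling any embedded backtick."""
    if not part or any(ord(c) < 0x20 for c in part):
        raise ValueError(f"invalid identifier part: {part!r}")
    return "`" + part.replace("`", "``") + "`"

def owner_from_describe(rows):
    """Return the Owner value from DESCRIBE ... EXTENDED rows, or None."""
    keys = [str(r[0]).strip() for r in rows]
    # Assumed layout: table output lists columns first, then a "# Detailed" marker.
    # Skip the columns so a column that is itself named "Owner" is not misread.
    start = next((i + 1 for i, k in enumerate(keys) if k.startswith("# Detailed")), 0)
    for row in rows[start:]:
        if str(row[0]).strip() == "Owner":
            return str(row[1]).strip()
    return None

def transfer_statement(securable_type, name_parts, principal):
    """Return the ALTER statement with the type checked and all names quoted."""
    stype = securable_type.strip().upper()
    if stype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported securable type: {securable_type!r}")
    name = ".".join(quote_ident(p) for p in name_parts)
    return f"ALTER {stype} {name} OWNER TO {quote_ident(principal)}"

def plan_transfer(securable_type, name_parts, describe_rows, new_owner):
    """Return the statement to run, or None if new_owner already owns the object."""
    if owner_from_describe(describe_rows) == new_owner:
        return None
    return transfer_statement(securable_type, name_parts, new_owner)

# Constructed sample of DESCRIBE TABLE EXTENDED rows (not real data).
SAMPLE_ROWS = [
    ("order_id", "bigint", None),
    ("Owner", "string", None),  # a column that happens to be named Owner
    ("# Detailed Table Information", "", ""),
    ("Name", "main.sales.orders", ""),
    ("Owner", "alice@example.com", ""),
]

if __name__ == "__main__":
    # On Databricks the returned string would be passed to spark.sql(...).
    print(plan_transfer("table", ["main", "sales", "orders"], SAMPLE_ROWS, "accounting"))
```
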