Manage tag policy permissions
This feature is in Beta.
This page explains how to create and manage tag policy permissions. For an overview of tag policies, see Tag policies.
Tag policy permissions overview
Tag policy permissions determine who can create, edit, assign, and delete tag policies, as well as who can assign governed tags to resources. Tag policy permissions can apply at one of two scopes:
- Account: If you have a permission at the account level, you have that permission on all tag policies in the account. For example, if you have MANAGE at the account level, you can manage any tag policy in the account.
- Individual tag policy: If you have a permission on a specific tag policy, you can only manage or assign that particular tag policy.
The following table summarizes the permissions available for managing tag policies.
Permission | Definition | Scope |
---|---|---|
CREATE | Create new tag policies | Account |
MANAGE | Edit, delete, and assign permissions for tag policies | Account or individual tag policy |
ASSIGN | Assign governed tags to Unity Catalog objects | Account or individual tag policy |
- Account admins have CREATE and MANAGE permissions on the account by default.
- Workspace admins have CREATE on the account by default.
- Users with the CREATE permission can add new tag policies and are automatically granted the MANAGE permission on each policy they create.
- System tags cannot be updated or deleted, even by users with the MANAGE permission.
The ASSIGN permission controls who can use governed tags defined by tag policies. This is distinct from privileges that determine whether a user can add or edit tags on specific objects. For example, the APPLY TAG privilege on an object is also required to assign governed tags to Unity Catalog objects.
Users can also continue to create and assign tags that are not governed by tag policies. Tag policies only apply to tags that are explicitly governed.
To assign tag policy permissions, an account admin must enable the tag policy beta. See Enable tag policies.
Updating tag policy permissions can take up to 30 seconds or longer to fully propagate. The UI reflects the updated permissions immediately, but permission checks may not succeed until propagation is complete.
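The scope and permission rules above, written as a small model for reasoning about effective access during a permission review. This is an added example, not Databricks code or a Databricks API: the class, its method names, the principals, the object name, and the tag keys are all constructed, and it assumes that ungoverned tags need only APPLY TAG on the object.

```python
from dataclasses import dataclass, field

ACCOUNT = "*"  # constructed marker for an account-scope grant

@dataclass
class TagPolicyModel:
    """Toy model of the rules on this page; not a Databricks API."""
    grants: set = field(default_factory=set)      # (principal, permission, scope)
    policies: dict = field(default_factory=dict)  # tag key -> True if system tag
    apply_tag: set = field(default_factory=set)   # (principal, object) with APPLY TAG

    def has(self, principal, permission, policy=None):
        # An account-scope grant covers every tag policy in the account.
        if (principal, permission, ACCOUNT) in self.grants:
            return True
        return policy is not None and (principal, permission, policy) in self.grants

    def create_policy(self, principal, tag_key):
        # CREATE exists only at account scope.
        if not self.has(principal, "CREATE"):
            raise PermissionError("CREATE on the account is required")
        self.policies[tag_key] = False
        # Creators are automatically granted MANAGE on the policy they create.
        self.grants.add((principal, "MANAGE", tag_key))

    def can_edit_policy(self, principal, tag_key):
        # Unknown policy -> None, system tag -> True: both are refused,
        # so MANAGE never allows updating or deleting a system tag.
        return self.policies.get(tag_key) is False and self.has(principal, "MANAGE", tag_key)

    def can_tag(self, principal, obj, tag_key):
        # Assumption: APPLY TAG on the object is needed for any tag.
        if (principal, obj) not in self.apply_tag:
            return False
        # Tags without a policy are ungoverned: tag policies do not apply.
        if tag_key not in self.policies:
            return True
        # Governed tags additionally need ASSIGN (account or that policy).
        return self.has(principal, "ASSIGN", tag_key)

def build_sample():
    m = TagPolicyModel()
    m.policies["system.example"] = True  # constructed system tag
    m.grants |= {("admin", "CREATE", ACCOUNT), ("admin", "MANAGE", ACCOUNT),
                 ("ws_admin", "CREATE", ACCOUNT)}  # defaults described above
    m.create_policy("ws_admin", "cost_center")
    m.grants.add(("analyst", "ASSIGN", "cost_center"))
    m.apply_tag |= {("analyst", "main.sales"), ("intern", "main.sales")}
    return m
```

In the sample, `intern` holds APPLY TAG on the object but no ASSIGN, so the governed `cost_center` tag is refused while an ungoverned tag is still allowed.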
Assign tag policy permissions on the account
To assign tag policy permissions at the account level, you must have the MANAGE permission at the account level. Account admins have MANAGE on the account by default.
- In your Databricks workspace, click Catalog.
- On the Quick access page, click the Tag Policies > button.
- Click the Account Permissions tab.
- Click Grant permission set.
- In Principals, select the user, service principal, or group you want to assign permissions to.
- In Permission sets, select the desired permissions (CREATE, MANAGE, or ASSIGN).
- Click Save.
Assign permissions on an individual tag policy
To assign tag policy permissions on an individual tag policy, you must have the MANAGE permission on that tag policy.
- In your Databricks workspace, click Catalog.
- On the Quick access page, click the Tag Policies > button.
- Select the tag policy.
- Click the Permissions tab.
- Click Grant permission set.
- In Principals, select the user, service principal, or group you want to assign permissions to.
- In Permission sets, select the desired permissions (CREATE, MANAGE, or ASSIGN).
- Click Save.