Admin privileges in Unity Catalog
This article describes privileges that Databricks account admins, workspace admins, and metastore admins have for managing Unity Catalog.
If your workspace was enabled for Unity Catalog automatically, workspace admins have default privileges on the attached metastore and the workspace catalog, if a workspace catalog was provisioned. See Workspace admin privileges when workspaces are enabled for Unity Catalog automatically.
Account admins
Account admin is a highly privileged role that you should distribute carefully. Account admins have privileges over the entire Databricks account, which includes the following key capabilities:
Capability | Description |
|---|---|
Create metastores | Create metastores and become the initial metastore admin by default |
Link metastores to workspaces | Associate metastores with specific workspaces |
Assign the metastore admin role | Assign the metastore admin role to users, service principals, or groups. See Metastore admins for a list of metastore admin capabilities. |
Grant privileges on metastores | Manage permissions at the metastore level |
Enable Delta Sharing for a metastore | Enable Delta Sharing functionality for a metastore. |
Configure storage credentials | Set up storage credentials for accessing cloud storage |
Enable system tables | Enable system tables and control who can access them |
For more information, see What are account admins?.
Workspace admins
Workspace admin is a highly privileged role that you should distribute carefully. Workspace admins have admin privileges within a single workspace, which includes the following key capabilities:
Capability | Description |
|---|---|
Manage workspace membership | Add users, service principals, and groups to a workspace |
Assign the workspace admin role | Assign the workspace admin role to users, service principals, or groups |
Manage job ownership | Control job ownership. See Control access to a job. |
Manage the job Run as setting | Configure job execution identity. See Configure the Run as user for job runs. |
View and manage workspace objects | Access and control notebooks, dashboards, queries, and other workspace objects. See Access control lists. |
For more information, see What are workspace admins?.
Account admins can restrict workspace admin privileges using the RestrictWorkspaceAdmins setting. See Restrict workspace admins.
Workspace admin privileges when workspaces are enabled for Unity Catalog automatically
If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default. For more information see Automatic enablement of Unity Catalog.
If your workspace was enabled for Unity Catalog automatically, workspace admins have the following privileges on the attached metastore by default:
CREATE CATALOG
CREATE EXTERNAL LOCATIONCREATE SERVICE CREDENTIALCREATE STORAGE CREDENTIALCREATE CONNECTIONCREATE SHARECREATE RECIPIENTCREATE PROVIDERCREATE MATERIALIZED VIEW
Workspace admins are the default owners of the workspace catalog, if a workspace catalog was provisioned for your workspace. Ownership of this catalog grants the following privileges:
-
Manage the privileges for or transfer ownership of any object within the workspace catalog.
This includes the ability to grant themselves read and write access to all data in the catalog (no direct access by default; granting permissions is audit-logged).
-
Transfer ownership of the workspace catalog itself.
All workspace users receive the USE CATALOG privilege on the workspace catalog. Workspace users also receive the USE SCHEMA, CREATE TABLE, CREATE VOLUME, CREATE MODEL, CREATE FUNCTION, and CREATE MATERIALIZED VIEW privileges on the default schema in the catalog.
The default privileges granted on the attached metastore and workspace catalog are not maintained across workspaces (if, for example, the workspace catalog is also bound to another workspace).
Metastore admins
The metastore admin is an optional but highly privileged user or group in Unity Catalog. Metastore admins have privileges from two sources: default privileges granted by the role, and ownership privileges because they are the owners of the metastore.
Default metastore admin privileges
Metastore admins have the following privileges on the metastore by default:
Privilege | Description |
|---|---|
| Create catalogs in the metastore |
| Create a clean room for securely collaborating on projects with other organizations without sharing underlying data |
| Create a connection to an external database in a Lakehouse Federation scenario |
| Create external locations |
| Create service credentials |
| Create storage credentials |
| Create foreign catalogs using a connection to an external database in a Lakehouse Federation scenario |
| Create a share in Delta Sharing as a data provider |
| Create a recipient in Delta Sharing as a data provider |
| Create a provider in Delta Sharing as a data recipient |
| Create materialized views |
| Update allowlists that manage cluster access to init scripts and libraries |
Ownership privileges
As owners of the metastore, metastore admins have the following privileges:
Privilege | Description |
|---|---|
Manage privileges and transfer ownership | Manage privileges or transfer ownership of any object within the metastore, including storage credentials, external locations, connections, shares, recipients, and providers |
Grant access to data | Grant anyone read and write access to any data in the metastore. This ability is indirect because metastore admins can transfer ownership of any object to themselves. There is no direct access by default. Permission grants are audit-logged. |
Manage object metadata | Read and update the metadata of all objects in the metastore |
Manage tags | Set tags on all objects in the metastore |
Configure access request destinations | Enable default access request destinations in the metastore |
Delete metastore | Delete the metastore |
What only metastore admins can do
The following capabilities are exclusive to metastore admins. No other role, including account admins or workspace admins, can perform these actions:
Capability | Description |
|---|---|
Grant privileges on the metastore | Metastore admins are the only users who can grant privileges on the metastore itself |
Transfer ownership of any object | Transfer ownership of storage credentials, external locations, connections, shares, recipients, providers, catalogs, and other metastore objects |
Manage allowlists | Update the init script and jar allowlists that control cluster access to libraries and scripts |
Delete the metastore | Remove the metastore entirely |
Enable default access request destinations | Configure default access request destinations for objects without explicit destinations |
Because metastore admins are the only users who have these privileges, you must assign a metastore admin if you want to use any of the following functionality:
- Change ownership of catalogs after someone leaves the company.
- Manage and delegate permissions on the init script and jar allowlist.
- Delegate the ability to create catalogs and other top-level permissions to non-workspace admins.
- Receive shared data through Delta Sharing.
- Remove default workspace admin permissions.
- Add managed storage to the metastore, if it has none. See Add managed storage to an existing metastore.
- Enable default access request destinations for objects that don't have destinations explicitly set. See Enable default email destinations.
Who has initial metastore admin privileges?
If an account admin creates the metastore manually, that account admin is the metastore's initial owner and metastore admin. All metastores created before March 6, 2024 were created manually by an account admin.
If the metastore was provisioned as part of automatic Unity Catalog enablement, the metastore was created without a metastore admin. Workspace admins in that case are automatically granted privileges that make the metastore admin optional. If needed, account admins can assign the metastore admin role to a user, service principal, or group. Groups are strongly recommended. See Automatic enablement of Unity Catalog.
Assign a metastore admin
Metastore admin is a highly privileged role that you should distribute carefully. It is optional.
Account admins can assign the metastore admin role. Databricks recommends nominating a group as the metastore admin. By doing this, any member of the group is automatically a metastore admin.
To assign the metastore admin role to a group:
- As an account admin, log in to the account console.
- Click
Catalog. - Click the name of a metastore to open its properties.
- Under Metastore Admin, click Edit.
- Select a group from the drop-down. You can enter text in the field to search for options.
- Click Save.
It can take up to 30 seconds for a metastore admin assignment change to be reflected in your account, and it may take longer to take effect in some workspaces than others. This delay is due to caching protocols.