
Unity Catalog volume privileges

Privileges for Unity Catalog volumes focus on working with files stored in cloud object storage.

Volumes introduce the following privileges:

See Unity Catalog privileges and securable objects.

Privileges required for volume operations

The following table lists the permissions required to work with volumes. Volumes rely on Unity Catalog, so you must be in a Unity Catalog-enabled workspace and use Unity Catalog-compatible compute to interact with volumes.

| Operation | Ownership required? | Catalog permissions | Schema permissions | Volume permissions | External location permissions |
| --- | --- | --- | --- | --- | --- |
| Read or list files | No | USE CATALOG | USE SCHEMA | READ VOLUME | None |
| Create, delete, or update files | No | USE CATALOG | USE SCHEMA | READ VOLUME, WRITE VOLUME | None |
| Create managed volume | No | USE CATALOG | USE SCHEMA, CREATE VOLUME | None | None |
| Create external volume | No | USE CATALOG | USE SCHEMA, CREATE VOLUME | None | CREATE EXTERNAL VOLUME |
| Drop a volume | Yes | USE CATALOG | USE SCHEMA | None | None |
| Manage volume privileges | Yes | USE CATALOG | USE SCHEMA | None | None |

Note: Owners automatically get all privileges for a volume, and you can set privileges such as READ VOLUME and WRITE VOLUME at the catalog or schema level to cascade privileges to all contained volumes.

Volume ownership and MANAGE privileges

You must be the owner or have the MANAGE privilege on the volume to complete the following operations:

  • Manage volume privileges
  • Drop the volume
  • Rename the volume
  • Change volume ownership

Each object in Unity Catalog can have only one principal as its owner. Ownership doesn't cascade. That is, owning a catalog doesn't make you the owner of all objects within it, but the privileges that come with ownership apply to all objects contained in the owned object.

For Unity Catalog volumes, the following principals can manage volume privileges:

  • The owner of the parent catalog
  • The owner of the parent schema
  • The owner of the volume
  • Any user with the MANAGE privilege on the volume, its parent schema, or its parent catalog

Databricks recommends assigning ownership to a group rather than an individual so that you can manage access collectively. By default, the user who creates an object becomes its owner. However, you can grant the MANAGE privilege to multiple principals. See Manage Unity Catalog object ownership.
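For an access review, the rules above (the permissions table, cascading grants, and ownership or MANAGE) can be combined into a small evaluator. The following is an added example, not Databricks code: it is a simplified model of a single catalog, schema, and volume path, and every principal name and grant in it is constructed sample data.

```python
LEVELS = ("catalog", "schema", "volume")  # parent -> child for one volume path

# Constructed sample data: every principal name below is hypothetical.
OWNERS = {"catalog": "platform-admins", "schema": "platform-admins",
          "volume": "ingest-owners"}
GRANTS = {  # (principal, level the grant was made on, privilege)
    ("analysts", "catalog", "USE CATALOG"), ("analysts", "schema", "USE SCHEMA"),
    ("analysts", "volume", "READ VOLUME"),            # scoped to this one volume
    ("etl", "catalog", "USE CATALOG"), ("etl", "schema", "USE SCHEMA"),
    ("etl", "catalog", "READ VOLUME"), ("etl", "catalog", "WRITE VOLUME"),
    ("ingest-owners", "catalog", "USE CATALOG"),
    ("ingest-owners", "schema", "USE SCHEMA"),
    ("stewards", "schema", "MANAGE"),                 # no USE CATALOG / USE SCHEMA
}

def sources(principal, privilege, level):
    """Levels at or above `level` where the privilege is granted, or implied
    because the principal owns that object (owners hold all its privileges)."""
    chain = LEVELS[: LEVELS.index(level) + 1]
    return [lvl for lvl in chain
            if OWNERS[lvl] == principal or (principal, lvl, privilege) in GRANTS]

def holds(principal, privilege, level):
    return bool(sources(principal, privilege, level))

def can(principal, operation):
    """Evaluate one row of the permissions table for the sample volume."""
    usage = (holds(principal, "USE CATALOG", "catalog")
             and holds(principal, "USE SCHEMA", "schema"))
    if operation == "read":
        return usage and holds(principal, "READ VOLUME", "volume")
    if operation == "write":
        return (usage and holds(principal, "READ VOLUME", "volume")
                and holds(principal, "WRITE VOLUME", "volume"))
    if operation == "manage":  # owner or MANAGE on volume, schema or catalog
        return usage and holds(principal, "MANAGE", "volume")
    raise ValueError(operation)

def cascaded(principal):
    """Volume privileges held only through a parent-level grant or ownership,
    which therefore also apply to every other volume under that parent."""
    return sorted(p for p in ("READ VOLUME", "WRITE VOLUME", "MANAGE")
                  if holds(principal, p, "volume")
                  and "volume" not in sources(principal, p, "volume"))

if __name__ == "__main__":
    for who in ("analysts", "etl", "stewards", "ingest-owners", "platform-admins"):
        print(who, {op: can(who, op) for op in ("read", "write", "manage")},
              cascaded(who))
```

In the sample data, `etl` can write only because of catalog-level grants, and `stewards` holds MANAGE on the schema but cannot manage the volume's privileges until it also has USE CATALOG and USE SCHEMA.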