Deny

DENY
  privilege_type [, privilege_type ] ...
  ON (CATALOG | DATABASE <database-name> | [TABLE] <table-name> | [VIEW] <view-name> | [FUNCTION] <function-name> | ANONYMOUS FUNCTION | ANY FILE)
  TO principal

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

principal
  : `<user>@<domain-name>` | <group-name>

Deny a privilege on an object to a user or principal. Denying a privilege on a database (for example a SELECT privilege) has the effect of implicitly denying that privilege on all objects in that database. Denying a specific privilege on the catalog has the effect of implicitly denying that privilege on all databases in the catalog.

To deny a privilege to all users, specify the keyword users after TO.

DENY can be used to ensure that a user or principal cannot access the specified object, despite any implicit or explicit GRANTs. When an object is accessed, Databricks first checks if there are any explicit or implicit DENYs on the object before checking if there are any explicit or implicit GRANTs.

For example, suppose there is a database db with tables t1 and t2. A user is initially granted SELECT privileges on db. The user can access t1 and t2 due to the GRANT on the database db.

If the administrator issues a DENY on table t1, the user will no longer be able to access t1. If the administrator issues a DENY on database db, the user will not be able to access any tables in db even if there is an explicit GRANT on these tables. That is, the DENY always supersedes the GRANT.

Examples

DENY SELECT ON <table-name> TO `<user>@<domain-name>`;