Principal

A principal is a user, service principal, or group known to the metastore. Principals can be granted privileges and may own securable objects.

Syntax

 { `<user>@<domain-name>` |
   `<sp-application-id>` |
   group_name |
   USERS |
   ACCOUNT USERS }

Parameters

  • <user>@<domain-name>

    An individual user. You must quote the identifier with back-ticks (`) due to the @ character.

  • <sp-application-id>

    A service principal, specified by its applicationId value. You must quote the identifier with back-ticks (`) due to the dash characters in the ID.

  • group_name

    An identifier specifying a group. A group's members may be users, service principals, or other groups, and a privilege granted to the group is inherited by all of them.

  • USERS

    The root group to which all workspace level users belong.

  • ACCOUNT USERS

    The root group to which all account level users belong.

Workspace and Account level principals

Databricks Runtime supports two distinct sets of principals: workspace level and account level.

A GRANT on a securable object fails with a “user not found” error if the principal is not of the level that applies to that object (a workspace level principal on an object outside the hive_metastore catalog, or an account level principal on an object inside it). The error does not mean the principal is missing; it means the wrong kind of principal was named for that object.

Workspace level principal

Workspace level principals are managed in each workspace. They apply to all objects defined in the hive_metastore catalog. You can also create and manage workspace level groups using the following statements:

Account level principal

Account level principals are global within the account. They are managed outside of SQL (at the account level, not in a workspace) and apply to all objects outside the hive_metastore catalog.

Examples

-- Granting a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;

-- Granting a privilege to the service principal fab9e00e-ca35-11ec-9d64-0242ac120002
> GRANT SELECT ON TABLE t TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;

-- Revoking a privilege from the users group (the root group of all workspace level users).
> REVOKE SELECT ON TABLE t FROM users;

-- Transferring ownership of an object to `some_group`
> ALTER SCHEMA some_schema OWNER TO some_group;
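The following is an added, end-to-end example that is not part of the original page. It ties together the quoting rule from Parameters and the workspace/account level distinction above in a least-privilege sequence: pull a broad grant off the `users` root group, re-grant to a narrower group, name principals that need back-ticks, show the level mismatch that produces “user not found”, verify with SHOW GRANTS, and move ownership to a group. All object and principal names (the workspace level group `analysts`, the account level group `data-eng`, the tables hive_metastore.default.events and main.sales.orders) are assumptions for illustration.

```sql
-- Added example; names below are hypothetical.
-- Assumed: `analysts` is a workspace level group, `data-eng` is an account level group,
-- hive_metastore.default.events is a hive_metastore table, main.sales.orders is a table
-- in a catalog outside hive_metastore.

-- 1. Every workspace level user inherits what the `users` root group holds.
--    Remove the broad grant and give the privilege to a narrower group instead.
REVOKE SELECT ON TABLE hive_metastore.default.events FROM users;
GRANT SELECT ON TABLE hive_metastore.default.events TO analysts;

-- 2. Identifiers containing @ or dashes must be back-ticked, otherwise the
--    statement is rejected. Users and service principal application IDs both need it.
GRANT SELECT ON TABLE hive_metastore.default.events TO `alf@melmak.et`;
GRANT SELECT ON TABLE hive_metastore.default.events TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;

-- 3. Match the principal level to the object. An account level group applies to
--    objects outside hive_metastore, so this succeeds:
GRANT SELECT ON TABLE main.sales.orders TO `data-eng`;
--    The same group on a hive_metastore object does not apply and fails with
--    "user not found" (shown commented out so the script runs end to end):
-- GRANT SELECT ON TABLE hive_metastore.default.events TO `data-eng`;
--    Likewise a workspace level group on main.sales.orders would fail the same way:
-- GRANT SELECT ON TABLE main.sales.orders TO analysts;

-- 4. Verify the resulting grants: all principals on the object, then one principal.
SHOW GRANTS ON TABLE hive_metastore.default.events;
SHOW GRANTS `alf@melmak.et` ON TABLE hive_metastore.default.events;

-- 5. Ownership grants all privileges on the object, so hold it in a group rather
--    than an individual account that may be removed later.
ALTER TABLE hive_metastore.default.events OWNER TO analysts;
```

Run the SHOW GRANTS statements again after step 5: the owner of an object holds every privilege on it, so an ownership transfer changes the effective access list even though no GRANT was issued.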