Principal

Applies to: Databricks SQL, Databricks Runtime

A principal is a user, service principal, or group known to the metastore. Principals can be granted privileges and may own securable objects.

Syntax

{ `<user>@<domain-name>` |
  `<sp-application-id>` |
  group_name |
  USERS |
  `ACCOUNT USERS` }

Parameters

  • <user>@<domain-name>

    An individual user. You must quote the identifier with back-ticks (`) due to the @ character.

  • <sp-application-id>

    A service principal, specified by its applicationId value. You must quote the identifier with back-ticks (`) because of the dash characters in the ID.

  • group_name

    An identifier specifying a group of users or groups.

  • USERS

    The root group to which all users in the workspace belong.

  • ACCOUNT USERS

    The root group to which all users in the account belong. You must quote the identifier with back-ticks (`) because of the blank character.

Workspace-local and account groups

Databricks has the concept of account groups and workspace-local groups, with special behaviors:

  • Account groups can be created only by account admins. Account groups are available for assignment to identity-federated workspaces, and can be assigned to such workspaces by both account admins and workspace admins.

  • Workspace-local groups can be created only by workspace admins. These groups are identified as workspace-local in the workspace admin console and on the workspace Permissions tab in the account console.

In Unity Catalog, privileges on securable objects can be granted only to account groups. Workspace-local groups cannot be used as grantees for Unity Catalog securables, so membership that should control data access belongs in an account group.

Examples

-- Granting a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;

-- Granting a privilege to the service principal fab9e00e-ca35-11ec-9d64-0242ac120002
> GRANT SELECT ON TABLE t TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;

-- Revoking a privilege from the users group (every user in the workspace)
> REVOKE SELECT ON TABLE t FROM users;

-- Transferring ownership of an object to `some_group`
> ALTER SCHEMA some_schema OWNER TO some_group;
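The following is an added example, not part of the Databricks reference page, that puts the principal forms and the account-group rule above into one least-privilege workflow: grant to an account group rather than to individuals, grant the parent USE privileges a table read also needs, take back any earlier blanket grant to `users`, and then verify the resulting grants and group membership. The catalog `prod`, schema `prod.finance`, table `prod.finance.ledger` and account group `finance_analysts` are hypothetical; the user and service principal IDs are the ones used in the page's own examples.

```sql
-- Added example (not Databricks' own code). Object and group names are
-- hypothetical: catalog `prod`, schema `prod.finance`, table
-- `prod.finance.ledger`, account group `finance_analysts`.

-- 1. Grant to an account group, never to individual users, so access
--    follows membership managed at the account level. A SELECT on a
--    table is only usable together with USE CATALOG and USE SCHEMA on
--    its parents, so grant those explicitly instead of something broader.
GRANT USE CATALOG ON CATALOG prod          TO finance_analysts;
GRANT USE SCHEMA  ON SCHEMA  prod.finance  TO finance_analysts;
GRANT SELECT      ON TABLE   prod.finance.ledger TO finance_analysts;

-- 2. A service principal is named by its application ID, which must be
--    back-tick quoted because of the dashes. Grant it only the table it
--    actually reads rather than the whole schema.
GRANT USE CATALOG ON CATALOG prod         TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;
GRANT USE SCHEMA  ON SCHEMA  prod.finance TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;
GRANT SELECT      ON TABLE   prod.finance.ledger
  TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;

-- 3. Close the common hole: an earlier grant to `users` made the table
--    readable by every user in the workspace, regardless of group.
REVOKE SELECT ON TABLE prod.finance.ledger FROM users;

-- 4. Verify. SHOW GRANTS ON lists the explicit privileges on the object;
--    naming a principal narrows the listing to that principal.
SHOW GRANTS ON TABLE prod.finance.ledger;
SHOW GRANTS `alf@melmak.et` ON TABLE prod.finance.ledger;
SHOW GRANTS finance_analysts ON TABLE prod.finance.ledger;

-- 5. From a session, confirm which kind of group the caller is in:
--    is_account_group_member() checks account groups (the ones Unity
--    Catalog grants apply to), is_member() checks workspace groups.
--    A TRUE from is_member() alone explains why a grant is not taking
--    effect: the group is workspace-local.
SELECT current_user()                              AS who,
       is_account_group_member('finance_analysts') AS in_account_group,
       is_member('finance_analysts')               AS in_workspace_group;
```

The REVOKE in step 3 only removes the explicit grant on the table; if SELECT was also granted on the schema or catalog to `users`, that inherited privilege still applies and shows up when you run SHOW GRANTS on the parent object, so check each level before treating the table as locked down.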