Principal

Applies to: Databricks SQL, Databricks Runtime

A principal is a user, service principal, or group known to the metastore. Principals can be granted privileges and may own securable objects.

Syntax

{ `<user>@<domain-name>` |
  `<sp-application-id>` |
  group_name |
  users |
  `account users` }

Parameters

  • <user>@<domain-name>

    An individual user. You must quote the identifier with back-ticks (`) due to the @ character.

  • <sp-application-id>

    A service principal, specified by its applicationId value. You must quote the identifier with back-ticks (`) because of the dash characters in the ID.

  • group_name

    An identifier specifying a group of users or groups.

  • users

    The root group to which all users in the workspace belong. You cannot grant `users` privileges on securable objects in Unity Catalog because it is a workspace-local group.

  • account users

    The root group to which all users in the account belong. You must quote the identifier with back-ticks (`) because of the blank character.

Workspace-local and account groups

Databricks has the concept of account groups and workspace-local groups, with special behaviors:

  • Account groups can be created by account admins and by workspace admins of identity-federated workspaces. They can be granted access to identity-federated workspaces and privileges on securable objects in Unity Catalog.

  • Workspace-local groups can be created only by workspace admins. These groups are identified as workspace-local in the workspace admin settings page and on the workspace Permissions tab in the account console. Workspace-local groups cannot be assigned to additional workspaces or granted privileges on securable objects in Unity Catalog. The system groups `users` and `admins` are workspace-local groups.
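The following is an added example, not part of the original page, showing a least-privilege grant flow that respects the group distinction above. The table `sales.orders`, the account group `finance_analysts`, the user `alf@melmak.et` and the service principal ID are assumed names; `SHOW GRANTS` is used to verify the resulting state, which is the check a reviewer would want before signing off on an access change.

```sql
-- Start from a table that was (too) broadly shared with every user in the account.
-- Remove the broad grant first so nothing is left open while narrower grants are added.
REVOKE SELECT ON TABLE sales.orders FROM `account users`;

-- Grant to an account group. Account groups can hold Unity Catalog privileges,
-- and membership changes in the account console propagate without touching the grants.
GRANT SELECT ON TABLE sales.orders TO finance_analysts;

-- A service principal for an ETL job needs to write as well as read.
-- Back-ticks are required because of the dashes in the application ID (assumed value).
GRANT SELECT, MODIFY ON TABLE sales.orders TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;

-- Individual user grants are allowed but harder to audit; prefer groups where possible.
-- Back-ticks are required because of the @ character.
GRANT SELECT ON TABLE sales.orders TO `alf@melmak.et`;

-- Ownership (and with it the ability to grant further) should sit with an account group,
-- not with the individual who happened to create the table.
ALTER TABLE sales.orders OWNER TO finance_analysts;

-- Verify: list all grants on the table, then the grants for one principal.
SHOW GRANTS ON TABLE sales.orders;
SHOW GRANTS finance_analysts ON TABLE sales.orders;

-- This statement is shown for contrast only: `users` is a workspace-local group,
-- so Unity Catalog does not accept it as a grantee and the statement fails.
-- GRANT SELECT ON TABLE sales.orders TO users;
```

Running the `SHOW GRANTS` statements after each change makes the effective principal set explicit, so a reviewer can confirm that `account users` no longer appears and that only the intended account group, service principal and user remain.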

Examples

-- Granting a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;

-- Granting a privilege to the service principal fab9e00e-ca35-11ec-9d64-0242ac120002
> GRANT SELECT ON TABLE t TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;

-- Revoking a privilege from the `account users` group (all users in the account).
> REVOKE SELECT ON TABLE t FROM `account users`;

-- Transferring ownership of an object to `some_group`
> ALTER SCHEMA some_schema OWNER TO some_group;