Applies to: Databricks SQL, Databricks Runtime
A principal is a user, service principal, or group known to the metastore. Principals can be granted privileges and may own securable objects.
A principal takes one of the following forms:
- A user name: an individual user. You must quote the identifier with back-ticks (`) due to the @ character.
- A service principal, specified by its `applicationId` value. You must quote the identifier with back-ticks (`) because of the dash characters in the ID.
- A group name: an identifier specifying a group of users or groups.
- `users`: the root group to which all users in the workspace belong.
- `account users`: the root group to which all users in the account belong. You must quote the identifier with back-ticks (`) because of the blank character.
Workspace-local and account groups
Databricks has the concept of account groups and workspace-local groups, with special behaviors:
- Account groups can be created only by account admins. Account groups are available for assignment to identity-federated workspaces, and can be assigned to such workspaces by both account admins and workspace admins.
- Workspace-local groups can be created only by workspace admins. These groups are identified as workspace-local in the workspace admin console and on the workspace Permissions tab in the account console.
In Unity Catalog, privileges on securable objects can be granted only to account groups, not to workspace-local groups.
-- Granting a privilege to the user firstname.lastname@example.org
> GRANT SELECT ON TABLE t TO `firstname.lastname@example.org`;

-- Granting a privilege to the service principal fab9e00e-ca35-11ec-9d64-0242ac120002
> GRANT SELECT ON TABLE t TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;

-- Revoking a privilege from the general public group.
> REVOKE SELECT ON TABLE t FROM users;

-- Transferring ownership of an object to `some_group`
> ALTER SCHEMA some_schema OWNER TO some_group;
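The following is an added example, not part of the Databricks documentation above, showing how the principal forms fit into a least-privilege workflow: narrowing a broad grant on the `users` root group down to a named account group and then verifying the result with SHOW GRANTS. The table `sales.orders`, the account group `analytics_readers`, and the service principal ID are constructed placeholders; the statements assume a Unity Catalog workspace where `analytics_readers` is an account group (a workspace-local group of the same name could not be granted privileges, per the rule stated above).

```sql
-- Step 1: inspect who currently holds privileges on the table.
-- Constructed example; table and principal names are placeholders.
SHOW GRANTS ON TABLE sales.orders;

-- Step 2: remove the broad grant to the workspace-wide root group `users`.
-- `users` is an unquoted keyword-style group name, so no back-ticks are needed.
REVOKE SELECT ON TABLE sales.orders FROM users;

-- Step 3: grant read access only to the account group that actually needs it.
-- Plain group names without special characters need no quoting.
GRANT SELECT ON TABLE sales.orders TO analytics_readers;

-- Step 4: grant a pipeline service principal by its applicationId.
-- The dashes in the ID require back-tick quoting, as do the @ in a user name
-- and the blank in `account users`.
GRANT SELECT ON TABLE sales.orders TO `00000000-0000-0000-0000-000000000000`;

-- Step 5: verify the effective grants for the table and for one principal.
SHOW GRANTS ON TABLE sales.orders;
SHOW GRANTS `00000000-0000-0000-0000-000000000000` ON TABLE sales.orders;

-- Step 6: hand ownership of the enclosing schema to the owning account group,
-- then confirm the Owner field with DESCRIBE SCHEMA EXTENDED.
ALTER SCHEMA sales OWNER TO analytics_readers;
DESCRIBE SCHEMA EXTENDED sales;
```

Run the SHOW GRANTS statements before and after the change and diff the output; the `users` row should disappear and rows for `analytics_readers` and the service principal should appear. The same pattern applies to schemas and catalogs by swapping the securable in the ON clause.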