Data access control

Preview

This feature is in Public Preview. Contact your Databricks representative to request access.

This article describes how data object owners manage access to data using Databricks data access control SQL commands.

Important

  • Data access control is always enabled in Databricks SQL Analytics even if table access control is not enabled in Databricks Workspace. Before a user can access any databases, tables, and views the user must first be granted access using data access commands.
  • If table access control is enabled in Databricks Workspace and you have already specified ACLS (granted and denied privileges) in Workspace, those ACLs are respected in SQL Analytics.

Commands

Data object owners apply the SQL GRANT, DENY, REVOKE, and SHOW GRANT commands to manage access to data objects from users and groups. For a command reference, see Security statements.

To run SHOW GRANTS [<user>] <object> you must be either:

  • A SQL Analytics administrator or the owner of <object>.
  • The user specified in [<user>].

For requirements for using these commands and a detailed explanation of the data governance model, see Data object privileges.

Example

To enable the user user@example.com to access all tables in the default database, invoke the following commands:

REVOKE ALL PRIVILEGES ON DATABASE default FROM `user@example.com`;

GRANT USAGE ON DATABASE default TO `user@example.com`;

GRANT SELECT ON DATABASE default TO `user@example.com`;

GRANT READ_METADATA on DATABASE default TO `user@example.com`;

SHOW GRANT `user@example.com` ON DATABASE default;

+------------------+---------------+------------+-----------+
| principal        | ActionType    | ObjectType | ObjectKey |
+------------------+---------------+------------+-----------+
| user@example.com | READ_METADATA | DATABASE   | default   |
+------------------+---------------+------------+-----------+
| user@example.com | SELECT        | DATABASE   | default   |
+------------------+---------------+------------+-----------+
| user@example.com | USAGE         | DATABASE   | default   |
+------------------+---------------+------------+-----------+

When you run these commands in the Databricks SQL Analytics query editor, you should see:

Show grant