Data access control

Preview

This feature is in Public Preview.

This article describes how data object owners manage access to data.

For a general overview of how to enable access to data, see Databricks SQL security model and data access overview.

Important

  • Data access control is always enabled in Databricks SQL even if table access control is not enabled in the Databricks Data Science & Engineering workspace. Before a user can access any databases, tables, and views, the user must first be granted access using data access commands.
  • If table access control is enabled in Databricks Data Science & Engineering and you have already specified ACLS (granted and denied privileges) in the workspace, those ACLs are respected in Databricks SQL.

You can manage ownership and permissions using the data explorer or by running security commands in the query editor.

Manage ownership and permissions in the data explorer

Manage data object ownership

You must be a Databricks admin to view and manage data object ownership.

If you do not have permission to see the owner, the Owner field displays Obscured database owner.

If the data object has no owner, the Owner field displays No object owner.

Edit database ownership

  1. Display databases.
  2. Select a database.
  3. In the Owner field, click the Edit Owner Icon.
  4. In the Set owner for <database-name> dialog, click Down Arrow Icon, and select an owner.

Edit table ownership

  1. Display databases.
  2. Select a table.
  3. In the Owner field, click the Edit Owner Icon.
  4. In the Set owner for <database-name.table-name> dialog, click Down Arrow Icon, and select an owner.

Manage data object permissions

You must be a Databricks admin or the data object owner to view and manage data object permissions.

Manage database permissions

  1. Display databases.
  2. Select a database.
  3. Click the Permissions tab.
  4. Grant or revoke privileges.
    • Grant
      1. Click Grant.
      2. Optionally type a string to filter the principals and select a principal.
      3. Select the checkboxes next to the privileges to grant.
      4. Click OK.
    • Revoke
      1. Select the checkbox next to a principal.
      2. Click Revoke.

Manage table permissions

  1. Display databases.
  2. Select a table.
  3. Click the Permissions tab.
  4. Grant or revoke privileges.
    • Grant
      1. Click Grant.
      2. Optionally type a string to filter the principals and select a principal.
      3. Select the checkboxes next to the privileges to grant.
      4. Click OK.
    • Revoke
      1. Select the checkbox next to a principal.
      2. Click Revoke.

Security commands

Data object owners apply the SQL GRANT, DENY, REVOKE, and SHOW GRANT commands to manage access to data objects from users and groups. For a command reference, see Security statements.

To run SHOW GRANTS [<user>] <object> you must be either:

  • A Databricks SQL administrator or the owner of <object>.
  • The user specified in [<user>].

For requirements for using these commands and a detailed explanation of the data governance model, see Data object privileges.

Example

To enable the user user@example.com to access all tables in the default database, invoke the following commands:

REVOKE ALL PRIVILEGES ON DATABASE default FROM `user@example.com`;

GRANT USAGE, SELECT, READ_METADATA ON DATABASE default TO `user@example.com`;

SHOW GRANT `user@example.com` ON DATABASE default;

+------------------+---------------+------------+-----------+
| principal        | ActionType    | ObjectType | ObjectKey |
+------------------+---------------+------------+-----------+
| user@example.com | READ_METADATA | DATABASE   | default   |
+------------------+---------------+------------+-----------+
| user@example.com | SELECT        | DATABASE   | default   |
+------------------+---------------+------------+-----------+
| user@example.com | USAGE         | DATABASE   | default   |
+------------------+---------------+------------+-----------+

When you run these commands in the Databricks SQL query editor, you should see:

Show grant