Manage Unity Catalog object ownership

Each securable object in Unity Catalog has an owner. The owner can be any user, service principal, or account group, known as a principal. The principal that creates an object becomes its initial owner. An object’s owner has all privileges on the object, such as SELECT and MODIFY on a table, in addition to the permission to grant privileges to other principals. An object’s owner has the ability to drop the object.

Owner’s privileges

Owners of an object are automatically granted all privileges on that object. In addition, object owners can grant privileges on the object itself and on all of its child objects. This means that owners of a schema do not automatically have all privileges on the tables in the schema, but they can grant themselves privileges on the tables in the schema.

Metastore and catalog ownership

Metastore admins are the owners of the metastore. Metastore admins can reassign ownership of the metastore by transferring the metastore admin role. See Assign a metastore admin.

If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default and a workspace catalog is created for your workspace in the metastore. Workspace admins are the default owners and can reassign ownership of the workspace catalog. There is no metastore admin assigned by default, but account admins may still grant metastore admin permissions if needed. See Metastore admins.

For more information on admin privileges in Unity Catalog, see Admin privileges in Unity Catalog.

View an object’s owner

To see the owner of a securable object, use the following syntax. Replace the placeholder values:

  • <SECURABLE-TYPE>: The type of securable, such as CATALOG or TABLE.

  • <catalog>: The parent catalog for a table or view.

  • <schema>: The parent schema for a table or view.

  • <securable-name>: The name of the securable, such as a table or view.

SQL:

  DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>;

Python:

  display(spark.sql("DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>"))

R:

  library(SparkR)

  display(sql("DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>"))

Scala:

  display(spark.sql("DESCRIBE <SECURABLE-TYPE> EXTENDED <catalog>.<schema>.<securable-name>"))

Transfer ownership

Object ownership can be transferred to other principals by the current owner, a metastore admin, or the owner of the container (the catalog for a schema, the schema for a table). Delta Sharing share objects are an exception: principals with the USE SHARE and SET SHARE PERMISSION privileges can also transfer share ownership.

To transfer ownership of an object, use a SQL command with the following syntax. Replace the placeholder values:

  • <SECURABLE-TYPE>: The type of securable object, such as CATALOG or TABLE. METASTORE is not supported as a securable object in this command.

  • <SECURABLE-NAME>: The name of the securable.

  • <PRINCIPAL>: The email address of an account-level user or the name of an account-level group.

SQL:

  ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>;

Python:

  spark.sql("ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>")

R:

  library(SparkR)

  sql("ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>")

Scala:

  spark.sql("ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>")

For example, to transfer ownership of a table to the accounting group:

SQL:

  ALTER TABLE orders OWNER TO `accounting`;

Python:

  spark.sql("ALTER TABLE orders OWNER TO `accounting`")

R:

  library(SparkR)

  sql("ALTER TABLE orders OWNER TO `accounting`")

Scala:

  spark.sql("ALTER TABLE orders OWNER TO `accounting`")
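
Because an owner holds all privileges on an object and can drop it, ownership left with individual user accounts is worth reviewing. The Python below is an added example, not part of the original documentation: it builds the ALTER ... OWNER TO statements shown above for every object in an inventory that is still owned by an individual user. The helper names and the inventory rows are hypothetical, and it assumes users appear as email addresses and groups as plain names.

```python
# Added example: plan ownership transfers from individual users to a group.
# The inventory rows below are constructed sample data, not real output.
UNSUPPORTED_TYPES = {"METASTORE"}  # per the page: not valid in ALTER ... OWNER TO


def quote_ident(part: str) -> str:
    """Backtick-quote one identifier part, doubling embedded backticks."""
    if not part:
        raise ValueError("empty identifier part")
    return "`" + part.replace("`", "``") + "`"


def owner_transfer_sql(securable_type: str, name_parts: list[str], principal: str) -> str:
    """Build ALTER <SECURABLE-TYPE> <SECURABLE-NAME> OWNER TO <PRINCIPAL>."""
    stype = securable_type.strip().upper()
    if stype in UNSUPPORTED_TYPES or not stype.replace(" ", "").isalpha():
        raise ValueError(f"unsupported securable type: {securable_type!r}")
    name = ".".join(quote_ident(p) for p in name_parts)
    return f"ALTER {stype} {name} OWNER TO {quote_ident(principal)}"


def is_individual_user(owner: str) -> bool:
    """Assumption: users are identified by email address, groups by plain name."""
    return "@" in owner


def plan_transfers(inventory, target_group: str) -> list[str]:
    """Return one ALTER statement per object still owned by an individual user."""
    return [
        owner_transfer_sql(stype, parts, target_group)
        for stype, parts, owner in inventory
        if is_individual_user(owner)
    ]


# Constructed inventory: (securable type, name parts, current owner)
SAMPLE_INVENTORY = [
    ("TABLE", ["main", "sales", "orders"], "alice@example.com"),
    ("TABLE", ["main", "sales", "refunds"], "accounting"),
    ("SCHEMA", ["main", "sales"], "bob@example.com"),
]

if __name__ == "__main__":
    for stmt in plan_transfers(SAMPLE_INVENTORY, "accounting"):
        print(stmt)
```

Review the generated statements before running them with spark.sql; quoting every identifier part keeps a crafted object or principal name from altering the statement.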