Manage Unity Catalog object ownership

Each securable object in Unity Catalog has an owner. The owner can be any principal: a user, service principal, or account group. The principal that creates an object becomes its initial owner. An object’s owner has all privileges on the object, such as SELECT and MODIFY on a table, in addition to the permission to grant privileges to other principals. An object’s owner has the ability to drop the object.

Owner privileges

Owners of an object are automatically granted all privileges on that object. In addition, object owners can grant privileges on the object itself and on all of its child objects. This means that owners of a schema do not automatically have all privileges on the tables in the schema, but they can grant themselves privileges on the tables in the schema.

Note

There is one exception to the rule that owners have all privileges on an object: to avoid accidental data exfiltration, schema owners do not have the EXTERNAL USE SCHEMA privilege by default. See Control external access to data in Unity Catalog.

Metastore and catalog ownership

Metastore admins are the owners of the metastore. The metastore admin role is optional. Metastore admins can reassign ownership of the metastore by transferring the metastore admin role, see Assign a metastore admin.

If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default and a workspace catalog is created for your workspace in the metastore. Workspace admins are the default owners and can reassign ownership of the workspace catalog. In these workspaces, there is no metastore admin assigned by default, but account admins can grant the metastore admin role if needed. See Metastore admins.

For more information about admin privileges in Unity Catalog, see Admin privileges in Unity Catalog.

Ownership versus the MANAGE privilege

MANAGE (Public Preview) is a privilege that is similar to object ownership. It grants a user the ability to edit, drop, and manage privileges on the object. However, users with the MANAGE privilege on an object are not automatically granted all privileges on that object. As they do with other privileges, users require USE CATALOG on the object’s parent catalog and USE SCHEMA on the object’s parent schema. For example, to grant permissions on a table, users must have the MANAGE privilege on that table and USE CATALOG privileges on its parent catalog, along with USE SCHEMA privileges on its parent schema.

An object’s only can only be a single principal, including a group, whereas MANAGE can be granted to multiple principals.

To avoid accidental privilege escalation, ALL PRIVILEGES does not include the MANAGE privilege

View an object’s owner

You can use Catalog Explorer or SQL statements to view an object’s owner.

Permissions required: Any user with the BROWSE privilege on the object or a parent of the object can view the object owner.

  1. In your Databricks workspace, click Catalog icon Catalog.

  2. Select the object, such as a catalog, schema, table, view, volume, external location, or storage credential.

    How to navigate to the object depends on the object. Catalogs, schemas, and the contents of schemas (such as tables and volumes) are selectable in the left Catalog pane. You can find other objects, such as external locations or Delta Sharing shares, by clicking the Gear icon gear icon above the Catalog pane and selecting the object category from the menu.

    For most objects, the owner is displayed on the Overview tab on the object details page. For some objects, such as external locations, it is displayed at the top of the object details page.

Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:

  • <securable-type>: The type of securable, such as CATALOG or TABLE.

  • <catalog>: The parent catalog if you are viewing a schema or the contents of a schema.

  • <schema>: The parent schema if you are viewing the contents of a schema, such as a table or view.

  • <securable-name>: The name of the securable object.

DESCRIBE <securable-type> EXTENDED <catalog>.<schema>.<securable-name>;

Transfer ownership

You can use Catalog Explorer or SQL statements to view an object’s owner.

Permissions required: You can transfer object ownership if you are the current owner, a metastore admin, the owner of the container (the catalog for a schema, the schema for a table), or a user with the MANAGE privilege on the object. Delta Sharing share objects are an exception: principals with the USE SHARE and SET SHARE PERMISSION privileges can also transfer share ownership.

Note

To prevent privilege escalations, only a metastore admin can transfer ownership of a view, function, or model to any user, service principal, or group in the account. Current owners and users with the MANAGE privilege are restricted to transferring ownership to their username or to a group that they are member of.

  1. In your Databricks workspace, click Catalog icon Catalog.

  2. Select the object, such as a catalog, schema, table, view, external location, or storage credential.

    How to navigate to the object depends on the object. Catalogs, schemas, and the contents of schemas (such as tables and volumes) are selectable in the left Catalog pane. You can find other objects, such as external locations or Delta Sharing shares, by clicking the Gear icon gear icon above the Catalog pane and selecting the object category from the menu.

    For most objects, the owner is displayed on the Overview tab on the object details page. For some objects, such as external locations, it is displayed at the top of the object details page.

  3. Click the Edit icon edit icon next to the Owner.

  4. Search for and select a group, user, or service principal.

  5. Click Save.

Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:

  • <securable-type>: The type of securable object, such as CATALOG or TABLE. METASTORE is not supported as a securable object in this command.

  • <securable-name>: The name of the securable. If you are modifying a schema or the contents of a schema, you must use the complete three-level namespace (catalog.schema.object), unless you have already specified the parent catalog and/or schema.

  • <principal> is a user, service principal (represented by its applicationId value), or group. You must enclose users, service principals, and group names that include special characters in backticks ( ` ` ). See Principal.

ALTER <securable-type> <securable-name> OWNER TO <principal>;

For example, to transfer ownership of the orders table to the accounting group:

ALTER TABLE mycatalog.myschema.orders OWNER TO `accounting`;