Applies to: Databricks SQL, Databricks Runtime
An individual user. You must quote the identifier with back-ticks (`) due to the @ character.
A service principal, specified by its `applicationId` value. You must quote the identifier with back-ticks (`) because of the dash characters in the ID.
An identifier specifying a group of users or groups.
The root group to which all users in the workspace belong. You cannot grant `users` privileges to securable objects in the Unity Catalog because it is a workspace-local group.
The root group to which all users in the account belong. You must quote the identifier with back-ticks (`) because of the blank character.
Databricks has the concept of account groups and workspace-local groups, with special behaviors:
Account groups can be created by account admins and workspace admins of identity-federated workspaces. They can be granted access to identity-federated workspaces and privileges to securable objects in the Unity Catalog.
Workspace-local groups can be created only by workspace admins. These groups are identified as workspace-local in the workspace admin settings page and on the workspace Permissions tab in the account console. Workspace-local groups cannot be assigned to additional workspaces or granted privileges to securable objects in the Unity Catalog. The system group `admins` is a workspace-local group.
-- Granting a privilege to the user email@example.com
> GRANT SELECT ON TABLE t TO `email@example.com`;
-- Granting a privilege to the service principal fab9e00e-ca35-11ec-9d64-0242ac120002
> GRANT SELECT ON TABLE t TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;
-- Revoking a privilege from the general public group.
> REVOKE SELECT ON TABLE t FROM `account users`;
-- Transferring ownership of an object to `some_group`
> ALTER SCHEMA some_schema OWNER TO some_group;
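When GRANT statements are generated by provisioning scripts, the quoting rules above become an input-validation problem. The following is an added example, not Databricks code: the helper names (`classify_principal`, `quote_principal`, `build_grant`) are hypothetical, and rejecting back-ticks outright rather than escaping them is a conservative assumption.

```python
import re

# System groups this page identifies as workspace-local: they cannot be
# granted privileges on Unity Catalog securables.
WORKSPACE_LOCAL_GROUPS = {"users", "admins"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
PLAIN_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def classify_principal(name: str) -> str:
    """Return 'user', 'service_principal' or 'group' from the name's shape."""
    if "@" in name:
        return "user"
    if UUID_RE.match(name):
        return "service_principal"
    return "group"


def quote_principal(name: str) -> str:
    """Back-tick quote a principal, refusing input that could end the quoting."""
    if not name or "`" in name or any(ord(c) < 0x20 for c in name):
        raise ValueError(f"unsafe principal name: {name!r}")
    return f"`{name}`"


def build_grant(privilege: str, table: str, principal: str,
                unity_catalog: bool = True) -> str:
    """Build a GRANT ... ON TABLE statement for a validated principal."""
    if not re.fullmatch(r"[A-Z]+( [A-Z]+)*", privilege):
        raise ValueError(f"unexpected privilege: {privilege!r}")
    if not all(PLAIN_IDENT_RE.match(p) for p in table.split(".")):
        raise ValueError(f"unexpected table name: {table!r}")
    # Assumption: compare case-insensitively so 'Users' is also refused.
    if unity_catalog and principal.lower() in WORKSPACE_LOCAL_GROUPS:
        raise ValueError(f"{principal!r} is workspace-local; "
                         "it cannot hold Unity Catalog privileges")
    return f"GRANT {privilege} ON TABLE {table} TO {quote_principal(principal)};"
```

Quoting every principal, including plain group names, removes the need to decide per name whether `@`, dashes or blanks are present.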