Privileges and securable objects in Unity Catalog
Applies to: Databricks SQL Databricks Runtime Unity Catalog only
A privilege is a right granted to a principal to operate on a securable object in the metastore. The privilege model and securable objects differ depending on whether you are using a Unity Catalog metastore or the legacy Hive metastore. This article describes the privilege model for Unity Catalog. If you are using the Hive metastore, see Privileges and securable objects in the Hive metastore.
For detailed information about how to manage privileges in Unity Catalog, see Manage privileges in Unity Catalog.
Securable objects
A securable object is an object defined in the Unity Catalog metastore on which privileges can be granted to a principal. For a complete list of Unity Catalog securable objects and the privileges that can be granted on them, see Unity Catalog privileges and securable objects.
To manage privileges on any object, you must be its owner or have the MANAGE privilege on the object, as well as USE CATALOG on the object's parent catalog and USE SCHEMA on its parent schema.
Syntax
securable_object
  { CATALOG [ catalog_name ] |
    CONNECTION connection_name |
    EXTERNAL LOCATION location_name |
    FUNCTION function_name |
    METASTORE |
    SCHEMA schema_name |
    SHARE share_name |
    [ STORAGE | SERVICE ] CREDENTIAL credential_name |
    [ TABLE ] table_name |
    VIEW view_name |
    VOLUME volume_name
  }
You can also specify SERVER instead of CONNECTION, and DATABASE instead of SCHEMA.
Parameters
CATALOG catalog_name
Controls access to the entire data catalog.
CONNECTION connection_name
Controls access to the connection.
EXTERNAL LOCATION location_name
Controls access to an external location.
FUNCTION function_name
Controls access to a user-defined function or an MLflow registered model.
METASTORE
Controls access to the Unity Catalog metastore attached to the workspace. When you manage privileges on a metastore, you do not include the metastore name in a SQL command. Unity Catalog will grant or revoke the privilege on the metastore attached to your workspace.
SCHEMA schema_name
Controls access to a schema.
[ STORAGE | SERVICE ] CREDENTIAL credential_name
Controls access to a credential. The keywords STORAGE and SERVICE (Databricks Runtime 15.4 and later) are optional.
SHARE share_name
TABLE table_name
Controls access to a managed or external table. If the table cannot be found, Databricks raises a TABLE_OR_VIEW_NOT_FOUND error.
VIEW view_name
Controls access to a view. If the view cannot be found, Databricks raises a TABLE_OR_VIEW_NOT_FOUND error.
VOLUME volume_name
Controls access to a volume. If the volume cannot be found, Databricks raises an error.
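The statements below are an added example, not part of the Databricks page, that walk through the securable object forms in the syntax above and the parent-privilege rule from the Securable objects section: grants on a table, view, volume or function only take effect once the principal also holds USE CATALOG and USE SCHEMA on the parents, METASTORE is written without a name, and DATABASE is accepted in place of SCHEMA. The catalog, schema, object and principal names (sales_prod, analysts and so on) are assumed placeholders; the privilege names are standard Unity Catalog privileges.

```sql
-- Added example (not from the Databricks documentation page): least-privilege
-- grants on several securable object types. Catalog, schema, table, volume,
-- function and principal names are assumed placeholders.

-- Parent privileges first: without USE CATALOG and USE SCHEMA a grant on a
-- child object is not usable by the principal.
GRANT USE CATALOG ON CATALOG sales_prod TO `analysts`;
GRANT USE SCHEMA  ON SCHEMA  sales_prod.reporting TO `analysts`;

-- Object-level grants. The TABLE keyword is optional in the syntax;
-- VIEW, VOLUME and FUNCTION must be spelled out.
GRANT SELECT ON TABLE sales_prod.reporting.orders TO `analysts`;
GRANT SELECT ON VIEW  sales_prod.reporting.orders_redacted TO `analysts`;
GRANT READ VOLUME ON VOLUME sales_prod.reporting.raw_exports TO `analysts`;
GRANT EXECUTE ON FUNCTION sales_prod.reporting.mask_email TO `analysts`;

-- DATABASE is accepted as a synonym for SCHEMA (SERVER for CONNECTION).
GRANT USE SCHEMA ON DATABASE sales_prod.staging TO `etl_service`;

-- METASTORE takes no name: the grant applies to the metastore attached
-- to the current workspace.
GRANT CREATE CATALOG ON METASTORE TO `platform_admins`;

-- Delegate privilege administration on one schema without transferring
-- ownership: MANAGE on the object plus USE CATALOG/USE SCHEMA on the parents.
GRANT MANAGE ON SCHEMA sales_prod.reporting TO `reporting_owners`;

-- Periodic review: list the effective grants on an object, then revoke
-- anything a principal no longer needs.
SHOW GRANTS ON TABLE sales_prod.reporting.orders;
REVOKE SELECT ON TABLE sales_prod.reporting.orders FROM `analysts`;
```

Run the grants from a principal that owns the objects or holds MANAGE on them together with USE CATALOG and USE SCHEMA on the parents, as described above; SHOW GRANTS is the quickest way to confirm that a revoke actually removed the entitlement rather than leaving it in place through an inherited grant on the schema or catalog.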
Privilege types
For a list of privilege types, see Unity Catalog privileges and securable objects.