Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to:  Databricks SQL
 Databricks SQL  Databricks Runtime
 Databricks Runtime  Unity Catalog only
 Unity Catalog only
A privilege is a right granted to a principal to operate on a securable object in the metastore. The privilege model and securable objects differ depending on whether you are using a Unity Catalog metastore or the legacy Hive metastore. This article describes the privilege model for Unity Catalog. If you are using the Hive metastore, see Privileges and securable objects in the Hive metastore.
For detailed information about how to manage privileges in Unity Catalog, see Manage privileges in Unity Catalog.
Note
This article refers to the Unity Catalog privileges and inheritance model in Privilege Model version 1.0. If you created your Unity Catalog metastore during the public preview (before August 25, 2022), you might be on an earlier privilege model that doesn't support the current inheritance model. You can upgrade to Privilege Model version 1.0 to get privilege inheritance. See Upgrade to privilege inheritance.
Securable objects
A securable object is an object defined in the Unity Catalog metastore on which privileges can be granted to a principal. For a complete list of Unity Catalog securable objects and the privileges that can be granted on them, see Unity Catalog privileges and securable objects.
To manage privileges on any object, you must be its owner or have the MANAGE privilege on the object, as well as USE CATALOG on the object's parent catalog and USE SCHEMA on its parent schema.
Syntax
securable_object
  { CATALOG [ catalog_name ] |
    CONNECTION connection_name |
    CLEAN ROOM clean_room_name |
    EXTERNAL LOCATION location_name |
    EXTERNAL METADATA metadata_name |
    FUNCTION function_name |
    METASTORE |
    PROCEDURE procedure_name |
    SCHEMA schema_name |
    SHARE share_name |
    [ STORAGE | SERVICE ] CREDENTIAL credential_name |
    [ TABLE ] table_name |
    MATERIALIZED VIEW view_name |
    VIEW view_name |
    VOLUME volume_name
  }
You can also specify SERVER instead of CONNECTION and DATABASE instead of SCHEMA.
Parameters
- CATALOGcatalog_name- Controls access to the entire data catalog. 
- CLEAN ROOMclean_room_name- Controls access to a clean room. 
- CONNECTIONconnection_name- Controls access to the connection. 
- EXTERNAL LOCATIONlocation_name- Controls access to an external location. 
- EXTERNAL METADATAmetadata_name- Controls access to an external metadata object for use in a custom data lineage configuration. 
- FUNCTIONfunction_name- Controls access to a user-defined function or an MLflow registered model. 
- MATERIALIZED VIEWview_name- Controls access to a materialized view. 
- METASTORE- Controls access to the Unity Catalog metastore attached to the workspace. When you manage privileges on a metastore, you do not include the metastore name in a SQL command. Unity Catalog will grant or revoke the privilege on the metastore attached to your workspace. 
- PROCEDUREprocedure_name- Controls access to a user-defined procedure. - If the procedure cannot be found, Azure Databricks raises an error. 
- SCHEMAschema_name- Controls access to a schema. 
- [ STORAGE | SERVICE ] CREDENTIALcredential_name- Controls access to a credential. - The keywords - STORAGEand- SERVICE( Databricks Runtime 15.4 and above) are optional. Databricks Runtime 15.4 and above) are optional.
- SHAREshare_name
- TABLEtable_name- Controls access to a managed or external table. If the table cannot be found Azure Databricks raises a TABLE_OR_VIEW_NOT_FOUND error. 
- VIEWview_name- Controls access to a view. If the view cannot be found Azure Databricks raises a TABLE_OR_VIEW_NOT_FOUND error. 
- VOLUMEvolume_name- Controls access to a volume. If the volume cannot be found Azure Databricks raises an error. 
Privilege types
For a list of privilege types, see Unity Catalog privileges and securable objects.
Examples
-- Grant a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;
-- Revoke a privilege from the general public group.
> REVOKE USE SCHEMA ON SCHEMA some_schema FROM `alf@melmak.et`;