Permission control is the heart of Unity Catalog's data governance. Securable objects — catalogs, schemas, tables, views, functions, volumes, and more — are managed declaratively with GRANT/REVOKE statements that answer the question "who can do what". Unlike the legacy Hive Metastore (table ACLs), Unity Catalog supports hierarchical inheritance and unified management across workspaces.
This article walks through the overall permission model, GRANT/REVOKE syntax, a comparison table of privilege types, how inheritance works, the full list of securable objects, and field-tested best practices.
The Unity Catalog permission model has three building blocks: securable objects (what is protected), principals (who receives the permission), and privileges (what action is allowed).
Permissions are managed with the ANSI SQL standard GRANT/REVOKE syntax. Databricks adds extensions such as USE CATALOG, USE SCHEMA, and CREATE VOLUME.
-- Grant SELECT on a table
GRANT SELECT ON TABLE prod.silver.orders TO `data-analysts`;
-- Grant SELECT on every table under a schema (applied via inheritance)
GRANT SELECT ON SCHEMA prod.silver TO `data-analysts`;
-- Grant USE on a catalog (required to browse the namespace)
GRANT USE CATALOG ON CATALOG prod TO `data-analysts`;
GRANT USE SCHEMA ON SCHEMA prod.silver TO `data-analysts`;
-- Revoke a permission
REVOKE SELECT ON TABLE prod.silver.orders FROM `data-analysts`;
-- Inspect existing grants
SHOW GRANTS ON TABLE prod.silver.orders;
SHOW GRANTS TO `data-analysts`;Wrap principal names in backticks. Backticks are also required when a group name contains a hyphen.
| Privilege | Target object | Allowed action |
|---|---|---|
| USE CATALOG | Catalog | Browse the schemas inside the catalog |
| USE SCHEMA | Schema | Browse the tables and views inside the schema |
| SELECT | Table / View | Read data (run SELECT queries) |
| MODIFY | Table | Add, update, or delete data (INSERT/UPDATE/DELETE/MERGE) |
| CREATE TABLE | Schema | Create a table inside the schema |
| CREATE SCHEMA | Catalog | Create a schema inside the catalog |
| CREATE VOLUME | Schema | Create a volume inside the schema |
| CREATE FUNCTION | Schema | Create a function inside the schema |
| READ VOLUME | Volume | Read files in the volume |
| WRITE VOLUME | Volume | Write files to the volume |
| EXECUTE | Function | Execute the function |
| ALL PRIVILEGES | All | All privileges on the target object |
In Unity Catalog, privileges flow automatically from higher-level objects down to lower-level ones. The hierarchy and inheritance flow look like this:
Metastore
└── Catalog ← GRANT SELECT ON CATALOG → applies to every Schema/Table/View beneath it
└── Schema ← GRANT SELECT ON SCHEMA → applies to every Table/View beneath it
├── Table ← GRANT SELECT ON TABLE → this table only
├── View
├── Volume
└── FunctionGranting SELECT at the catalog level also applies to schemas and tables created later. If your goal is to keep permissions valid for future tables, granting at the schema or catalog level is the most efficient approach.
Unity Catalog has no DENY mechanism. To exclude a specific table, avoid granting at the catalog or schema level and design your grants per table instead.
| Securable | Description | Key privileges |
|---|---|---|
| Metastore | Top-level container; unique within a region | CREATE CATALOG, USE PROVIDER |
| Catalog | Container for schemas; the unit of environment isolation | USE CATALOG, CREATE SCHEMA |
| Schema | Container for tables, views, and functions | USE SCHEMA, CREATE TABLE/VIEW/FUNCTION/VOLUME |
| Table | Managed or External tables | SELECT, MODIFY |
| View | SQL views (also used for dynamic data masking) | SELECT |
| Volume | Management unit for non-tabular files | READ VOLUME, WRITE VOLUME |
| Function | UDFs and stored procedures | EXECUTE |
| External Location | Mapping to a cloud storage path | CREATE EXTERNAL TABLE, READ FILES, WRITE FILES |
| Storage Credential | Credentials for the cloud storage account | CREATE EXTERNAL LOCATION |
-- Row Level Security via a dynamic view
CREATE OR REPLACE VIEW prod.silver.orders_restricted AS
SELECT *
FROM prod.silver.orders
WHERE region = CASE
WHEN is_member('apac-team') THEN 'APAC'
WHEN is_member('emea-team') THEN 'EMEA'
ELSE region -- admins can read every region
END;
GRANT SELECT ON VIEW prod.silver.orders_restricted TO `all-users`;Every securable object has an owner. The owner holds every privilege on that object and can grant privileges to other principals. The user who creates a table becomes the default owner.
-- Change the owner
ALTER TABLE prod.silver.orders SET OWNER TO `data-engineering-team`;
-- Inspect the owner
DESCRIBE TABLE EXTENDED prod.silver.orders;
-- The Owner column shows the current ownerData Engineer Associate / Professional
問題 1
A data analyst runs a SELECT query against prod.silver.orders and gets a TABLE_OR_VIEW_NOT_FOUND error. SHOW GRANTS TO `analyst-user` confirms that SELECT on the table has been granted. What is the most likely cause?
正解: A
To access a table in Unity Catalog you need SELECT on the table plus USE CATALOG on its catalog and USE SCHEMA on its schema. Without these, name resolution fails and you see TABLE_OR_VIEW_NOT_FOUND. Table format and compute type are not the cause of permission errors, and CHECK constraints do not affect SELECT.
What do USE CATALOG and USE SCHEMA privileges allow?
USE CATALOG lets a principal browse the schemas inside a catalog, and USE SCHEMA lets them browse the tables and views inside a schema. Neither grants data access — they only allow listing the namespace contents. Reading table data requires a separate SELECT privilege, so a query only succeeds when USE CATALOG + USE SCHEMA + SELECT are all granted together.
How does privilege inheritance work?
In Unity Catalog, privileges flow from higher-level objects down to lower-level ones. Granting SELECT at the catalog level applies SELECT to every schema and table beneath it. There is no DENY, so you cannot partially block inheritance. To exclude a specific table, avoid granting at the catalog level and instead grant per-schema or per-table.
Why does a query fail when only GRANT SELECT has been issued?
The most likely cause is missing USE CATALOG and USE SCHEMA privileges. Unity Catalog uses hierarchical access control, so even with SELECT on the table, name resolution fails without USE on the parent catalog and schema. Add GRANT USE CATALOG ON CATALOG <catalog> TO <principal> and GRANT USE SCHEMA ON SCHEMA <schema> TO <principal>.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...