Databricks

Databricks Unity Catalog Permissions Guide: GRANT/REVOKE, Inheritance & Securables

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

Permission control is the heart of Unity Catalog's data governance. Securable objects — catalogs, schemas, tables, views, functions, volumes, and more — are managed declaratively with GRANT/REVOKE statements that answer the question "who can do what". Unlike the legacy Hive Metastore (table ACLs), Unity Catalog supports hierarchical inheritance and unified management across workspaces.

This article walks through the overall permission model, GRANT/REVOKE syntax, a comparison table of privilege types, how inheritance works, the full list of securable objects, and field-tested best practices.

Permission Model Overview

The Unity Catalog permission model has three building blocks: securable objects (what is protected), principals (who receives the permission), and privileges (what action is allowed).

  • Securable objects: Metastore / Catalog / Schema / Table / View / Function / Volume / External Location / Storage Credential
  • Principals: users / groups / service principals
  • Privileges: SELECT / MODIFY / CREATE TABLE / USE CATALOG / USE SCHEMA, and more

Permissions are managed with the ANSI SQL standard GRANT/REVOKE syntax. Databricks adds extensions such as USE CATALOG, USE SCHEMA, and CREATE VOLUME.

GRANT / REVOKE Syntax

-- Grant SELECT on a table
GRANT SELECT ON TABLE prod.silver.orders TO `data-analysts`;

-- Grant SELECT on every table under a schema (applied via inheritance)
GRANT SELECT ON SCHEMA prod.silver TO `data-analysts`;

-- Grant USE on a catalog (required to browse the namespace)
GRANT USE CATALOG ON CATALOG prod TO `data-analysts`;
GRANT USE SCHEMA ON SCHEMA prod.silver TO `data-analysts`;

-- Revoke a permission
REVOKE SELECT ON TABLE prod.silver.orders FROM `data-analysts`;

-- Inspect existing grants
SHOW GRANTS ON TABLE prod.silver.orders;
SHOW GRANTS TO `data-analysts`;

Wrap principal names in backticks. Backticks are also required when a group name contains a hyphen.

Privilege Types Comparison

PrivilegeTarget objectAllowed action
USE CATALOGCatalogBrowse the schemas inside the catalog
USE SCHEMASchemaBrowse the tables and views inside the schema
SELECTTable / ViewRead data (run SELECT queries)
MODIFYTableAdd, update, or delete data (INSERT/UPDATE/DELETE/MERGE)
CREATE TABLESchemaCreate a table inside the schema
CREATE SCHEMACatalogCreate a schema inside the catalog
CREATE VOLUMESchemaCreate a volume inside the schema
CREATE FUNCTIONSchemaCreate a function inside the schema
READ VOLUMEVolumeRead files in the volume
WRITE VOLUMEVolumeWrite files to the volume
EXECUTEFunctionExecute the function
ALL PRIVILEGESAllAll privileges on the target object

Privilege Inheritance

In Unity Catalog, privileges flow automatically from higher-level objects down to lower-level ones. The hierarchy and inheritance flow look like this:

Metastore
 └── Catalog  ← GRANT SELECT ON CATALOG → applies to every Schema/Table/View beneath it
      └── Schema  ← GRANT SELECT ON SCHEMA → applies to every Table/View beneath it
           ├── Table  ← GRANT SELECT ON TABLE → this table only
           ├── View
           ├── Volume
           └── Function

Granting SELECT at the catalog level also applies to schemas and tables created later. If your goal is to keep permissions valid for future tables, granting at the schema or catalog level is the most efficient approach.

Unity Catalog has no DENY mechanism. To exclude a specific table, avoid granting at the catalog or schema level and design your grants per table instead.

Securable Objects Reference

SecurableDescriptionKey privileges
MetastoreTop-level container; unique within a regionCREATE CATALOG, USE PROVIDER
CatalogContainer for schemas; the unit of environment isolationUSE CATALOG, CREATE SCHEMA
SchemaContainer for tables, views, and functionsUSE SCHEMA, CREATE TABLE/VIEW/FUNCTION/VOLUME
TableManaged or External tablesSELECT, MODIFY
ViewSQL views (also used for dynamic data masking)SELECT
VolumeManagement unit for non-tabular filesREAD VOLUME, WRITE VOLUME
FunctionUDFs and stored proceduresEXECUTE
External LocationMapping to a cloud storage pathCREATE EXTERNAL TABLE, READ FILES, WRITE FILES
Storage CredentialCredentials for the cloud storage accountCREATE EXTERNAL LOCATION

Permission Design Best Practices

  • Avoid granting directly to users; grant through groups instead (it integrates cleanly with SCIM provisioning)
  • Do not forget to grant USE CATALOG and USE SCHEMA (SELECT alone cannot resolve names)
  • Restrict MODIFY on production catalogs to ETL service principals only
  • Give developers ALL PRIVILEGES on dev/staging catalogs and only SELECT on the prod catalog
  • Periodically audit grants with SHOW GRANTS and revoke anything that is no longer needed
  • Implement row- and column-level controls with dynamic views (using current_user() and is_member())
-- Row Level Security via a dynamic view
CREATE OR REPLACE VIEW prod.silver.orders_restricted AS
SELECT *
FROM prod.silver.orders
WHERE region = CASE
  WHEN is_member('apac-team') THEN 'APAC'
  WHEN is_member('emea-team') THEN 'EMEA'
  ELSE region  -- admins can read every region
END;

GRANT SELECT ON VIEW prod.silver.orders_restricted TO `all-users`;

The OWNERSHIP Concept

Every securable object has an owner. The owner holds every privilege on that object and can grant privileges to other principals. The user who creates a table becomes the default owner.

-- Change the owner
ALTER TABLE prod.silver.orders SET OWNER TO `data-engineering-team`;

-- Inspect the owner
DESCRIBE TABLE EXTENDED prod.silver.orders;
-- The Owner column shows the current owner

Key Points for the Exam

  • USE CATALOG + USE SCHEMA + SELECT are all required to execute a query
  • Privileges inherit downward (catalog → schema → table)
  • DENY does not exist
  • An owner effectively holds ALL PRIVILEGES on the object
  • How to implement row- and column-level security with dynamic views
  • How to inspect grants with the SHOW GRANTS syntax

Check Your Understanding

Data Engineer Associate / Professional

問題 1

A data analyst runs a SELECT query against prod.silver.orders and gets a TABLE_OR_VIEW_NOT_FOUND error. SHOW GRANTS TO `analyst-user` confirms that SELECT on the table has been granted. What is the most likely cause?

  1. Missing USE CATALOG on the prod catalog or USE SCHEMA on the silver schema
  2. The table is stored in Parquet format instead of Delta
  3. The analyst's cluster was started on Serverless Compute
  4. A CHECK constraint on the table is blocking SELECT

正解: A

To access a table in Unity Catalog you need SELECT on the table plus USE CATALOG on its catalog and USE SCHEMA on its schema. Without these, name resolution fails and you see TABLE_OR_VIEW_NOT_FOUND. Table format and compute type are not the cause of permission errors, and CHECK constraints do not affect SELECT.

Frequently Asked Questions

What do USE CATALOG and USE SCHEMA privileges allow?

USE CATALOG lets a principal browse the schemas inside a catalog, and USE SCHEMA lets them browse the tables and views inside a schema. Neither grants data access — they only allow listing the namespace contents. Reading table data requires a separate SELECT privilege, so a query only succeeds when USE CATALOG + USE SCHEMA + SELECT are all granted together.

How does privilege inheritance work?

In Unity Catalog, privileges flow from higher-level objects down to lower-level ones. Granting SELECT at the catalog level applies SELECT to every schema and table beneath it. There is no DENY, so you cannot partially block inheritance. To exclude a specific table, avoid granting at the catalog level and instead grant per-schema or per-table.

Why does a query fail when only GRANT SELECT has been issued?

The most likely cause is missing USE CATALOG and USE SCHEMA privileges. Unity Catalog uses hierarchical access control, so even with SELECT on the table, name resolution fails without USE on the parent catalog and schema. Add GRANT USE CATALOG ON CATALOG <catalog> TO <principal> and GRANT USE SCHEMA ON SCHEMA <schema> TO <principal>.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Databricks

Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)

Complete guide to all 7 Databricks certifications — Data Eng...

Databricks

Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)

Every Databricks certification ranked by difficulty, with st...

Databricks

Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)

How to pass Databricks certifications efficiently. Official ...

Databricks

Databricks Data Engineer Associate: Complete Guide (2026)

Domain-by-domain breakdown of the Databricks Certified Data ...

Databricks

Databricks Data Engineer Professional: Complete Guide (2026)

Tactics for the Databricks Certified Data Engineer Professio...

Browse all Databricks articles (110)
© 2026 NicheeLab All rights reserved.