Manage Unity Catalog object ownership
Each securable object in Unity Catalog has an owner. The owner can be any principal: a user, service principal, or account group. The principal that creates an object becomes its initial owner. An object’s owner has all privileges on the object, such as SELECT and MODIFY on a table, in addition to the permission to grant privileges to other principals. An object’s owner has the ability to drop the object.
Owner privileges
Owners of an object are automatically granted all privileges on that object. In addition, object owners can grant privileges on the object itself and on all of its child objects. This means that owners of a schema do not automatically have all privileges on the tables in the schema, but they can grant themselves privileges on the tables in the schema.
Metastore and catalog ownership
Metastore admins are the owners of the metastore. The metastore admin role is optional. Metastore admins can reassign ownership of the metastore by transferring the metastore admin role. See Assign a metastore admin.
If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default and a workspace catalog is created for your workspace in the metastore. Workspace admins are the default owners and can reassign ownership of the workspace catalog. In these workspaces, there is no metastore admin assigned by default, but account admins can grant metastore admin permissions if needed. See Metastore admins.
For more information on admin privileges in Unity Catalog, see Admin privileges in Unity Catalog.
View an object’s owner
Catalog Explorer
- In your Azure Databricks workspace, click Catalog.
- Select the object, such as a catalog, schema, table, view, volume, external location, or storage credential.
- Click Permissions.
SQL
Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:
- <securable-type>: The type of securable, such as CATALOG or TABLE.
- <catalog>: The parent catalog for a table or view.
- <schema>: The parent schema for a table or view.
- <securable-name>: The name of the securable, such as a table or view.
DESCRIBE <securable-type> EXTENDED <catalog>.<schema>.<securable-name>;
Transfer ownership
Object ownership can be transferred to other principals by the current owner, a metastore admin, or the owner of the container (the catalog for a schema, the schema for a table). Delta Sharing share objects are an exception: principals with the USE SHARE and SET SHARE PERMISSION privileges can also transfer share ownership.
Catalog Explorer
- In your Azure Databricks workspace, click Catalog.
- Select the object, such as a catalog, schema, table, view, external location, or storage credential.
- Click Permissions.
- Click the blue pencil next to the Owner.
- Select a group, user, or service principal from the dropdown list.
- Click Save.
SQL
Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:
- <securable-type>: The type of securable object, such as CATALOG or TABLE. METASTORE is not supported as a securable object in this command.
- <securable-name>: The name of the securable.
- <principal> is a user, service principal (represented by its applicationId value), or group. You must enclose users, service principals, and group names that include special characters in backticks (` `). See Principal.
ALTER <securable-type> <securable-name> OWNER TO <principal>;
For example, to transfer ownership of a table to the accounting group:
ALTER TABLE orders OWNER TO `accounting`;
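As an added example (not from the Databricks documentation), the following Python sketch builds the ALTER ... OWNER TO statement described above from structured input, always backtick-quoting names and rejecting METASTORE. The allowlist, function names and sample rows are assumptions made for the example; doubling an embedded backtick is the escape for backtick-delimited identifiers.

```python
# Added example: build ALTER ... OWNER TO statements with strict validation.
# The allowlist and function names are assumptions made for this sketch.

# Object kinds the page names as having owners. METASTORE is deliberately
# absent because the page states this command does not support it.
ALLOWED_TYPES = {
    "CATALOG", "SCHEMA", "TABLE", "VIEW", "VOLUME",
    "EXTERNAL LOCATION", "STORAGE CREDENTIAL",
}


def quote_identifier(name: str) -> str:
    """Backtick-delimit one identifier, doubling any embedded backtick."""
    if not name or any(ord(ch) < 0x20 for ch in name):
        raise ValueError(f"empty or control character in identifier: {name!r}")
    return "`" + name.replace("`", "``") + "`"


def owner_transfer_sql(securable_type: str, name_parts, principal: str) -> str:
    """Return one ALTER <type> <name> OWNER TO <principal>; statement.

    name_parts is a sequence such as ("main", "sales", "orders"); each part is
    quoted separately so a dot inside a part cannot change the object path.
    """
    kind = " ".join(securable_type.upper().split())
    if kind not in ALLOWED_TYPES:
        raise ValueError(f"unsupported securable type: {securable_type!r}")
    if isinstance(name_parts, str) or not 1 <= len(name_parts) <= 3:
        raise ValueError("name_parts must be a sequence of 1 to 3 identifiers")
    qualified = ".".join(quote_identifier(p) for p in name_parts)
    return f"ALTER {kind} {qualified} OWNER TO {quote_identifier(principal)};"


if __name__ == "__main__":
    # Constructed sample rows: (type, name parts, new owner).
    plan = [
        ("table", ("main", "sales", "orders"), "accounting"),
        ("schema", ("main", "sales"), "data-platform admins"),
        ("catalog", ("main",), "11111111-2222-3333-4444-555555555555"),
    ]
    for row in plan:
        print(owner_transfer_sql(*row))
```

Review the generated statements before running them; only the current owner, a metastore admin, or the owner of the container can execute the transfer.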