Manage Unity Catalog object ownership

Each securable object in Unity Catalog has an owner. The owner can be any principal: a user, service principal, or account group. The principal that creates an object becomes its initial owner. An object’s owner has all privileges on the object, such as SELECT and MODIFY on a table, in addition to the permission to grant privileges to other principals. An object’s owner has the ability to drop the object.

Owner privileges

Owners of an object are automatically granted all privileges on that object. In addition, object owners can grant privileges on the object itself and on all of its child objects. This means that owners of a schema do not automatically have all privileges on the tables in the schema, but they can grant themselves privileges on the tables in the schema.

Metastore and catalog ownership

Metastore admins are the owners of the metastore. The metastore admin role is optional. Metastore admins can reassign ownership of the metastore by transferring the metastore admin role. See Assign a metastore admin.

If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default and a workspace catalog is created for your workspace in the metastore. Workspace admins are the default owners and can reassign ownership of the workspace catalog. In these workspaces, there is no metastore admin assigned by default, but account admins can grant metastore admin permissions if needed. See Metastore admins.

For more information on admin privileges in Unity Catalog, see Admin privileges in Unity Catalog.

View an object’s owner

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Select the object, such as a catalog, schema, table, view, volume, external location, or storage credential.
  3. Click Permissions.

SQL

Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:

  • <securable-type>: The type of securable, such as CATALOG or TABLE.
  • <catalog>: The parent catalog for a table or view.
  • <schema>: The parent schema for a table or view.
  • <securable-name>: The name of the securable, such as a table or view.

    DESCRIBE <securable-type> EXTENDED <catalog>.<schema>.<securable-name>;

Transfer ownership

Object ownership can be transferred to other principals by the current owner, a metastore admin, or the owner of the container (the catalog for a schema, the schema for a table). Delta Sharing share objects are an exception: principals with the USE SHARE and SET SHARE PERMISSION privileges can also transfer share ownership.

Catalog Explorer

  1. In your Azure Databricks workspace, click Catalog.
  2. Select the object, such as a catalog, schema, table, view, external location, or storage credential.
  3. Click Permissions.
  4. Click the blue pencil next to the Owner.
  5. Select a group, user, or service principal from the dropdown list.
  6. Click Save.

SQL

Run the following SQL command in a notebook or SQL query editor. Replace the placeholder values:

  • <securable-type>: The type of securable object, such as CATALOG or TABLE. METASTORE is not supported as a securable object in this command.
  • <securable-name>: The name of the securable.
  • <principal>: A user, service principal (represented by its applicationId value), or group. You must enclose users, service principals, and group names that include special characters in backticks (` `). See Principal.

    ALTER <securable-type> <securable-name> OWNER TO <principal>;

For example, to transfer ownership of a table to the accounting group:

    ALTER TABLE orders OWNER TO `accounting`;
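
The following is an added example, not part of the original documentation. It goes beyond the single-object owner check above: it inventories owners at the catalog, schema, and table level, flags objects owned by an individual user, then transfers one of them to a group and verifies the change. It assumes the Unity Catalog system.information_schema views with their catalog_owner, schema_owner, and table_owner columns; the names main, finance, orders, and data-platform-admins are constructed.

```sql
-- Ownership inventory across three securable levels.
-- The information schema returns only objects the caller is permitted to see,
-- so run this as a principal with broad visibility for a complete picture.
WITH owners AS (
  SELECT 'CATALOG' AS securable_type,
         catalog_name AS securable_name,
         catalog_owner AS owner
  FROM system.information_schema.catalogs
  UNION ALL
  SELECT 'SCHEMA',
         concat(catalog_name, '.', schema_name),
         schema_owner
  FROM system.information_schema.schemata
  UNION ALL
  -- information_schema.tables lists views as well as tables.
  SELECT 'TABLE',
         concat(table_catalog, '.', table_schema, '.', table_name),
         table_owner
  FROM system.information_schema.tables
  WHERE table_schema <> 'information_schema'
)
SELECT securable_type, securable_name, owner
FROM owners
-- Heuristic (assumption): user principals appear as e-mail addresses,
-- while groups and service principals (applicationId values) do not.
WHERE owner LIKE '%@%'
ORDER BY securable_type, securable_name;

-- Transfer one flagged table (constructed name) to a group.
-- The group name contains a hyphen, so it is enclosed in backticks.
-- For a row that is a view, use ALTER VIEW instead of ALTER TABLE.
ALTER TABLE main.finance.orders OWNER TO `data-platform-admins`;

-- Confirm the change: the Owner field in the output should now show the group.
DESCRIBE TABLE EXTENDED main.finance.orders;
```

The ALTER statement succeeds only when run by a principal allowed to transfer ownership, as listed under Transfer ownership.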