Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In Lakebase, use a temporary shared role as an intermediate step to transfer Postgres object ownership between roles. You can't do this directly with a standard ALTER TABLE ... OWNER TO command.
Note
This page covers transferring ownership to a Azure Databricks group role. To grant access to objects without changing ownership, see Manage database permissions.
Prerequisites
- The target Azure Databricks group exists in your workspace. To create a group: In Lakehouse, go to Settings > Identity and access > Groups > Add Group.
- The current object owner is a member of the target group. To add a member: In Lakehouse, go to Settings > Identity and access > Groups > your group > Add member.
- A Postgres role exists for the Azure Databricks group. See Create an OAuth role for Azure Databricks identities to add a Postgres role for the group.
Transfer ownership of a single object
Connect as the
<current_owner>role (the role that currently owns the table), then create a temporary shared ownership role:CREATE ROLE temp_table_owners NOLOGIN;Grant schema permissions to the temporary role:
GRANT USAGE, CREATE ON SCHEMA public TO temp_table_owners;Grant membership in the temporary role to the current owner and the target group:
GRANT temp_table_owners TO "<current_owner>"; GRANT temp_table_owners TO "<databricks_group_name>";Transfer ownership of the table to the temporary role:
ALTER TABLE <target_table> OWNER TO temp_table_owners;In your Lakebase project, click Connect, select the
<databricks_group_name>role in the Roles drop-down, and click Copy OAuth Token.Connect as the
<databricks_group_name>role:export PGPASSWORD='<oauth_token>' psql -h <lakebase_hostname> -p 5432 \ -d <database_name> \ -U "<databricks_group_name>" \ --set=sslmode=requireTransfer the table to the Azure Databricks group role:
ALTER TABLE <target_table> OWNER TO "<databricks_group_name>";Verify the transfer:
\dtThe Owner column for
<target_table>shows<databricks_group_name>.
Transfer ownership of multiple objects
REASSIGN OWNED transfers all objects owned by a role, including tables, views, materialized views, sequences, functions, schemas, and types.
Connect as the
<current_owner>role, then create a temporary shared ownership role:CREATE ROLE temp_table_owners NOLOGIN;Grant schema permissions to the temporary role:
GRANT USAGE, CREATE ON SCHEMA public TO temp_table_owners;Grant membership in the temporary role to the current owner and the target group:
GRANT temp_table_owners TO "<current_owner>"; GRANT temp_table_owners TO "<databricks_group_name>";Reassign all objects owned by the current owner to the temporary role:
REASSIGN OWNED BY "<current_owner>" TO temp_table_owners;In your Lakebase project, click Connect, select the
<databricks_group_name>role in the Roles drop-down, and click Copy OAuth Token.Connect as the
<databricks_group_name>role:export PGPASSWORD='<oauth_token>' psql -h <lakebase_hostname> -p 5432 \ -d <database_name> \ -U "<databricks_group_name>" \ --set=sslmode=requireReassign all objects from the temporary role to the Azure Databricks group:
REASSIGN OWNED BY temp_table_owners TO "<databricks_group_name>";
Note
REASSIGN OWNED has the following behavior:
- Runs in the current database context. Run it in each database where you must transfer ownership.
- Reassigns ownership only. It does not change existing GRANT permissions or default privileges.