Schema access restrict in Unity catalog

Question

Schema access restrict in Unity catalog

Azuretech 90

as an Metastore admin, I want to restrict the users/group from creating the new schema . This is needed so that they can use the default root storage location while creating.

I have not provided catalog create permission . it's working fine. Catalog creation is disabled after that.

but why schema creation is still enabled for the group , how to restrict the schema creation in unity catalog metastore.

Azuretech 90 Reputation points

2023-03-31T13:42:56.73+00:00

@PRADEEPCHEEKATLA Could you please suggest
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2023-04-06T05:49:41.88+00:00

Hello @Azuretech - Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Azuretech 90 Reputation points

2023-03-31T13:42:56.73+00:00

@PRADEEPCHEEKATLA Could you please suggest
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2023-04-06T05:49:41.88+00:00

Hello @Azuretech - Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

PRADEEPCHEEKATLA 90,641 Moderator

Hello @Azuretech - Thanks for the question and using MS Q&A platform.

To restrict users or groups from creating a new schema in the Unity Catalog Metastore in Azure Databricks, you need to remove their "Create Schema" permission from the catalog. You can follow these steps to do so:

Log in to a workspace that is linked to the metastore.
Click "Data" and select the "Catalog"
In the "Permissions" tab, select the user or group that you want to restrict from creating a new schema.
Scroll down to the "Privileges" section and remove the "Create Schema" permission from the user or group.
Click on the "Grant" button to apply the changes.

User's image

Once you remove the "Create Schema" permission from the user or group, they will not be able to create a new schema in the Unity Catalog Metastore. Note that this permission only affects schema creation and does not impact their ability to use the default root storage location while creating tables.

This article explains how to control access to data and other objects in Unity Catalog: Manage privileges in Unity Catalog

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Azuretech 90 Reputation points

2023-04-03T10:54:48.3833333+00:00
@PRADEEPCHEEKATLA Thank you for response.

Regarding the statement-

"Note that this permission only affects schema creation and does not impact their ability to use the default root storage location while creating tables."

What if an Account admin create a catalog and schema for user, using external location and storage credentials where we are giving user owned storage account detail for isolation and after that we are restricting user from creating new catalog and schema. use has just access to use the assigned catalog/schema and create table etc(but not catalog and schema)?. will that solve the purpose of isolated stoarge and not using root storage account for users? please let me know if my understanding is wrong?
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2023-04-04T06:39:56.56+00:00

Hello @Azuretech - Yes, your understanding is correct. If an account admin creates a catalog and schema for a user, using an external location and storage credentials where the user owns the storage account, and then restricts the user from creating new catalogs and schemas, the user will still be able to use the assigned catalog and schema to create tables and write data to the assigned storage account. In this case, the user is isolated from the default root storage location and is using their own storage account for storing data. This provides additional security and isolation for the user's data. Additionally, by restricting the user from creating new catalogs and schemas, you can ensure that they only have access to the data they are supposed to work with and cannot create new catalogs or schemas that may lead to data access or security issues. So, your approach of creating an isolated storage account for the user and restricting their access to only the assigned catalog and schema, while preventing them from creating new catalogs and schemas, is a valid way to ensure that users are isolated and secure in Azure Databricks. Hope this helps. Do let us know if you any further queries.
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2023-04-10T07:52:12.6366667+00:00

Hello @Azuretech - Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Schema access restrict in Unity catalog

1 answer

Your answer