Applies to: Databricks SQL, Databricks Runtime
A principal is a user, service principal, or group known to the metastore. Principals can be granted privileges and can own securable objects.
{ `<user>@<domain-name>` |
`<sp-application-id>` |
group_name |
users |
`account users` }
Any object name that includes special characters, such as hyphens or dashes (-), must be surrounded by backticks (` `). Object names with underscores (_) don’t require backticks. See Names.
<user>@<domain-name>
An individual user. You must escape the identifier with back-ticks (`) because of the @ character in the username.
<sp-application-id>
A service principal, specified by its applicationId value. You must escape the identifier with back-ticks (`) because of the dash (-) characters in the ID.
group_name
An identifier that specifies a group of users or groups. You must escape the identifier with back-ticks (`) if the group name uses special characters, like dashes (-).
users
The root group to which all users in the workspace belong. You cannot grant the users group privileges on securable objects in Unity Catalog because it is a workspace-local group.
account users
The root group to which all users in the account belong. You must escape the identifier with back-ticks (`) because of the blank space character.
Azure Databricks has the concept of account groups and workspace-local groups, with special behaviors:
users and admins are workspace-local groups.

-- Granting a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;
-- Granting a privilege to the service principal fab9e00e-ca35-11ec-9d64-0242ac120002
> GRANT SELECT ON TABLE t TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;
-- Revoking a privilege from the general public group.
> REVOKE SELECT ON TABLE t FROM `account users`;
-- Transferring ownership of an object to `some-group`
> ALTER SCHEMA some_schema OWNER TO `some-group`;
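
When GRANT statements are generated by a pipeline rather than typed by hand, the quoting rules above become an input-handling problem. The following is an added example, not code from the Databricks documentation: the function names are hypothetical, rejecting `admins` as a grantee is an assumption drawn from the page listing it as workspace-local, and the doubling of embedded backticks follows Databricks SQL's rule for delimited identifiers, which this page does not itself state.

```python
import re

# applicationId values are UUID-shaped, like the one in the page's example.
_UUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Plain names (letters, digits, underscores) need no backticks.
_PLAIN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Workspace-local groups named on the page (rejecting admins is an assumption).
_WORKSPACE_LOCAL = {"users", "admins"}


def classify_principal(name: str) -> str:
    """Return 'service_principal', 'user' or 'group' for a principal name."""
    if _UUID.fullmatch(name):
        return "service_principal"
    return "user" if "@" in name else "group"


def quote_principal(name: str) -> str:
    """Backtick-quote a principal so '@', '-' or spaces stay inside the identifier."""
    # Conservative choice for this example: no empty names, no leading or
    # trailing whitespace, no control characters.
    if not name or name != name.strip() or any(ord(c) < 32 for c in name):
        raise ValueError(f"malformed principal name: {name!r}")
    if name.lower() in _WORKSPACE_LOCAL:
        raise ValueError(f"{name!r} is a workspace-local group")
    # A literal backtick inside a delimited identifier is written as two backticks,
    # so the caller's value can never close the quoting early.
    return "`" + name.replace("`", "``") + "`"


def grant_select(table: str, principal: str) -> str:
    """Build a GRANT SELECT statement for a dot-separated plain table name."""
    if not all(_PLAIN.fullmatch(part) for part in table.split(".")):
        raise ValueError(f"table name needs explicit quoting: {table!r}")
    return f"GRANT SELECT ON TABLE {table} TO {quote_principal(principal)};"


if __name__ == "__main__":
    # Constructed sample principals, taken from or modelled on the page's examples.
    for p in ["alf@melmak.et", "fab9e00e-ca35-11ec-9d64-0242ac120002",
              "account users", "some-group"]:
        print(classify_principal(p), "->", grant_select("t", p))
```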