Admin privileges in Unity Catalog
This article describes privileges that Azure Databricks account admins, workspace admins, and metastore admins have for managing Unity Catalog.
Note
If your workspace was enabled for Unity Catalog automatically, workspace admins have default privileges on the attached metastore and the workspace catalog, if a workspace catalog was provisioned. See Workspace admin privileges when workspaces are enabled for Unity Catalog automatically.
Metastore admins
The metastore admin is an optional but highly privileged user or group in Unity Catalog. Metastore admins have the following privileges on the metastore by default:
- CREATE CATALOG: Allows a user to create catalogs in the metastore.
- CREATE CLEAN ROOM: Allows a user to create a clean room for securely collaborating on projects with other organizations without sharing underlying data.
- CREATE CONNECTION: Allows a user to create a connection to an external database in a Lakehouse Federation scenario.
- CREATE EXTERNAL LOCATION: Allows a user to create external locations.
- CREATE SERVICE CREDENTIAL: Allows a user to create service credentials.
- CREATE STORAGE CREDENTIAL: Allows a user to create storage credentials.
- CREATE FOREIGN CATALOG: Allows a user to create foreign catalogs using a connection to an external database in a Lakehouse Federation scenario.
- CREATE SHARE: Allows a data provider user to create a share in Delta Sharing.
- CREATE RECIPIENT: Allows a data provider user to create a recipient in Delta Sharing.
- CREATE PROVIDER: Allows a data recipient user to create a provider in Delta Sharing.
- CREATE MATERIALIZED VIEW: Allows a user to create materialized views.
- MANAGE ALLOWLIST: Allows a user to update allowlists that manage cluster access to init scripts and libraries.
Metastore admins are also the owners of the metastore, which grants them the following privileges:
- Manage the privileges or transfer ownership of any object within the metastore, including storage credentials, external locations, connections, shares, recipients, and providers.
- Grant themselves read and write access to any data in the metastore. Metastore admins have this ability indirectly, through their ability to transfer ownership of all objects. There is no direct access by default. Granting of permissions is audit-logged.
- Read and update the metadata of all objects in the metastore.
- Delete the metastore.
Metastore admins are the only users who can grant privileges on the metastore itself.
Because metastore admins are the only users who have these privileges, you must assign a metastore admin if you want to use any of the following functionality:
- Change ownership of catalogs after someone leaves the company.
- Manage and delegate permissions on the init script and jar allowlist.
- Delegate the ability to create catalogs and other top-level permissions to non-workspace admins.
- Receive shared data through Delta Sharing.
- Remove default workspace admin permissions.
- Add managed storage to the metastore, if it has none. See Add managed storage to an existing metastore.
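The statements below are an added example, not part of the Azure Databricks documentation, showing how a metastore admin performs two of the tasks listed above from a SQL warehouse or notebook: delegating top-level privileges to a group instead of adding more metastore admins, and reassigning a catalog whose owner has left. The group name `data-platform-admins` and the catalog name `sales` are placeholders; the SHOW GRANTS and information_schema queries give the defender a way to confirm exactly what is granted at the metastore level afterwards.

```sql
-- Added example (not from the Azure Databricks docs). Run as the metastore admin.
-- Least privilege: grant the specific metastore privilege to a group rather than
-- making that group a metastore admin. `data-platform-admins` is a placeholder.
GRANT CREATE CATALOG ON METASTORE TO `data-platform-admins`;
GRANT CREATE EXTERNAL LOCATION ON METASTORE TO `data-platform-admins`;

-- Reassign a catalog after its owner leaves the company. Only the current owner
-- or a metastore admin can do this; `sales` is a placeholder catalog name.
ALTER CATALOG sales OWNER TO `data-platform-admins`;

-- Verify the result: everything granted on the metastore, then one principal's grants.
SHOW GRANTS ON METASTORE;
SHOW GRANTS `data-platform-admins` ON METASTORE;

-- The same information from the information schema, suitable for a scheduled
-- review job that flags unexpected metastore-level grantees.
SELECT grantee, privilege_type
FROM system.information_schema.metastore_privileges
ORDER BY grantee, privilege_type;
```

Granting to a group keeps the set of principals who can create catalogs reviewable in one place, and the final query can be compared against an approved list on a schedule rather than relying on the console.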
Who has initial metastore admin privileges?
If an account admin creates the metastore manually, that account admin is the metastore’s initial owner and metastore admin. All metastores created before November 9, 2023 were created manually by an account admin.
If the metastore was provisioned as part of automatic Unity Catalog enablement, the metastore was created without a metastore admin. Workspace admins in that case are automatically granted privileges that make the metastore admin optional. If needed, account admins can assign the metastore admin role to a user, service principal, or group. Groups are strongly recommended. See Automatic enablement of Unity Catalog.
Assign a metastore admin
Metastore admin is a highly privileged role that you should distribute carefully. It is optional.
Account admins can assign the metastore admin role. Databricks recommends nominating a group as the metastore admin. By doing this, any member of the group is automatically a metastore admin.
To assign the metastore admin role to a group:
- As an account admin, log in to the account console.
- Click Catalog.
- Click the name of a metastore to open its properties.
- Under Metastore Admin, click Edit.
- Select a group from the drop-down. You can enter text in the field to search for options.
- Click Save.
Important
It can take up to 30 seconds for a metastore admin assignment change to be reflected in your account, and it may take longer to take effect in some workspaces than others. This delay is due to caching protocols.
Account admins
Account admin is a highly privileged role that you should distribute carefully. Account admins have the following privileges:
- Can create metastores, and by default become the initial metastore admin.
- Can link metastores to workspaces.
- Can assign the metastore admin role.
- Can grant privileges on metastores.
- Can enable Delta Sharing for a metastore.
- Can configure storage credentials.
- Can enable system tables and delegate access to them.
To establish your first Azure Databricks account admin, see Establish your first account admin.
Workspace admins
Workspace admin is a highly privileged role that you should distribute carefully. Workspace admins have the following privileges:
- Can add users, service principals, and groups to a workspace.
- Can delegate other workspace admins.
- Can manage job ownership. See Control access to a job.
- Can manage the job Run as setting. See Configure identity for job runs.
- Can view and manage notebooks, dashboards, queries, and other workspace objects. See Access control lists.
Account admins can restrict workspace admin privileges using the RestrictWorkspaceAdmins setting. See Restrict workspace admins.
Workspace admin privileges when workspaces are enabled for Unity Catalog automatically
If your workspace was enabled for Unity Catalog automatically, the workspace is attached to a metastore by default. For more information, see Automatic enablement of Unity Catalog.
If your workspace was enabled for Unity Catalog automatically, workspace admins have the following privileges on the attached metastore by default:
- CREATE CATALOG
- CREATE CLEAN ROOM
- CREATE EXTERNAL LOCATION
- CREATE SERVICE CREDENTIAL
- CREATE STORAGE CREDENTIAL
- CREATE CONNECTION
- CREATE SHARE
- CREATE RECIPIENT
- CREATE PROVIDER
- CREATE MATERIALIZED VIEW
Workspace admins are the default owners of the workspace catalog, if a workspace catalog was provisioned for your workspace. Ownership of this catalog grants the following privileges:
- Manage the privileges for or transfer ownership of any object within the workspace catalog. This includes the ability to grant themselves read and write access to all data in the catalog (no direct access by default; granting permissions is audit-logged).
- Transfer ownership of the workspace catalog itself.
All workspace users receive the USE CATALOG privilege on the workspace catalog. Workspace users also receive the USE SCHEMA, CREATE TABLE, CREATE VOLUME, CREATE MODEL, CREATE FUNCTION, and CREATE MATERIALIZED VIEW privileges on the default schema in the catalog.
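The following is an added example, not part of the Azure Databricks documentation, for a workspace admin who owns the workspace catalog and wants to review the default grants described above and confirm that permission changes are being audit-logged. The catalog name `ws_catalog` is a placeholder for your workspace catalog, and the grantee `account users` is an assumption about which group carries the workspace-wide defaults; read the SHOW GRANTS output first and substitute the principal it actually lists.

```sql
-- Added example (not from the Azure Databricks docs). Run as the workspace catalog owner.
-- `ws_catalog` is a placeholder for the workspace catalog's real name.

-- 1. Inventory the defaults on the catalog and its default schema.
SHOW GRANTS ON CATALOG ws_catalog;
SHOW GRANTS ON SCHEMA ws_catalog.default;

-- The same inventory from the information schema, filtered to the default schema.
SELECT grantee, privilege_type
FROM system.information_schema.schema_privileges
WHERE catalog_name = 'ws_catalog' AND schema_name = 'default'
ORDER BY grantee, privilege_type;

-- 2. Narrow the defaults where the workspace does not need every user creating
--    objects in the default schema. `account users` is an assumed grantee; use the
--    principal shown by SHOW GRANTS above.
REVOKE CREATE TABLE ON SCHEMA ws_catalog.default FROM `account users`;
REVOKE CREATE VOLUME ON SCHEMA ws_catalog.default FROM `account users`;

-- 3. Confirm the revocations were recorded. Unity Catalog permission changes land
--    in the audit system table; the action name below is assumed, so check the
--    values present in your own account before alerting on it.
SELECT event_time, user_identity.email AS actor, action_name, request_params
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND action_name = 'updatePermissions'
  AND event_date >= current_date() - INTERVAL 7 DAYS
ORDER BY event_time DESC;
```

Running the inventory before and after the REVOKE statements gives a clean record of what changed, and the audit query is the starting point for a detection that pages when grants on the workspace catalog change outside an approved window.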
Note
The default privileges granted on the attached metastore and workspace catalog are not maintained across workspaces (if, for example, the workspace catalog is also bound to another workspace).