Privileges and securable objects in the Hive metastore
Applies to: 
Databricks SQL Databricks Runtime
A privilege is a right granted to a principal to operate on a securable object in the metastore.
The privilege model and securable objects differ depending on whether you are using a Unity Catalog metastore or the legacy Hive metastore. This article describes the privilege model for the legacy Hive metastore. If you are using Unity Catalog, see Privileges and securable objects in Unity Catalog.
Securable objects in the Hive metastore
A securable object is an object defined in the metastore on which privileges can be granted to a principal.
To manage privileges on any object you must be its owner or an administrator.
Syntax
securable_object
{ ANY FILE |
CATALOG [ catalog_name ] |
{ SCHEMA | DATABASE } schema_name |
FUNCTION function_name |
[ TABLE ] table_name |
VIEW view_name
}
Parameters
ANY FILEControls access to the underlying filesystem.
CATALOGcatalog_nameControls access to the entire data catalog.
{ SCHEMA | DATABASE }schema_nameControls access to a schema.
FUNCTIONfunction_nameControls access to a named function.
[ TABLE ]table_nameControls access to a managed or external table.
VIEWview_nameControls access to SQL views.
Inheritance model
Securable objects in the Hive metastore are hierarchical and privileges are inherited downward. This means that granting or denying a privilege on the CATALOG automatically grants or denies the privilege to all schemas in the catalog. Similarly, privileges granted on a schema object are inherited by all objects in that schema. This pattern is true for all securable objects.
If you deny a user privileges on a table, the user can’t see the table by attempting to list all tables in the schema. If you deny a user privileges on a schema, the user can’t see that the schema exists by attempting to list all schemas in the catalog.
Privilege types
The following table shows which privileges are associated with which securable objects.
| Privilege type | ANONYMOUS FUNCTION | ANY FILE | CATALOG | SCHEMA | FUNCTION | TABLE | VIEW |
|---|---|---|---|---|---|---|---|
| CREATE | Yes | Yes | |||||
| MODIFY | Yes | Yes | Yes | Yes | |||
| READ_METADATA | Yes | Yes | Yes | Yes | |||
| SELECT | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| USAGE | Yes | Yes |
ALL PRIVILEGESUsed to grant or revoke all privileges applicable to the securable and its child objects without explicitly specifying them. This expands to all available privileges at the time permissions checks are made.
CREATECreate objects within the catalog or schema.
MODIFYCOPY INTO, UPDATE DELETE, INSERT, or MERGE INTO the table.
If the securable_object is the
hive_metastoreor a schema within it, grantingMODIFYwill grantMODIFYon all current and future tables and views within the securable object.READ_METADATADiscover the securable object in SHOW and interrogate the object in DESCRIBE
If the securable object is the
hive_metastorecatalog or a schema within it, grantingREAD_METADATAwill grantREAD_METADATAon all current and future tables and views within the securable object.READ FILESQuery files directly using the storage credential or external location.
SELECTQuery a table or view, invoke a user defined or anonymous function, or select
ANY FILE. The user needsSELECTon the table, view, or function, as well asUSAGEon the object’s schema and catalog.If the securable object is the
hive_metastoreor a schema within it, grantingSELECTwill grantSELECTon all current and future tables and views within the securable object.USAGERequired, but not sufficient to reference any objects in a catalog or schema. The principal also needs to have privileges on the individual securable objects.
WRITE FILESDirectly COPY INTO files governed by the storage credential or external location.
Examples
-- Grant a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;
-- Revoke a privilege from the general public group.
> REVOKE USAGE ON SCHEMA some_schema FROM `alf@melmak.et`;