The last lesson controlled the objects you run on. This one controls the data — who can read and write which tables — through Unity Catalog privileges. UC has one structural fact that causes more wrong answers than any other, so we anchor on it.
The spine
Beat 1 — the anchor: a privilege at all three levels
A UC object is named catalog.schema.table.
Predict: you grant an analyst
SELECT ON TABLE bi.analytics.insightsand nothing else. Can they query it?
…
No. To reach a table you must traverse to it and act on it:
Anchor. Access requires
USE CATALOGon the catalog +USE SCHEMAon the schema + the action privilege (SELECTto read,MODIFYto write) on the table. Missing the privilege at any level blocks access — a perfectSELECTgrant is useless without the two traversal grants above it.
The read-only pattern falls straight out — three grants, one per level:
GRANT USE CATALOG ON CATALOG bi TO marketing_team;
GRANT USE SCHEMA ON SCHEMA bi.analytics TO marketing_team;
GRANT SELECT ON TABLE bi.analytics.insights TO marketing_team;
Lock it.
USE CATALOG+USE SCHEMA+SELECT/MODIFY. A loneSELECT ON TABLEis not enough — "granted SELECT but still can't query" → missing the traversal grants.
Beat 2 — the privilege vocabulary
| Privilege | Grants | On |
|---|---|---|
USE CATALOG / USE SCHEMA | traverse into (see/reference children) — not read data | catalog / schema |
SELECT | read (query) data | table / view |
MODIFY | insert + update + delete data | table |
CREATE TABLE / CREATE SCHEMA | create child objects | schema / catalog |
ALL PRIVILEGES | every applicable privilege | any |
Two exact meanings: MODIFY = insert + update + delete (all three writes, not read); GRANT ALL PRIVILEGES ON TABLE t TO g = full permissions on that table. Renamed-term note: UC uses USE CATALOG/USE SCHEMA; older Hive-metastore ACLs (and some exam phrasings) call traversal USAGE — recognise both.
The dials (skim now; return when a question needs one)
◆ Ownership, and "privileges don't flow upward"
Every UC securable has an owner with full control — and unlike workspace objects ([Access control — least privilege and the object permission ladders](/lessons/s7-access-control/)), a UC owner can be a group (recommended). The trap: when you grant CREATE TABLE and someone creates tables, they own them — you don't automatically get rights. A platform engineer who set up the catalog and granted the dev team CREATE TABLE cannot necessarily read the dev team's new tables (creators own them; a schema owner doesn't auto-hold privileges on child tables but can grant them to themselves). Privileges don't flow upward to the parent's admin. (Downward inheritance is [Unity Catalog inheritance — how one grant cascades](/lessons/s8-uc-inheritance/).)
◆ Delegating admin without admin — the MANAGE privilege
Let a team lead run access for a catalog without being a metastore admin/owner:
MANAGElets a principal grant and revoke privileges on a securable (administer its permissions) without owning it.- On a container (catalog/schema) it cascades to children —
GRANT MANAGE ON CATALOG finance_data TO finance_leadslets them administer everything inside. - They still need the usual traversal to exercise it.
Tell: "delegate permission management / let a lead grant access without full admin" → MANAGE. (Older GRANT … WITH GRANT OPTION delegates re-granting of one privilege; MANAGE is the broad, current delegation.)
◆ Grants only bite on UC-compliant compute
Privileges enforce only on the UC access modes from [Job & environment configuration — compute and Spark tuning](/lessons/s1-job-env-config/): Standard (was "Shared") for multi-user interactive with full UC governance; Dedicated (was "Single user") for single-user/automated jobs. Interactive exploration → Standard; automated ETL needing isolation → Dedicated; wrap both in compute policies. A non-UC access mode can't enforce these grants.
Takeaways (rebuild it from these)
- Three-level traversal:
USE CATALOG+USE SCHEMA+ (SELECT/MODIFY) — missing any level blocks access. - Meanings:
SELECT= read;MODIFY= insert+update+delete;USE CATALOG/SCHEMA= traverse (not read);ALL PRIVILEGES= everything. Old traversal name =USAGE. - Ownership: UC owner has full control and can be a group; tables created by others are owned by their creators — privileges don't flow upward.
MANAGEdelegates grant/revoke without ownership/admin; cascades on containers; still needs traversal.- Grants enforce only on UC-compliant compute: Standard (interactive) vs Dedicated (jobs), under compute policies.
Before you move on — say these without scrolling up
- Granted
SELECT ON TABLE, still can't query — what's missing? MODIFYcovers which operations, exactly?- You granted a team
CREATE TABLE; can you read the tables they create — why/why not? - "Let a lead grant access without making them admin" — which privilege?
Next: even with SELECT, you often must hide specific rows and column values per user → [Row filters and column masks — access control inside a table](/lessons/s7-row-col-masks/).