Lessons

Security & Compliance

Unity Catalog privileges — the three-level traversal and delegation

Grant Unity Catalog data privileges (SELECT, MODIFY, USE CATALOG/SCHEMA, MANAGE) following least privilege, and delegate administration without granting admin.

The last lesson controlled the objects you run on. This one controls the data — who can read and write which tables — through Unity Catalog privileges. UC has one structural fact that causes more wrong answers than any other, so we anchor on it.


The spine

Beat 1 — the anchor: a privilege at all three levels

A UC object is named catalog.schema.table.

Predict: you grant an analyst SELECT ON TABLE bi.analytics.insights and nothing else. Can they query it?

No. To reach a table you must traverse to it and act on it:

Anchor. Access requires USE CATALOG on the catalog + USE SCHEMA on the schema + the action privilege (SELECT to read, MODIFY to write) on the table. Missing the privilege at any level blocks access — a perfect SELECT grant is useless without the two traversal grants above it.

The read-only pattern falls straight out — three grants, one per level:

GRANT USE CATALOG ON CATALOG bi TO marketing_team;
GRANT USE SCHEMA  ON SCHEMA bi.analytics TO marketing_team;
GRANT SELECT      ON TABLE bi.analytics.insights TO marketing_team;

Lock it. USE CATALOG + USE SCHEMA + SELECT/MODIFY. A lone SELECT ON TABLE is not enough — "granted SELECT but still can't query" → missing the traversal grants.

Beat 2 — the privilege vocabulary

PrivilegeGrantsOn
USE CATALOG / USE SCHEMAtraverse into (see/reference children) — not read datacatalog / schema
SELECTread (query) datatable / view
MODIFYinsert + update + delete datatable
CREATE TABLE / CREATE SCHEMAcreate child objectsschema / catalog
ALL PRIVILEGESevery applicable privilegeany

Two exact meanings: MODIFY = insert + update + delete (all three writes, not read); GRANT ALL PRIVILEGES ON TABLE t TO g = full permissions on that table. Renamed-term note: UC uses USE CATALOG/USE SCHEMA; older Hive-metastore ACLs (and some exam phrasings) call traversal USAGE — recognise both.


The dials (skim now; return when a question needs one)

◆ Ownership, and "privileges don't flow upward"

Every UC securable has an owner with full control — and unlike workspace objects ([Access control — least privilege and the object permission ladders](/lessons/s7-access-control/)), a UC owner can be a group (recommended). The trap: when you grant CREATE TABLE and someone creates tables, they own them — you don't automatically get rights. A platform engineer who set up the catalog and granted the dev team CREATE TABLE cannot necessarily read the dev team's new tables (creators own them; a schema owner doesn't auto-hold privileges on child tables but can grant them to themselves). Privileges don't flow upward to the parent's admin. (Downward inheritance is [Unity Catalog inheritance — how one grant cascades](/lessons/s8-uc-inheritance/).)

◆ Delegating admin without admin — the MANAGE privilege

Let a team lead run access for a catalog without being a metastore admin/owner:

Tell: "delegate permission management / let a lead grant access without full admin" → MANAGE. (Older GRANT … WITH GRANT OPTION delegates re-granting of one privilege; MANAGE is the broad, current delegation.)

◆ Grants only bite on UC-compliant compute

Privileges enforce only on the UC access modes from [Job & environment configuration — compute and Spark tuning](/lessons/s1-job-env-config/): Standard (was "Shared") for multi-user interactive with full UC governance; Dedicated (was "Single user") for single-user/automated jobs. Interactive exploration → Standard; automated ETL needing isolation → Dedicated; wrap both in compute policies. A non-UC access mode can't enforce these grants.

Takeaways (rebuild it from these)

  1. Three-level traversal: USE CATALOG + USE SCHEMA + (SELECT/MODIFY) — missing any level blocks access.
  2. Meanings: SELECT = read; MODIFY = insert+update+delete; USE CATALOG/SCHEMA = traverse (not read); ALL PRIVILEGES = everything. Old traversal name = USAGE.
  3. Ownership: UC owner has full control and can be a group; tables created by others are owned by their creators — privileges don't flow upward.
  4. MANAGE delegates grant/revoke without ownership/admin; cascades on containers; still needs traversal.
  5. Grants enforce only on UC-compliant compute: Standard (interactive) vs Dedicated (jobs), under compute policies.

Before you move on — say these without scrolling up

  1. Granted SELECT ON TABLE, still can't query — what's missing?
  2. MODIFY covers which operations, exactly?
  3. You granted a team CREATE TABLE; can you read the tables they create — why/why not?
  4. "Let a lead grant access without making them admin" — which privilege?

Next: even with SELECT, you often must hide specific rows and column values per user → [Row filters and column masks — access control inside a table](/lessons/s7-row-col-masks/).

Prerequisites

Leads to