https://community.databricks.com/t5/administration-architecture/lakeflow-connect-can-t-change-general-privilege-requirements/m-p/113814#M3186 <P>I want to set up Lakeflow Connect to ETL data from Azure SQL Server (Microsoft SQL Azure (RTM) - 12.0.2000.8 Feb 9 2025) using change tracking (we don't need the data retention of CDC).&nbsp; In the documentation, there is a list off system tables, views and sprocs we need to grant the ETL user access to (<A href="https://learn.microsoft.com/en-us/azure/databricks/ingestion/lakeflow-connect/sql-server/database-user-requirements#general-privilege-requirements" target="_blank">https://learn.microsoft.com/en-us/azure/databricks/ingestion/lakeflow-connect/sql-server/database-user-requirements#general-privilege-requirements</A>).</P><P>When I try to update permissions on the system objects, I get the following error</P><P class="lia-indent-padding-left-30px"><EM>Msg 40574, Level 16, State 1, Line 1</EM><BR /><EM>Permissions for system stored procedures, server scoped catalog views, and extended stored procedures cannot be changed in this version of SQL Server.</EM></P><P>Is this a known issue, and if so, is there a known way to work around trying to change permissions on system objects?</P> Thu, 27 Mar 2025 14:34:36 GMT Rjdudley 2025-03-27T14:34:36Z https://community.databricks.com/t5/administration-architecture/lakeflow-connect-can-t-change-general-privilege-requirements/m-p/113814#M3186 <P>I want to set up Lakeflow Connect to ETL data from Azure SQL Server (Microsoft SQL Azure (RTM) - 12.0.2000.8 Feb 9 2025) using change tracking (we don't need the data retention of CDC).&nbsp; In the documentation, there is a list off system tables, views and sprocs we need to grant the ETL user access to (<A href="https://learn.microsoft.com/en-us/azure/databricks/ingestion/lakeflow-connect/sql-server/database-user-requirements#general-privilege-requirements" target="_blank">https://learn.microsoft.com/en-us/azure/databricks/ingestion/lakeflow-connect/sql-server/database-user-requirements#general-privilege-requirements</A>).</P><P>When I try to update permissions on the system objects, I get the following error</P><P class="lia-indent-padding-left-30px"><EM>Msg 40574, Level 16, State 1, Line 1</EM><BR /><EM>Permissions for system stored procedures, server scoped catalog views, and extended stored procedures cannot be changed in this version of SQL Server.</EM></P><P>Is this a known issue, and if so, is there a known way to work around trying to change permissions on system objects?</P> Thu, 27 Mar 2025 14:34:36 GMT https://community.databricks.com/t5/administration-architecture/lakeflow-connect-can-t-change-general-privilege-requirements/m-p/113814#M3186 Rjdudley 2025-03-27T14:34:36Z https://community.databricks.com/t5/administration-architecture/lakeflow-connect-can-t-change-general-privilege-requirements/m-p/121507#M3462 <P>Got same issue. Did you find a way to configure required permissions?&nbsp;</P> Wed, 11 Jun 2025 16:35:32 GMT https://community.databricks.com/t5/administration-architecture/lakeflow-connect-can-t-change-general-privilege-requirements/m-p/121507#M3462 andreys 2025-06-11T16:35:32Z https://community.databricks.com/t5/administration-architecture/lakeflow-connect-can-t-change-general-privilege-requirements/m-p/137461#M4346 <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">You are hitting a known limitation in Azure SQL Database: it does not allow you to grant or modify permissions directly on most system objects, such as system stored procedures, catalog views, or extended stored procedures, resulting in the error "Msg 40574, Level 16, State 1, Line 1 - Permissions for system stored procedures, server scoped catalog views, and extended stored procedures cannot be changed in this version of SQL Server". This is not a bug but intentional: in Azure SQL Database, many server-level and some system-level permissions are simply not supported and cannot be changed by users.​</P> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">Why This Happens</H2> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Azure SQL Database (unlike SQL Server on-prem or Managed Instance) restricts direct changes to system object permissions for security and multi-tenancy reasons.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Many server/instance-level concepts are not available in Azure SQL Database, and permissions must be managed at the database level, not the server level.​</P> </LI> </UL> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">Lakeflow Connect Workaround &amp; Permissions</H2> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">For ETL scenarios using Lakeflow Connect with change tracking (not CDC), you<SPAN>&nbsp;</SPAN><STRONG>do not need</STRONG><SPAN>&nbsp;</SPAN>to modify permissions on system objects directly.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Instead, focus on granting the following at the database and object level, as outlined in the Databricks documentation:</P> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2"><CODE>VIEW CHANGE TRACKING</CODE><SPAN>&nbsp;</SPAN>on tables and schemas that are being ingested.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2"><CODE>VIEW DEFINITION</CODE><SPAN>&nbsp;</SPAN>on the database being ingested.</P> </LI> </UL> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Example T-SQL for these (replace with your user/table/database names):</P> <DIV class="w-full md:max-w-[90vw]"> <DIV class="codeWrapper text-light selection:text-super selection:bg-super/10 my-md relative flex flex-col rounded font-mono text-sm font-normal bg-subtler"> <DIV class="translate-y-xs -translate-x-xs bottom-xl mb-xl flex h-0 items-start justify-end md:sticky md:top-[100px]"> <DIV class="overflow-hidden rounded-full border-subtlest ring-subtlest divide-subtlest bg-base"> <DIV class="border-subtlest ring-subtlest divide-subtlest bg-subtler">&nbsp;</DIV> </DIV> </DIV> <DIV class="-mt-xl"> <DIV> <DIV class="text-quiet bg-subtle py-xs px-sm inline-block rounded-br rounded-tl-[3px] font-thin" data-testid="code-language-indicator">sql</DIV> </DIV> <DIV><SPAN><CODE><SPAN class="token token">-- For each tracked table:</SPAN> <SPAN class="token token">GRANT</SPAN> <SPAN class="token token">VIEW</SPAN> CHANGE TRACKING <SPAN class="token token">ON</SPAN> OBJECT::dbo<SPAN class="token token punctuation">.</SPAN><SPAN class="token token operator">&lt;</SPAN>your<SPAN class="token token operator">-</SPAN><SPAN class="token token">table</SPAN><SPAN class="token token operator">&gt;</SPAN> <SPAN class="token token">TO</SPAN> <SPAN class="token token operator">&lt;</SPAN>etl<SPAN class="token token operator">-</SPAN><SPAN class="token token">user</SPAN><SPAN class="token token operator">&gt;</SPAN><SPAN class="token token punctuation">;</SPAN> <SPAN class="token token">-- At schema scope (alternative):</SPAN> <SPAN class="token token">GRANT</SPAN> <SPAN class="token token">VIEW</SPAN> CHANGE TRACKING <SPAN class="token token">ON</SPAN> <SPAN class="token token">SCHEMA</SPAN>::dbo <SPAN class="token token">TO</SPAN> <SPAN class="token token operator">&lt;</SPAN>etl<SPAN class="token token operator">-</SPAN><SPAN class="token token">user</SPAN><SPAN class="token token operator">&gt;</SPAN><SPAN class="token token punctuation">;</SPAN> <SPAN class="token token">-- Grant view definition for the whole database:</SPAN> <SPAN class="token token">GRANT</SPAN> <SPAN class="token token">VIEW</SPAN> DEFINITION <SPAN class="token token">ON</SPAN> <SPAN class="token token">DATABASE</SPAN>::<SPAN class="token token operator">&lt;</SPAN>your<SPAN class="token token operator">-</SPAN>db<SPAN class="token token operator">&gt;</SPAN> <SPAN class="token token">TO</SPAN> <SPAN class="token token operator">&lt;</SPAN>etl<SPAN class="token token operator">-</SPAN><SPAN class="token token">user</SPAN><SPAN class="token token operator">&gt;</SPAN><SPAN class="token token punctuation">;</SPAN> </CODE></SPAN></DIV> </DIV> </DIV> </DIV> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">There is<SPAN>&nbsp;</SPAN><STRONG>no supported way</STRONG><SPAN>&nbsp;</SPAN>to bypass or "fix" the inability to change permissions on system objects—stick with object- and database-level grants as above.​</P> </LI> </UL> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">If You Still Get Errors</H2> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Double-check that you are not attempting to run<SPAN>&nbsp;</SPAN><CODE>GRANT</CODE><SPAN>&nbsp;</SPAN>statements referencing any system object, but only your user tables, schemas, or DB.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">If Databricks or Lakeflow Connect instructions refer to granting permissions on system objects that can't be modified in Azure SQL DB, you can safely omit those steps and just use the granular permissions above.​</P> </LI> </UL> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">Summary Table</H2> <DIV class="group relative"> <DIV class="w-full overflow-x-auto md:max-w-[90vw] border-subtlest ring-subtlest divide-subtlest bg-transparent"> <TABLE class="border-subtler my-[1em] w-full table-auto border-separate border-spacing-0 border-l border-t"> <THEAD class="bg-subtler"> <TR> <TH class="border-subtler p-sm break-normal border-b border-r text-left align-top">Object Type</TH> <TH class="border-subtler p-sm break-normal border-b border-r text-left align-top">Can Permission Be Changed?</TH> <TH class="border-subtler p-sm break-normal border-b border-r text-left align-top">Workaround/Azure SQL Approach</TH> </TR> </THEAD> <TBODY> <TR> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">User tables/schemas/databases</TD> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">Yes</TD> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">Use<SPAN>&nbsp;</SPAN><CODE>GRANT</CODE><SPAN>&nbsp;</SPAN>as documented<SPAN>&nbsp;</SPAN>​</TD> </TR> <TR> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">System stored procs/views/tables</TD> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">No</TD> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">Not supported, ignore/omit<SPAN>&nbsp;</SPAN>​</TD> </TR> <TR> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">Change tracking metadata</TD> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">Yes (object/schema level only)</TD> <TD class="px-sm border-subtler min-w-[48px] break-normal border-b border-r">Use<SPAN>&nbsp;</SPAN><CODE>VIEW CHANGE TRACKING</CODE><SPAN>&nbsp;</SPAN>​</TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="bg-base border-subtler shadow-subtle pointer-coarse:opacity-100 right-xs absolute bottom-0 flex rounded-lg border opacity-0 transition-opacity group-hover:opacity-100 [&amp;&gt;*:not(:first-child)]:border-subtle [&amp;&gt;*:not(:first-child)]:border-l"> <DIV class="flex">&nbsp;</DIV> <DIV class="flex">&nbsp;</DIV> </DIV> </DIV> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">You should not attempt or expect to grant rights on system-level SQL objects in Azure SQL Database, and should instead use the per-database/object permissions specifically documented for your ETL scenario.​</P> Mon, 03 Nov 2025 21:16:07 GMT https://community.databricks.com/t5/administration-architecture/lakeflow-connect-can-t-change-general-privilege-requirements/m-p/137461#M4346 mark_ott 2025-11-03T21:16:07Z