topic Re: Which role is recommended to create and manage Unity Catalog objects—Workspace Admin or Metastor in Administration & Architecture

Which role is recommended to create and manage Unity Catalog objects—Workspace Admin or Metastore Ad

APJESK — Sun, 05 Apr 2026 04:58:32 GMT

Which role is recommended to create and manage Unity Catalog objects (catalog, schema, Storage credentials, External Location)—Workspace Admin or Metastore Admin—and why?

Re: Which role is recommended to create and manage Unity Catalog objects—Workspace Admin or Metastor

APJESK — Sun, 05 Apr 2026 05:03:54 GMT

I am designing the security model for our Databricks platform and need guidance on role selection for managing Unity Catalog. Which role should be used for creating and managing Unity Catalog objects such as Storage Credentials, External Locations, Catalogs, Schemas, and Delta Sharing?

Specifically, for automation using Terraform, which role should be assigned to the service principal responsible for creating these Unity Catalog objects and handling future maintenance?

Should we use the Workspace Admin role or the Metastore Admin role, considering security best practices, least privilege, and long-term governance?

Re: Which role is recommended to create and manage Unity Catalog objects—Workspace Admin or Metastor

Ashwin_DSA — Sun, 05 Apr 2026 10:27:54 GMT

Hi @APJESK,

Per Databricks best practices, use workspace admin for day-to-day workspace management and metastore admin optionally, but specifically for central data governance and metastore-level storage across workspaces.

At a high level, use a dedicated service principal with Unity Catalog level privileges (ideally Metastore Admin or equivalent METASTORE grants), not a long-lived Workspace Admin, for Terraform automation.

For creating and managing UC objects via Terraform, use a service principal with metastore level privileges... preferably via the Metastore Admin role on the target metastore, assigned to a group the SP belongs to. Or via explicit GRANT … ON METASTORE of the specific UC privileges needed.

For UC object management... Metastore Admin (or equivalent METASTORE grants) is the correct choice. Reserve Workspace Admin for workspace-centric tasks (users, jobs, clusters, workspace catalog), not for central UC governance.

The only exception is when creating the metastore itself and linking workspaces with Terraform... for which you also need a service principal with Account Admin permissions, per the UC Terraform automation docs.

Hope this helps.

If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.