https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33516#M24498 <P>That's correct, unlike table access control using credential passthrough all the user will see all the databases and table/view (but they wont be able to query some one else's table/view as it will fail with access error) , but then there is no control over dropping someone else's table from Hive, so based on my example above User2 will be able to run drop table on Database1.Table even though he can not run Select * From Database1.Table because it is created on a mounting point which user2 dont have access, but user2 can change hive megastore e.g. drop tables</P> Thu, 09 Dec 2021 13:41:13 GMT Redkite 2021-12-09T13:41:13Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33512#M24494 <P>Is there a way for non admin (at workspace level) or users without having (SELECT, MODIFY on ANY File) to create tables (unmanaged/external) even though they are owner of the database in which they want to create tables in a Table Access Controlled cluster/workspace environment.</P><P>Or some how restrict them to create table (with option/location) on a certain location on the storage.</P><P></P><P>Giving (SELECT or MODIFY on ANY File) makes user semi admin as they can create table on any location the service principle has access on external Data lake.</P> Thu, 09 Dec 2021 12:06:13 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33512#M24494 Redkite 2021-12-09T12:06:13Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33513#M24495 <P>Question is do they (users) need to login to databricks at all? maybe they can just use databricks sql endpoints to query data? like here <A href="https://www.youtube.com/watch?v=jlEdoVpWwNc" target="test_blank">https://www.youtube.com/watch?v=jlEdoVpWwNc</A></P><P></P><P>Regarding access management probably @Prabakar Ammeappin​&nbsp;and @Werner Stinckens​&nbsp;know more.</P> Thu, 09 Dec 2021 12:58:49 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33513#M24495 Hubert-Dudek 2021-12-09T12:58:49Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33514#M24496 <P>@Hubert Dudek​&nbsp;querying the table/view/data based on their Access via SQL end point or TAC cluster is not the problem.</P><P></P><P>Being able to create the table/view pointing to the datalake themselves is the problem, you need to be an admin (on work space level) or have SELECT and MODIFY on ANY File permissions to create a table.</P><P>SELECT and MODIFY on ANY File gives you access to create a table on any location on external Storage (on which Service principle has access) on which you may not have access via a table/view</P><P></P><P>e.g. let say there are 2 databases called Database1 and Database2 having a table each called Database1.Table and Database2.Table, user2 is owner of Database2 but can not view Database1.Table using table access control.</P><P>But for user2 to create a new table in his database called Database2.ANewTable he need SELECT and MODIFY on ANY File on workspace level which also gives liberty to create a new table called Database2.sometable which he can potentially point to datalke/Database1/Table on which he should not have any rights.</P> Thu, 09 Dec 2021 13:15:45 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33514#M24496 Redkite 2021-12-09T13:15:45Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33515#M24497 <P>only one idea which I have to restrict access to storage is to use credential passthrough so your user will have access (full or read only etc.) only to what is defined by IAM in azure <A href="https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-passthrough" target="test_blank">https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-passthrough</A></P><P>so every database will be on separate mount pointing to separate container in adls with separate access rights</P> Thu, 09 Dec 2021 13:33:48 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33515#M24497 Hubert-Dudek 2021-12-09T13:33:48Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33516#M24498 <P>That's correct, unlike table access control using credential passthrough all the user will see all the databases and table/view (but they wont be able to query some one else's table/view as it will fail with access error) , but then there is no control over dropping someone else's table from Hive, so based on my example above User2 will be able to run drop table on Database1.Table even though he can not run Select * From Database1.Table because it is created on a mounting point which user2 dont have access, but user2 can change hive megastore e.g. drop tables</P> Thu, 09 Dec 2021 13:41:13 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33516#M24498 Redkite 2021-12-09T13:41:13Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33517#M24499 <P>You can ask for access to preview of Unity Catalog</P><P><A href="https://databricks.com/product/unity-catalog" target="test_blank">https://databricks.com/product/unity-catalog</A></P> Thu, 09 Dec 2021 16:12:51 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33517#M24499 Hubert-Dudek 2021-12-09T16:12:51Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33518#M24500 <P>1- According to Data-brick guys i spoke to unity Catalog &nbsp;"it is still at early&nbsp;stage for production workloads"</P><P>2- As per my understanding based on Unity Catalog discussion, it can cater for more granular permissions, but still who can manage the create object permissions is unclear is that granular (e.g. at least database level as well) or do you need to be admin at highest level to create objects.</P> Fri, 10 Dec 2021 09:55:52 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33518#M24500 Redkite 2021-12-10T09:55:52Z https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33519#M24501 <P>Grant privileges on all the explain&nbsp;<B>tables</B>&nbsp;to&nbsp;<B>non admin</B>&nbsp;user as ... where BIADMIN is the&nbsp;<B>non admin</B>&nbsp;user who wants to&nbsp;<B>generate</B>&nbsp;explain plans.</P><P><A href="https://www.advancedmd.online/" alt="https://www.advancedmd.online/" target="_blank">&nbsp;AdvancedMD Login</A></P><P></P> Wed, 15 Dec 2021 08:58:17 GMT https://community.databricks.com/t5/data-engineering/create-table-for-non-admins-table-access-control-cluster/m-p/33519#M24501 Blackwell15 2021-12-15T08:58:17Z