
How to resolve the AnalysisException "DENY is not supported in Unity Catalog"

akashs04
New Contributor II

Hi All,

I am trying to manage access to objects created in a Unity Catalog.

I want the owner/creator of the object (me) to not have access to the object and only the specified users/groups to be able to select/perform other actions on the objects.

But the DENY Command is not supported in Unity Catalog. Is there any other way to deny access to the owner of the objects?

The command I am using is:

%sql

DENY EXECUTE ON FUNCTION catalogName.schemaName.functionTest TO `username@email.com`;

Thanks!

5 REPLIES

Ajay-Pandey
Esteemed Contributor III

Hi @Akash Sivadas,

I think you can do it from the Data Explorer tab.

Please refer to the blog below for the same:

Manage Unity Catalog permissions in Data Explorer | Databricks on AWS

Hi. Apologies for not being more elaborate about the scenario.

Your solution would work for users who have been granted any permissions to the object but not for the owner of the object. I want the owner of the object to be revoked from accessing this object.

Ideally, transferring the object ownership to another user would work. But in my case I am dealing with sensitive data, and object creation happens with the help of a Databricks Job. The above-mentioned step can be reverted by an admin in the Databricks Workspace. So, this job can still be executed by any other Admin in the Workspace using the owner's credentials to potentially access data.

Kaniz
Community Manager

Hi @Akash Sivadas, it seems there is a syntax error here. Please try the syntax below:

%sql
 
DENY EXECUTE ON FUNCTION catalogName.schemaName.functionTest TO username@email.com;
 
 

akashs04
New Contributor II

Hi @Kaniz Fatma,

I had already tried that but Databricks throws a ParseException saying possibly unquoted identifier username@email.com detected. Please consider quoting it with back-quoted as `username@email.com`

Kaniz
Community Manager

Hi @Akash Sivadas, Unity Catalog does not support this function. This statement applies only to the hive_metastore catalog and its objects.

SOURCE
