Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Which role is recommended to create and manage Unity Catalog objects—Workspace Admin or Metastore Admin—and why?

APJESK
Contributor

Which role is recommended to create and manage Unity Catalog objects (catalog, schema, Storage credentials, External Location)—Workspace Admin or Metastore Admin—and why?

 

2 REPLIES

APJESK
Contributor

I am designing the security model for our Databricks platform and need guidance on role selection for managing Unity Catalog. Which role should be used for creating and managing Unity Catalog objects such as Storage Credentials, External Locations, Catalogs, Schemas, and Delta Sharing?

Specifically, for automation using Terraform, which role should be assigned to the service principal responsible for creating these Unity Catalog objects and handling future maintenance?

Should we use the Workspace Admin role or the Metastore Admin role, considering security best practices, least privilege, and long-term governance?

Ashwin_DSA
Databricks Employee

Hi @APJESK,

Per Databricks best practices, use workspace admin for day-to-day workspace management and metastore admin optionally, but specifically for central data governance and metastore-level storage across workspaces.

At a high level, use a dedicated service principal with Unity Catalog-level privileges (ideally Metastore Admin or equivalent METASTORE grants), not a long-lived Workspace Admin, for Terraform automation.

For creating and managing UC objects via Terraform, use a service principal with metastore-level privileges... preferably via the Metastore Admin role on the target metastore, assigned to a group the SP belongs to, or via explicit GRANT … ON METASTORE of the specific UC privileges needed.

For UC object management... Metastore Admin (or equivalent METASTORE grants) is the correct choice. Reserve Workspace Admin for workspace-centric tasks (users, jobs, clusters, workspace catalog), not for central UC governance.

The only exception is when creating the metastore itself and linking workspaces with Terraform... for which you also need a service principal with Account Admin permissions, per the UC Terraform automation docs.

Hope this helps.

If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.

 

Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***
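The pattern the answer describes (a dedicated service principal, placed in a group that holds metastore-level privileges, used by Terraform to create UC objects) as an added Terraform example. This is not code from the thread or from Databricks; it uses the Databricks Terraform provider's `databricks_service_principal`, `databricks_group`, `databricks_group_member` and `databricks_grants` resources, and the group name, service principal name, provider aliases and the `account_id`, `workspace_host` and `metastore_id` variables are all assumptions. It takes the "explicit GRANT ... ON METASTORE" route rather than making the group the metastore owner (the metastore admin), so the automation identity gets only the object-creation privileges it needs.

```hcl
# Added example (not from the original post or Databricks): a least-privilege
# automation identity for Unity Catalog object management via Terraform.
# Every name, alias and variable below is an assumption for illustration.

terraform {
  required_providers {
    databricks = {
      source = "databricks/databricks"
    }
  }
}

variable "account_id" {}     # assumed: Databricks account ID
variable "workspace_host" {} # assumed: URL of a workspace attached to the metastore
variable "metastore_id" {}   # assumed: ID of the metastore that already exists

# Account-level provider: identities (SPs, groups) live at the account level.
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.cloud.databricks.com"
  account_id = var.account_id
}

# Workspace-level provider: metastore grants and UC objects are managed here.
provider "databricks" {
  alias = "workspace"
  host  = var.workspace_host
}

# Dedicated, non-human identity for the UC automation (assumed display name).
resource "databricks_service_principal" "uc_automation" {
  provider     = databricks.account
  display_name = "sp-uc-automation"
}

# Privileges are attached to a group, not to the SP directly, so rotating or
# replacing the SP later is a membership change rather than a re-grant.
resource "databricks_group" "uc_automation_admins" {
  provider     = databricks.account
  display_name = "uc-automation-admins"
}

resource "databricks_group_member" "uc_automation" {
  provider  = databricks.account
  group_id  = databricks_group.uc_automation_admins.id
  member_id = databricks_service_principal.uc_automation.id
}

# Explicit metastore-level grants: only what is needed to create storage
# credentials, external locations, catalogs and Delta Sharing objects.
# Schemas are created inside catalogs the SP owns, so no extra grant is needed.
# Workspace Admin is deliberately NOT granted to this identity.
resource "databricks_grants" "uc_automation_metastore" {
  provider  = databricks.workspace
  metastore = var.metastore_id

  grant {
    principal = databricks_group.uc_automation_admins.display_name
    privileges = [
      "CREATE_STORAGE_CREDENTIAL",
      "CREATE_EXTERNAL_LOCATION",
      "CREATE_CATALOG",
      "CREATE_SHARE",
      "CREATE_RECIPIENT",
    ]
  }
}
```

Two points to check before applying this. First, `databricks_grants` is authoritative for the object it targets: the `grant` blocks above replace any existing metastore-level grants, so include every principal that should keep privileges on the metastore. Second, creating the metastore itself and assigning workspaces to it is out of scope here, as the answer notes; that step needs an Account Admin identity, and the service principal must also be assigned to the workspace before the workspace-level provider can act as it.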