❓ Question:
I have a role called dev-dataengineer with the following privileges on the catalog dap_catalog_dev:
APPLY TAG
CREATE FUNCTION
CREATE MATERIALIZED VIEW
CREATE TABLE
CREATE VOLUME
EXECUTE
READ VOLUME
REFRESH
SELECT
USE SCHEMA
WRITE VOLUME
Despite this, users are still able to delete/drop tables within dap_catalog_dev.
❓Question:
Why are users still able to delete tables, and how can I restrict this behavior so that table deletion is not allowed?
I want to ensure that users can read and create tables if needed, but not delete them
✅ Answer:
Great question — and one that's crucial for data governance and table protection in shared environments!
🚫 Why Users Can Still Delete Tables
CREATE TABLE on a catalog allows users to create AND drop their own tables, unless further restricted.
🔐 How to Prevent Table Deletion
To prevent accidental or unauthorized table deletion:
Avoid granting DROP, MODIFY, or ALL PRIVILEGES at the catalog or schema level.
Grant CREATE TABLE only at the schema level, not the catalog level — this scopes table creation to specific areas.
Restrict OWNERSHIP transfer, as object owners can drop their own tables regardless of other permissions.
Review and manage privileges regularly using SHOW GRANTS.
Fix - That worked for me and eventually for all
Audit all roles (not just dev-dataengineer) and users for:
DROP, MODIFY, or ALL PRIVILEGES
CREATE TABLE permissions granted at higher scopes (e.g., catalog)
You can run something like:
SHOW GRANTS ON SCHEMA dap_catalog_dev;
SHOW GRANTS ON CATALOG dap_catalog_dev;
Databricks Solution Architect
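A worked grant layout that follows the answer above, added here as an illustration and not part of the original answer. It assumes a schema named dap_catalog_dev.bronze, a table dap_catalog_dev.bronze.events, an engineering group named dev-dataengineer and an admin group named data-platform-admins; all of these names are assumptions.

```sql
-- Constructed example: names of the schema, table and groups are assumptions.

-- 1. Remove any broad catalog-level grant that could carry drop rights.
REVOKE ALL PRIVILEGES ON CATALOG dap_catalog_dev FROM `dev-dataengineer`;

-- 2. Catalog level: navigation and read only, no object creation here.
GRANT USE CATALOG ON CATALOG dap_catalog_dev TO `dev-dataengineer`;
GRANT USE SCHEMA, SELECT ON CATALOG dap_catalog_dev TO `dev-dataengineer`;

-- 3. Schema level: scope CREATE TABLE to one schema instead of the whole catalog.
GRANT CREATE TABLE ON SCHEMA dap_catalog_dev.bronze TO `dev-dataengineer`;

-- 4. The creator of a table becomes its owner, and owners can drop it.
--    Move ownership of newly created tables to the admin group so the
--    creating engineer keeps SELECT but loses the ability to drop.
ALTER TABLE dap_catalog_dev.bronze.events OWNER TO `data-platform-admins`;

-- 5. Verify at each scope: only the intended privileges should be listed.
SHOW GRANTS ON CATALOG dap_catalog_dev;
SHOW GRANTS ON SCHEMA dap_catalog_dev.bronze;
SHOW GRANTS ON TABLE dap_catalog_dev.bronze.events;
```

Step 4 has to run after each table is created (for example from a scheduled job), since ownership is assigned at creation time.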