cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Community Articles
Dive into a collaborative space where members like YOU can exchange knowledge, tips, and best practices. Join the conversation today and unlock a wealth of collective wisdom to enhance your experience and drive success.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

🔐 How Do I Prevent Users from Accidentally Deleting Tables in Unity Catalog? 🔐

CURIOUS_DE
Contributor III

‎06-10-2025 09:14 PM

Question:

I have a role called dev-dataengineer with the following privileges on the catalog dap_catalog_dev:

  • APPLY TAG

  • CREATE FUNCTION

  • CREATE MATERIALIZED VIEW

  • CREATE TABLE

  • CREATE VOLUME

  • EXECUTE

  • READ VOLUME

  • REFRESH

  • SELECT

  • USE SCHEMA

  • WRITE VOLUME

Despite this, users are still able to delete/drop tables within dap_catalog_dev.

Question:

Why are users still able to delete tables, and how can I restrict this behavior so that table deletion is not allowed?

I want to ensure that users can read and create tables if needed, but not delete them

Answer:

Great question — and one that's crucial for data governance and table protection in shared environments!

🚫 Why Users Can Still Delete Tables

CREATE TABLE on a catalog allows users to create AND drop their own tables, unless further restricted.

🔐 How to Prevent Table Deletion

To prevent accidental or unauthorized table deletion:

  1. Avoid granting DROP, MODIFY, or ALL PRIVILEGES at the catalog or schema level.

  2. Grant CREATE TABLE only at the schema level, not the catalog level — this scopes table creation to specific areas.

  3. Restrict OWNERSHIP transfer, as object owners can drop their own tables regardless of other permissions.

  4. Review and manage privileges regularly using SHOW GRANTS.

Fix - That Worked for mea nd eventually for all

Audit all roles (not just dev-dataengineer) and users for:

  • DROP, MODIFY, or ALL PRIVILEGES

  • CREATE TABLE permissions granted at higher scopes (e.g., catalog)

You can run something like:

SHOW GRANTS ON SCHEMA dap_catalog_dev;
SHOW GRANTS ON CATALOG dap_catalog_dev;

 

Databricks Solution Architect
2 REPLIES 2

Advika
Databricks Employee
Databricks Employee

‎06-13-2025 02:30 AM

Thanks for breaking it down so clearly, @CURIOUS_DE! That’s such a subtle detail. Many overlook it, but it's important to be aware of it.

nayan_wylde
Honored Contributor

‎07-01-2025 12:23 PM

Managing assets in UC is always a overhead maintenance. We have this access controls in terraform codes and it is always hard to see what level of access is given to different personas in the org. We are building an audit dashboard for it.

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements