cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

How do I grant access to find a table in Databricks, without giving access to query the table?

Go to solution
excavator-matt
Contributor

2 weeks ago

Hi!

By default it seems users can only see tables and views in Unity Catalog that they have SELECT permission/privilege on. However, we would like to use Unity Catalog as a data catalog of tables we have. They wouldn't then be able to request access to query.

How can I grant users permissions to see the table/view without granting them access to query the table/view?

We have tried all combinations of privileges, but nothing seems to work. There is a feature for requesting access, but when would that ever be used if they can't see objects they do not already have access to?

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
iyashk-DB
Databricks Employee
Databricks Employee

a week ago

@excavator-matt you can grant BROWSE privilege on your catalog to a broad audience (for example, the โ€œAll account usersโ€ group). This lets users see object metadata (names, comments, lineage, search results, information_schema, etc.) in Catalog Explorer and search without being able to read data. They do not need USE CATALOG or USE SCHEMA to read metadata when they have BROWSE on the catalog.

View solution in original post

3 REPLIES 3

Go to solution
iyashk-DB
Databricks Employee
Databricks Employee

a week ago

@excavator-matt you can grant BROWSE privilege on your catalog to a broad audience (for example, the โ€œAll account usersโ€ group). This lets users see object metadata (names, comments, lineage, search results, information_schema, etc.) in Catalog Explorer and search without being able to read data. They do not need USE CATALOG or USE SCHEMA to read metadata when they have BROWSE on the catalog.

Go to solution
excavator-matt
Contributor

a week ago

Nice! I had completely missed that catalog level privilege. Are there any plans to extend this to a schema level? I want to protect the users from being cluttered with staging stables from other teams. I could of course also introduce more catalogs, but this also seems excessive.

0 Kudos

Go to solution
Shivam7788775
New Contributor III

Saturday

@excavator-matt to make tables and views discoverable without exposing their data, you should use the BROWSE privilege at the catalog level.

Granting BROWSE on a catalog (for example to the All-account users' group) allows users to view metadata across multiple surfacesโ€”not just Catalog Explorerโ€”including the schema browser, search results, lineage graph, information schema, and REST APIs. This does not allow them to query or read the underlying data.

An important detail is that BROWSE works independently of USE CATALOG and USE SCHEMA. As long as a user has BROWSE on the catalog, they can see metadata even if those other privileges are not granted.

This is the intended mechanism in Unity Catalog for object discovery while keeping data access tightly controlled.

Shivam Kumar
Senior Software Engineer
Big Data & EDW
0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local communityโ€”sign up today to get started!

Sign Up Now
Announcements