Data Governance

Privileges for SHOW GROUPS WITH USER '***@***'

Cami
Contributor III

Hello Bricksters,

I am looking for a way to give a grant to a developer to be able to execute SHOW GROUPS WITH USER '***@***' without admin permission on UC.

Could you give any tips to do it? 

The UC admin is able to see the query result, but the developer is not.

2 REPLIES

Kaniz
Community Manager

Hi @Cami, To grant a developer the ability to execute the SHOW GROUPS WITH USER '***@***' query without requiring admin permissions on Azure Databricks, you can follow these steps:

  1. Unity Catalog Privileges:

  2. Metastore Admin Privileges:

    • The metastore admin is a highly privileged user or group in Unity Catalog.
    • Metastore admins have certain default privileges on the metastore, including the ability to create catalogs and connections to external databases.
    • However, you can customize these privileges to suit your requirements.
    • To grant the developer the necessary permissions, consider the following options:
  3. Specific Privilege for SHOW GROUPS WITH USER:

    • Unfortunately, there isn’t a direct privilege specifically for the SHOW GROUPS WITH USER command.
    • However, you can create a custom role or modify an existing one to grant the necessary permissions.
    • Here’s a high-level approach:
      • Create a custom role (e.g., “DeveloperRole”) with the required privileges.
      • Assign this role to the developer.
      • Ensure that the role includes the necessary permissions for querying group information.
      • Test the setup to ensure that the developer can execute the query without admin permissions.
      • Remember to restrict other unnecessary privileges to maintain security.
  4. Testing and Monitoring:

    • After granting the necessary privileges, test the setup thoroughly.
    • Verify that the developer can execute the SHOW GROUPS WITH USER '***@***' query successfully.
    • Monitor any additional queries executed by the developer to ensure compliance with security policies.

Remember to strike a balance between granting sufficient permissions for the developer’s tasks and maintaining security.

Cami
Contributor III

Thank you for your comprehensive answer.

I assume from what you have written that this cannot be done without admin permissions on the metastore.

So is there any other way to check who is in which group?