
Privileges for SHOW GROUPS WITH USER '***@***'

Cami
Contributor III

Hello Briksters, 

I am looking for a way to grant a developer the ability to execute SHOW GROUPS WITH USER '***@***' without admin permission on UC.

Could you give any tips to do it? 

The UC Admin is able to see the query result, but the developer is not.


Kaniz
Community Manager

Hi @Cami, To grant a developer the ability to execute the SHOW GROUPS WITH USER '***@***' query without requiring admin permissions on Azure Databricks, you can follow these steps:

  1. Unity Catalog Privileges:

  2. Metastore Admin Privileges:

    • The metastore admin is a highly privileged user or group in Unity Catalog.
    • Metastore admins have certain default privileges on the metastore, including the ability to create catalogs and connections to external databases.
    • However, you can customize these privileges to suit your requirements.
    • To grant the developer the necessary permissions, consider the following options:
  3. Specific Privilege for SHOW GROUPS WITH USER:

    • Unfortunately, there isn't a direct privilege specifically for the SHOW GROUPS WITH USER command.
    • However, you can create a custom role or modify an existing one to grant the necessary permissions.
    • Here's a high-level approach:
      • Create a custom role (e.g., "DeveloperRole") with the required privileges.
      • Assign this role to the developer.
      • Ensure that the role includes the necessary permissions for querying group information.
      • Test the setup to ensure that the developer can execute the query without admin permissions.
      • Remember to restrict other unnecessary privileges to maintain security.
  4. Testing and Monitoring:

    • After granting the necessary privileges, test the setup thoroughly.
    • Verify that the developer can execute the SHOW GROUPS WITH USER '***@***' query successfully.
    • Monitor any additional queries executed by the developer to ensure compliance with security policies.

Remember to strike a balance between granting sufficient permissions for the developer's tasks and maintaining security.

Cami
Contributor III

Thank you for your comprehensive answer.

I assume from what you have written that this cannot be done without admin permissions on the metastore.

So is there any other way to check who is in which group?
