Databricks Community

Cami · ‎03-28-2024

Hello Briksters,

i am looking for a giving a grand to developer being able execute with SHOW GROUPS WITH USER '***@***' without admin permission on UC.

Could you give any tips to do it?

UC Admin is able to see result query, but developer is not.

Cami · ‎04-09-2024

Thank you for your comprehensive answer.

I assume from what you have written that this cannot be done without admin permissions on the metastore.

So is there any other way to check who is in which group?

jonasmw94kv · ‎10-07-2024

We are also interested in a way of getting privileges of a group. I think the role Browse should make the privileges visible?

MoJaMa · ‎10-20-2024

The permission model is designed such that you cannot see any Grants but that of yourself and/or of objects you own.

Scenario A: I am a "vanilla" user who is allowed to create a table in a schema. When I do SHOW GRANTS for my user ID, I'll see all the grants that "I" have (ie, objects I created + other grants I may have been given by other creators)

Scenario B: I'm a Schema Owner and execute SHOW GRANTS on SCHEMA "my-schema-name", I'll see all the grants "anyone" has on my Schema. (Similar for Catalog Owner).

This is why a Metastore Admin sees all GRANTS.