
Unity Catalog Metastore Ownership best practices

DouglasMoore
Databricks Employee

Ownership of the Unity Catalog (UC) Metastore gives you permission to grant permissions to the metastore (e.g. Create Catalog). Large organizations take one of three approaches to UC Metastore ownership (Service Principal, Global Data Admin group or No owner). Before we explore the options: these days, the best practice for large organizations with the UC Metastore is to not use a default storage account, but to use storage accounts (buckets) with each catalog. Now on to the three options for sharing ownership of the UC metastore:

1. The UC Metastore is owned by a service principal and all configuration is performed using automation (Terraform). The strength of automation is the full set of controls, review and workflow that are available.

DouglasMoore_2-1726493355536.png

 


2. The UC Metastore is owned by a group of global data admin people, all with equal access and responsibility.

DouglasMoore_1-1726493307002.png

With this, create a group and add your global data admins (they need not be day-to-day data permission admins).

 


3. The UC Metastore is owned by no one; this is suitable for a distributed governance model where no group of admins is to be put above another group.

Below, we show setting the UC Metastore owner to no owner, recommended for a distributed data governance model:

DouglasMoore_0-1726493057063.png


Final Note: An important part of Metastore management strategy is delegating permissions. As a UC Metastore owner, you can give permissions to a group (recommended), individual or service principal. In this example, we've defined a business unit one data admin group and given them permissions to manage storage credentials, external locations, the ability to create catalogs and a few other permissions.

DouglasMoore_3-1726493872334.png

This information may be important when it comes to Enabling System Schemas and other tasks.

Sharing can be challenging at times. Do not split the metastore, as in the future you will come to regret this decision. With the options listed above, you should be able to proceed with a great deal of confidence in making the right decision.
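A Terraform sketch of option 1 combined with the delegation described in the final note, added here as an illustration and not taken from the original post or from Databricks: the metastore is owned by an automation service principal, and a business unit admin group receives metastore-level create privileges. The variable names and the group name `bu1-data-admins` are assumptions; the Databricks provider is assumed to be configured elsewhere.

```hcl
# Added example: all variable names and the default group name are placeholders.
terraform {
  required_providers {
    databricks = { source = "databricks/databricks" }
  }
}

variable "metastore_name" { type = string }
variable "region" { type = string }

# Application ID of the service principal that runs the Terraform pipeline.
variable "automation_sp_application_id" { type = string }

# Account-level group for business unit one data admins (constructed name).
variable "bu1_admin_group" {
  type    = string
  default = "bu1-data-admins"
}

resource "databricks_metastore" "this" {
  name   = var.metastore_name
  region = var.region

  # Option 1: ownership sits with the automation identity, not a person.
  owner = var.automation_sp_application_id

  # No storage_root is set: there is no default metastore storage,
  # so each catalog must bring its own storage location.
}

# Delegate to the group instead of sharing metastore ownership.
resource "databricks_grants" "metastore" {
  metastore = databricks_metastore.this.id

  grant {
    principal = var.bu1_admin_group
    privileges = [
      "CREATE_CATALOG",
      "CREATE_EXTERNAL_LOCATION",
      "CREATE_STORAGE_CREDENTIAL",
    ]
  }
}
```

`databricks_grants` is authoritative for the securable it manages, so metastore grants made by hand outside Terraform are removed on the next apply. That keeps every metastore-level privilege change inside the reviewed pipeline.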

 

1 REPLY

Rafael-Sousa
Contributor

Thanks for sharing

Rafael Sousa
