02-14-2026 02:54 PM
How is Unity Catalog managed in real time at an enterprise scale, including workspace-level restrictions, privilege-based ACLs, row- and column-level security, ABAC, and tag-driven governance, and which languages or tools are used to manage the entire data governance lifecycle?
Labels: Delta Sharing, Unity Catalog
02-15-2026 09:00 AM
Hi @APJESK ,
The most common approach I've seen in enterprises is to use Terraform to govern Unity Catalog. Below you can find a good series of articles that introduce this concept:
https://pl.seequality.net/terra-dbx-p1/
The Databricks Terraform provider is regularly updated, so you can use it to automate even newly added features in UC like ABAC:
03-11-2026 12:49 AM
At an enterprise scale, Unity Catalog is centrally managed using a hub-and-spoke model where catalogs are isolated via workspace bindings to restrict specific data to designated environments.
Security is enforced through strict privilege-based Access Control Lists (ACLs) applied to hierarchical objects (Metastore, catalog, schema, table) using standard GRANT and REVOKE controls.
Fine-grained access, such as row-level filtering and column-level masking, is implemented dynamically using SQL functions evaluated against the querying user's identity.
Attribute-Based Access Control (ABAC) and tag-driven governance are handled by assigning metadata tags to data assets, allowing access policies or discovery to be automated based on data classification.
The entire data governance lifecycle is predominantly managed using Terraform (Infrastructure as Code) for automation, alongside SQL, Python (Databricks SDK), and Databricks REST APIs.
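Added example, not part of any reply in this thread: the controls listed in the post above (hierarchical grants, a row filter, a column mask, and classification tags) expressed as Unity Catalog SQL, followed by a check for tagged columns that have no mask. The catalog `finance`, schema `hr`, table `employees`, its columns, the tag key `pii`, and the group names are all hypothetical; the `information_schema` column names in the last query are given from memory and should be confirmed in your workspace.

```sql
-- Hypothetical objects: finance.hr.employees(region STRING, national_id STRING, ...)
-- Hypothetical account groups: hr_analysts, hr_admins, pii_readers

-- 1. Privilege-based ACLs follow the hierarchy: SELECT on the table is only
--    usable if the principal also holds USE CATALOG and USE SCHEMA on its parents.
GRANT USE CATALOG ON CATALOG finance TO `hr_analysts`;
GRANT USE SCHEMA  ON SCHEMA  finance.hr TO `hr_analysts`;
GRANT SELECT      ON TABLE   finance.hr.employees TO `hr_analysts`;

-- 2. Row-level security: a boolean SQL function evaluated per row against the
--    querying user's group membership. Rows where it returns FALSE are hidden.
CREATE OR REPLACE FUNCTION finance.hr.region_filter(region STRING)
RETURN is_account_group_member('hr_admins') OR region = 'EMEA';

ALTER TABLE finance.hr.employees
  SET ROW FILTER finance.hr.region_filter ON (region);

-- 3. Column-level security: the mask function replaces the column value at
--    query time for anyone outside the privileged group.
CREATE OR REPLACE FUNCTION finance.hr.mask_national_id(national_id STRING)
RETURN CASE WHEN is_account_group_member('pii_readers') THEN national_id
            ELSE 'REDACTED' END;

ALTER TABLE finance.hr.employees
  ALTER COLUMN national_id SET MASK finance.hr.mask_national_id;

-- 4. Tag-driven governance: classify the table and the sensitive column so
--    policies and discovery can key off the tags.
ALTER TABLE finance.hr.employees SET TAGS ('classification' = 'confidential');
ALTER TABLE finance.hr.employees
  ALTER COLUMN national_id SET TAGS ('pii' = 'national_id');

-- 5. Review: list effective grants on the table.
SHOW GRANTS ON TABLE finance.hr.employees;

-- 6. Governance check: columns tagged `pii` that have no column mask applied.
SELECT t.catalog_name, t.schema_name, t.table_name, t.column_name, t.tag_value
FROM system.information_schema.column_tags AS t
LEFT JOIN system.information_schema.column_masks AS m
  ON  m.table_catalog = t.catalog_name
  AND m.table_schema  = t.schema_name
  AND m.table_name    = t.table_name
  AND m.column_name   = t.column_name
WHERE t.tag_name = 'pii'
  AND m.mask_name IS NULL;
```

Workspace bindings are not set through SQL; they are configured through the UI, REST API, or Terraform, which is why the thread points to Terraform for the full lifecycle.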
04-04-2026 02:10 PM
Thank you... Which roles (workspace admin or metastore admin) are recommended to securely create and manage Unity Catalog objects (Storage Credentials, External Locations, Catalogs, Schemas, and Delta Sharing), and why?