Generative AI
Explore discussions on generative artificial intelligence techniques and applications within the Databricks Community. Share ideas, challenges, and breakthroughs in this cutting-edge field.

Failed to fetch tables for the space when using Genie MCP via Model Serving

ilaria
Databricks Partner

Hello everyone,

I'm experiencing a specific permissions issue when using an AI agent that queries a Genie space via MCP (Model Context Protocol) within a Model Serving endpoint.
I developed an AI agent to query a Genie space to retrieve retail sales data for predictions. I own the catalog, schema, and Genie space.

When interacting with the agent via the Review app (Model Serving), any query that triggers a call to the Genie tool fails with the following error:
PERMISSION_DENIED: Unable to retrieve tables for the space. Please resolve these errors to continue: No access to the table 'fashion_retail.ppl_schema.silver_transactions'. Code: 42.

What is the best practice for granting Unity Catalog permissions (USE CATALOG, USE SCHEMA, SELECT) to a system identity created from a Model Serving endpoint?

Any suggestions on how to properly configure the authorization chain between Model Serving -> MCP -> Genie -> Unity Catalog would be greatly appreciated.

Thanks in advance!

1 REPLY

Ashwin_DSA
Databricks Employee

Hi @ilaria,

When you call a Genie space via MCP from a Model Serving endpoint, the queries against the table you have mentioned (fashion_retail.ppl_schema.silver_transactions) don't run as you (the workspace user who owns the catalog/schema/space), but as the system identity/service principal associated with that serving endpoint. That identity must have its own Unity Catalog permissions.

Here are some steps you can try...

Check Genie space + app/endpoint permissions

Make sure the endpoint's identity has at least CAN RUN on the Genie space, not just you as a user. The Genie app/docs spell this out and also highlight that the app's service principal needs UC privileges on the underlying tables.

Grant Unity Catalog privileges to the serving identity

In addition to space-level permissions, the Model Serving system identity (or associated service principal) must have at least:

  • GRANT USE CATALOG ON CATALOG fashion_retail TO `<endpoint-sp-or-group>`;
  • GRANT USE SCHEMA ON SCHEMA fashion_retail.ppl_schema TO `<endpoint-sp-or-group>`;
  • GRANT SELECT ON TABLE fashion_retail.ppl_schema.silver_transactions TO `<endpoint-sp-or-group>`;
Replace <endpoint-sp-or-group> with the actual principal that backs your Model Serving endpoint (often shown in the endpoint config or via your admin/team).
 
If the above steps don't resolve, test access using the same principal that backs the serving endpoint (for example, via a job or test notebook impersonating that SP). If a simple SELECT * FROM fashion_retail.ppl_schema.silver_transactions LIMIT 1 fails there with the same error, you've confirmed it's purely a UC permissions issue.
 
If this answer resolves your question, could you mark it as "Accept as Solution"? That helps other users quickly find the correct fix.
Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***
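The grant-and-verify sequence the reply describes, written out as an added example that is not part of the original thread. It assumes the endpoint is backed by a service principal whose application ID is the placeholder `11111111-2222-3333-4444-555555555555`; in Unity Catalog GRANT statements a service principal is named by its application ID, not its display name. Steps 1 to 3 run as the catalog owner (the original poster), step 4 runs while authenticated as the service principal.

```sql
-- Added example (not from the thread). Placeholder SP application ID:
--   11111111-2222-3333-4444-555555555555
-- Run steps 1-3 as the owner of catalog fashion_retail.

-- 1. Confirm the identity you are granting from and that it owns the catalog.
SELECT current_user();
DESCRIBE CATALOG EXTENDED fashion_retail;   -- check the Owner row

-- 2. The three privileges named in the reply, scoped to the one table Genie needs.
--    USE CATALOG and USE SCHEMA are traversal rights only; SELECT is the data right.
GRANT USE CATALOG ON CATALOG fashion_retail
  TO `11111111-2222-3333-4444-555555555555`;
GRANT USE SCHEMA ON SCHEMA fashion_retail.ppl_schema
  TO `11111111-2222-3333-4444-555555555555`;
GRANT SELECT ON TABLE fashion_retail.ppl_schema.silver_transactions
  TO `11111111-2222-3333-4444-555555555555`;

-- Avoid the catalog-wide shortcut: it lets the endpoint read every table in the
-- catalog, so anything that can steer the agent's queries can read all of it.
-- GRANT SELECT ON CATALOG fashion_retail TO `11111111-2222-3333-4444-555555555555`;

-- 3. Verify the effective grants at each level of the hierarchy.
SHOW GRANTS `11111111-2222-3333-4444-555555555555` ON CATALOG fashion_retail;
SHOW GRANTS `11111111-2222-3333-4444-555555555555` ON SCHEMA fashion_retail.ppl_schema;
SHOW GRANTS `11111111-2222-3333-4444-555555555555` ON TABLE fashion_retail.ppl_schema.silver_transactions;

-- 4. The reproducer from the reply, run as the service principal (notebook or job
--    executing as that SP). If this succeeds but Genie still returns
--    PERMISSION_DENIED, the gap is the Genie space permission (CAN RUN), not UC.
SELECT current_user();   -- expect the application ID, not your user name
SELECT * FROM fashion_retail.ppl_schema.silver_transactions LIMIT 1;

-- 5. Revoke when the endpoint is retired so the standing grant does not outlive it.
-- REVOKE SELECT ON TABLE fashion_retail.ppl_schema.silver_transactions
--   FROM `11111111-2222-3333-4444-555555555555`;
```

The SHOW GRANTS checks in step 3 are worth keeping as a runbook item: the error in the original post names only the table, but SELECT on the table is useless without USE CATALOG and USE SCHEMA above it, and a grant missing at any one level produces the same failure.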