cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
Machine Learning
Dive into the world of machine learning on the Databricks platform. Explore discussions on algorithms, model training, deployment, and more. Connect with ML enthusiasts and experts.
cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Inheritance model in Unity Catalog is not working as per documentation.

Ela
New Contributor III

As per the documentation "Securable objects in Unity Catalog are hierarchical and privileges are inherited downward. The highest level object that privileges are inherited from is the catalog". Executed following statement "GRANT SELECT ON CATALOG uctest TO `user@***.com`;" expectation is the user should be able to access all the schema's inside the catalog "UCTest" but it getting exception "Error in SQL statement: AnalysisException: User does not have USE SCHEMA on Schema 'uctest.default'.

https://docs.databricks.com/data-governance/unity-catalog/manage-privileges/privileges.html#inherita...

Note : Privilege Model Version 1.0 is used.

"

1 ACCEPTED SOLUTION

Accepted Solutions

Hubert-Dudek
Esteemed Contributor III

GRANT USE_CATALOG ON CATALOG demo_catalog TO `user@***.com` ;

GRANT USE_SCHEMA ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

GRANT SELECT ON CATALOG demo_catalogTO `user@***.com` ;

GRANT SELECT ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

View solution in original post

8 REPLIES 8

Hubert-Dudek
Esteemed Contributor III

Users need to have USAGE rights to be able to do anything. So you need to GRANT usage on the catalog and on the schema.

Debayan
Databricks Employee
Databricks Employee

Hi, Both permissions have to be granted.

Ela
New Contributor III

Hello Debayan,

Thanks for your response. Do you mean both Usage & Select permissions to be granted at both catalog & schema levels? I was referring to this in data bricks documentation which states that granting permission at catalog or schema grants access to all current & future child objects. Is my understanding not correct?image

Jfoxyyc
Valued Contributor

Your understanding is correct. Applying grant select and grant usage at the catalog level should grant said permissions on all current and future schemas and tables in said catalog.

ā€‹

Usage essentially adds user_can_see_this.

Hubert-Dudek
Esteemed Contributor III

Here are a few screens which will help you. Usage is for traverse catalog. Select is on tables.image.pngimage.pngimage.png

Ela
New Contributor III

Hello Hubert & Jfoxyyc,

For granting user permission to a table I am using following 3 grants statements

grant usage on catalog demo_catalog to `user@***.com`

grant usage on schema demo_catalog.demo_schema to `user@***.com`

grant select on table demo_catalog.demo_schema.demo_table to `user@***.com`

Is there a way to grant this permission with single grant statement? Thanks in advance.

Hubert-Dudek
Esteemed Contributor III

GRANT USE_CATALOG ON CATALOG demo_catalog TO `user@***.com` ;

GRANT USE_SCHEMA ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

GRANT SELECT ON CATALOG demo_catalogTO `user@***.com` ;

GRANT SELECT ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

Jfoxyyc
Valued Contributor

The schema grants are redundant, I just tested and confirmed. Due to inheritance, adding anything at catalog shows the same permission at schema. It even shows a hint on the Grant page in Unity:

Granted privileges will be inherited by applicable objects (e.g. schemas, tables) in this catalog. Learn more

GRANT USE_CATALOG ON CATALOG dev to `user@userdomain.com`;

GRANT USE_SCHEMA ON CATALOG dev to ``user@userdomain.com`; 

GRANT SELECT ON CATALOG dev to ``user@userdomain.com`;

Catalog

image 

Schema

image

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonā€™t want to miss the chance to attend and share knowledge.

If there isnā€™t a group near you, start one and help create a community that brings people together.

Request a New Group