cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Machine Learning
Dive into the world of machine learning on the Databricks platform. Explore discussions on algorithms, model training, deployment, and more. Connect with ML enthusiasts and experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Inheritance model in Unity Catalog is not working as per documentation.

Go to solution
Ela
New Contributor III

โ€Ž01-05-2023 09:55 AM

As per the documentation "Securable objects in Unity Catalog are hierarchical and privileges are inherited downward. The highest level object that privileges are inherited from is the catalog". Executed following statement "GRANT SELECT ON CATALOG uctest TO `user@***.com`;" expectation is the user should be able to access all the schema's inside the catalog "UCTest" but it getting exception "Error in SQL statement: AnalysisException: User does not have USE SCHEMA on Schema 'uctest.default'.

https://docs.databricks.com/data-governance/unity-catalog/manage-privileges/privileges.html#inherita...

Note : Privilege Model Version 1.0 is used.

"

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Hubert-Dudek
Esteemed Contributor III
In response to Ela

โ€Ž01-06-2023 05:42 AM

GRANT USE_CATALOG ON CATALOG demo_catalog TO `user@***.com` ;

GRANT USE_SCHEMA ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

GRANT SELECT ON CATALOG demo_catalogTO `user@***.com` ;

GRANT SELECT ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

View solution in original post

0 Kudos
8 REPLIES 8

Go to solution
Hubert-Dudek
Esteemed Contributor III

โ€Ž01-05-2023 10:09 AM

Users need to have USAGE rights to be able to do anything. So you need to GRANT usage on the catalog and on the schema.

0 Kudos

Go to solution
Debayan
Databricks Employee
Databricks Employee

โ€Ž01-05-2023 10:19 AM

Hi, Both permissions have to be granted.

0 Kudos

Go to solution
Ela
New Contributor III
In response to Debayan

โ€Ž01-05-2023 08:20 PM

Hello Debayan,

Thanks for your response. Do you mean both Usage & Select permissions to be granted at both catalog & schema levels? I was referring to this in data bricks documentation which states that granting permission at catalog or schema grants access to all current & future child objects. Is my understanding not correct?image

Preview file
46 KB
0 Kudos

Go to solution
Jfoxyyc
Valued Contributor
In response to Ela

โ€Ž01-05-2023 10:02 PM

Your understanding is correct. Applying grant select and grant usage at the catalog level should grant said permissions on all current and future schemas and tables in said catalog.

โ€‹

Usage essentially adds user_can_see_this.

0 Kudos

Go to solution
Hubert-Dudek
Esteemed Contributor III
In response to Ela

โ€Ž01-06-2023 01:18 AM

Here are a few screens which will help you. Usage is for traverse catalog. Select is on tables.image.pngimage.pngimage.png

Preview file
147 KB
Preview file
185 KB
Preview file
185 KB
0 Kudos

Go to solution
Ela
New Contributor III
In response to Ela

โ€Ž01-06-2023 05:27 AM

Hello Hubert & Jfoxyyc,

For granting user permission to a table I am using following 3 grants statements

grant usage on catalog demo_catalog to `user@***.com`

grant usage on schema demo_catalog.demo_schema to `user@***.com`

grant select on table demo_catalog.demo_schema.demo_table to `user@***.com`

Is there a way to grant this permission with single grant statement? Thanks in advance.

0 Kudos

Go to solution
Hubert-Dudek
Esteemed Contributor III
In response to Ela

โ€Ž01-06-2023 05:42 AM

GRANT USE_CATALOG ON CATALOG demo_catalog TO `user@***.com` ;

GRANT USE_SCHEMA ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

GRANT SELECT ON CATALOG demo_catalogTO `user@***.com` ;

GRANT SELECT ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;

0 Kudos

Go to solution
Jfoxyyc
Valued Contributor
In response to Ela

โ€Ž01-06-2023 12:27 PM

The schema grants are redundant, I just tested and confirmed. Due to inheritance, adding anything at catalog shows the same permission at schema. It even shows a hint on the Grant page in Unity:

Granted privileges will be inherited by applicable objects (e.g. schemas, tables) in this catalog. Learn more

GRANT USE_CATALOG ON CATALOG dev to `user@userdomain.com`;

GRANT USE_SCHEMA ON CATALOG dev to ``user@userdomain.com`; 

GRANT SELECT ON CATALOG dev to ``user@userdomain.com`;

Catalog

image 

Schema

image

Preview file
10 KB
Preview file
7 KB
0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements