01-05-2023 09:55 AM
As per the documentation "Securable objects in Unity Catalog are hierarchical and privileges are inherited downward. The highest level object that privileges are inherited from is the catalog". Executed following statement "GRANT SELECT ON CATALOG uctest TO `user@***.com`;" expectation is the user should be able to access all the schema's inside the catalog "UCTest" but it getting exception "Error in SQL statement: AnalysisException: User does not have USE SCHEMA on Schema 'uctest.default'.
Note : Privilege Model Version 1.0 is used.
"
01-06-2023 05:42 AM
GRANT USE_CATALOG ON CATALOG demo_catalog TO `user@***.com` ;
GRANT USE_SCHEMA ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;
GRANT SELECT ON CATALOG demo_catalogTO `user@***.com` ;
GRANT SELECT ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;
01-05-2023 10:09 AM
Users need to have USAGE rights to be able to do anything. So you need to GRANT usage on the catalog and on the schema.
01-05-2023 10:19 AM
Hi, Both permissions have to be granted.
01-05-2023 08:20 PM
Hello Debayan,
Thanks for your response. Do you mean both Usage & Select permissions to be granted at both catalog & schema levels? I was referring to this in data bricks documentation which states that granting permission at catalog or schema grants access to all current & future child objects. Is my understanding not correct?
01-05-2023 10:02 PM
Your understanding is correct. Applying grant select and grant usage at the catalog level should grant said permissions on all current and future schemas and tables in said catalog.
Usage essentially adds user_can_see_this.
01-06-2023 01:18 AM
01-06-2023 05:27 AM
Hello Hubert & Jfoxyyc,
For granting user permission to a table I am using following 3 grants statements
grant usage on catalog demo_catalog to `user@***.com`
grant usage on schema demo_catalog.demo_schema to `user@***.com`
grant select on table demo_catalog.demo_schema.demo_table to `user@***.com`
Is there a way to grant this permission with single grant statement? Thanks in advance.
01-06-2023 05:42 AM
GRANT USE_CATALOG ON CATALOG demo_catalog TO `user@***.com` ;
GRANT USE_SCHEMA ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;
GRANT SELECT ON CATALOG demo_catalogTO `user@***.com` ;
GRANT SELECT ON SCHEMA demo_catalog.demo_schema TO `user@***.com` ;
01-06-2023 12:27 PM
The schema grants are redundant, I just tested and confirmed. Due to inheritance, adding anything at catalog shows the same permission at schema. It even shows a hint on the Grant page in Unity:
Granted privileges will be inherited by applicable objects (e.g. schemas, tables) in this catalog. Learn more
GRANT USE_CATALOG ON CATALOG dev to `user@userdomain.com`;
GRANT USE_SCHEMA ON CATALOG dev to ``user@userdomain.com`;
GRANT SELECT ON CATALOG dev to ``user@userdomain.com`;
Catalog
 
Schema
 
					
				
				
			
		
 
					
				
				
			
		
Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!
Sign Up Now