Databricks Unity Catalog provides a powerful governance layer across all data assets in your lakehouse. However, when working with Unity Catalog, one of the most common challenges users face is access errors, especially the USE CATALOG or USE SCHEMA permission issues.
In this blog post, we’ll walk through:
- Why these permissions are needed
- The hierarchy of access control in Unity Catalog
- How to grant access to users or roles β step-by-step
- A ready-to-use SQL script for bulk permission assignment
β οΈ The Common Error
When trying to access a table or explore data in the Catalog Explorer, you might run into an error like this:
You are missing required permissions
Requires permissionUSE_CATALOGon catalog'uc_edh_frwk_specs_u'
This means your user or role doesnβt have permission to even enter the catalog. Unity Catalog enforces strict access controls at every level β catalog β schema β object (tables, views).
𧱠Unity Catalog Access Hierarchy
Unity Catalog permissions follow a top-down structure:
- Catalog Level β Access to the catalog itself
- Permission:
USE CATALOG
- Permission:
- Schema Level β Access to schemas (databases) within the catalog
- Permission:
USE SCHEMA
- Permission:
- Object Level β Access to tables, views, and other database objects
- Permission:
SELECT,INSERT, etc.
- Permission:
Without access to the upper levels, the lower levels are unreachable β even if you have SELECT permission on a table, it wonβt work unless you also have USE CATALOG and USE SCHEMA.
β Step-by-Step: Granting Full Access
If youβre a data engineer, admin, or platform team member, use the following SQL script to grant all necessary access to a user or role:
-- Step 1: Grant access to the Catalog
GRANT USE CATALOG ON CATALOG uc_edh_frwk_specs_u TO `<user_or_role>`;
-- Step 2: Grant access to the Schema
GRANT USE SCHEMA ON SCHEMA uc_edh_frwk_specs_u.config_tb TO `<user_or_role>`;
-- Step 3: Grant SELECT access on all tables in the Schema
GRANT SELECT ON ALL TABLES IN SCHEMA uc_edh_frwk_specs_u.config_tb TO `<user_or_role>`;
π Replace <user_or_role> with the actual username or Databricks role name, such as data_engineer_role or jane.doe@databricks.com.
π οΈ Optional: Grant Access on Future Tables
If new tables are frequently created in a schema, consider granting access to future objects as well:
GRANT SELECT ON FUTURE TABLES IN SCHEMA uc_edh_frwk_specs_u.config_tb TO `<user_or_role>`;
This ensures the user or role will automatically have access to newly created tables in the same schema.
π§ͺ How to Check Your Roles and Permissions
To check what permissions you or a user already have, use:
SHOW GRANTS TO USER `<username>`;
To list all existing roles in your workspace:
SHOW ROLES;
π Best Practices
- Use roles instead of individual users for easier permission management.
- Avoid over-permissioning β grant only what’s necessary (e.g., read-only roles).
- Regularly audit access with
SHOW GRANTSto keep your security tight. - Use
FUTURE TABLESpermissions in dynamic environments to reduce maintenance.
π Conclusion
Understanding and managing access in Unity Catalog is essential for secure and efficient collaboration in Databricks. While the permission model is strict, it’s highly powerful and scalable when implemented correctly. Use the step-by-step commands above to grant access properly and avoid common permission errors.
π Resolving βUSE_CATALOGβ Permission Error in Databricks Unity Catalog
When working in Databricks with Unity Catalog enabled, you may encounter access issues if proper permissions arenβt granted at each level of the catalog hierarchy.
In this guide, weβll break down one of the most common errors:
β Real Error Message
When trying to access a table via Catalog Explorer or running a query, you may see this message:
You are missing required permissions
Requires permissionUSE_CATALOGon catalog'uc_abc'
And in SQL cell output (e.g. from a notebook):
[INSUFFICIENT_PERMISSIONS] Insufficient privileges:
User does not have USE CATALOG on Catalog 'uc_abc'. SQLSTATE: 42501
π§ What This Error Means
Databricks enforces access control at three levels through Unity Catalog:
| Level | Permission Needed | Purpose |
|---|---|---|
| Catalog | USE CATALOG | Grants access to the catalog itself |
| Schema | USE SCHEMA | Grants access to schemas (like a database) |
| Tables/Views | SELECT, INSERT, etc. | Grants access to data objects inside the schema |
If you’re missing even one of these permissions, you wonβt be able to explore or query anything under that catalog.
π οΈ Step-by-Step Fix: Grant All Required Permissions
To fully enable access for a user or role, youβll need to run three GRANT statements in sequence.
π§Ύ Full Script to Grant Access
-- 1. Grant access to the catalog
GRANT USE CATALOG ON CATALOG uc_abc TO `<user_or_role>`;
-- 2. Grant access to the schema inside the catalog
GRANT USE SCHEMA ON SCHEMA uc_abc .config_tb TO `<user_or_role>`;
-- 3. Grant SELECT permission on all current tables in that schema
GRANT SELECT ON ALL TABLES IN SCHEMA uc_abc .config_tb TO `<user_or_role>`;
π Replace <user_or_role> with the actual Databricks username or assigned role, like data_analyst_role or john.doe@databricks.com.
π Optional: Access to Future Tables
If your environment frequently adds new tables, use this to grant auto-access to future objects:
GRANT SELECT ON FUTURE TABLES IN SCHEMA uc_abc .config_tb TO `<user_or_role>`;
π How to View Roles and Grants
You can check what access a user or role currently has:
SHOW GRANTS TO USER `<username>`;
To list all roles in the system:
SHOW ROLES;
To see access on a specific object (e.g., a table):
SHOW GRANTS ON TABLE uc_abc.config_tb.audit_log;
β Best Practices
- Use roles for permission management rather than assigning user-by-user.
- Limit privileges based on the principle of least privilege.
- Always grant
USE CATALOGandUSE SCHEMAwhen giving table-level access. - Use
FUTURE TABLESgrant if schemas evolve frequently. - Document and audit access regularly with
SHOW GRANTS.
π Summary
| Task | Required SQL Command Example |
|---|---|
| Access to catalog | GRANT USE CATALOG ON CATALOG uc_name TO <role> |
| Access to schema | GRANT USE SCHEMA ON SCHEMA uc_name.schema_name TO <role> |
| Access to all tables in schema | GRANT SELECT ON ALL TABLES IN SCHEMA uc_name.schema_name TO <role> |
Leave a Reply