Quick role guide (what each should do)
| Persona | Typical actions | Where they work | UC privileges (high level) | Workspace entitlements |
|---|---|---|---|---|
| Admin / Data Steward | Govern data, manage grants, ownership, create catalogs/schemas | All | MANAGE, OWNERSHIP, USE CATALOG, USE SCHEMA, CREATE * | Workspace admin; can manage clusters/warehouses |
| Data Engineer | Ingest, transform, optimize | bronze + silver (+ some gold for build) | USE CATALOG/SCHEMA, CREATE TABLE/VIEW, SELECT, MODIFY | Can create/run jobs & clusters (or use job clusters) |
| Data Analyst / BI | Query, build dashboards | gold (read), maybe personal sandbox schema (write) | Gold: SELECT; Sandbox: CREATE VIEW/TABLE, MODIFY (only in sandbox) | SQL Warehouse access; no cluster create |
| ML Engineer / Data Scientist | Feature engineering, training, scoring | read silver/gold, write to feature/ml schema | SELECT on source; in ml/features: CREATE TABLE/VIEW, MODIFY | ML/Jobs access; experiment/model registry use |
| AL (Auto Loader) / Ingestion Service Principal | Append raw data + checkpoints | bronze only; read landing files | Bronze: USE CATALOG/SCHEMA, CREATE TABLE, MODIFY; Volumes/External locations: read landing, write checkpoints | Job-only principal; no interactive workspace use |
Starter groups (recommended)
Create account/workspace groups:uc_admins, data_engineers, data_analysts, ml_users, ingestion_sp (for the service principal).
Unity Catalog grants (copy-paste templates)
Replace
<CAT>,<SCHEMA>,<GROUP>with your names. Run once per catalog/schema. Use FUTURE grants so new tables inherit access automatically.
Admin / Steward
-- Catalog-level admin
GRANT USE CATALOG ON CATALOG <CAT> TO `uc_admins`;
GRANT MANAGE ON CATALOG <CAT> TO `uc_admins`;
-- Schemas
GRANT USE SCHEMA ON SCHEMA <CAT>.bronze TO `uc_admins`;
GRANT USE SCHEMA ON SCHEMA <CAT>.silver TO `uc_admins`;
GRANT USE SCHEMA ON SCHEMA <CAT>.gold TO `uc_admins`;
GRANT MANAGE ON SCHEMA <CAT>.bronze TO `uc_admins`;
GRANT MANAGE ON SCHEMA <CAT>.silver TO `uc_admins`;
GRANT MANAGE ON SCHEMA <CAT>.gold TO `uc_admins`;
Data Engineers (build bronze/silver, limited gold)
-- Browse containers
GRANT USE CATALOG ON CATALOG <CAT> TO `data_engineers`;
GRANT USE SCHEMA ON SCHEMA <CAT>.bronze TO `data_engineers`;
GRANT USE SCHEMA ON SCHEMA <CAT>.silver TO `data_engineers`;
-- Build & maintain tables/views, now and future
GRANT CREATE TABLE, CREATE VIEW ON SCHEMA <CAT>.bronze TO `data_engineers`;
GRANT CREATE TABLE, CREATE VIEW ON SCHEMA <CAT>.silver TO `data_engineers`;
GRANT SELECT, MODIFY ON ALL TABLES IN SCHEMA <CAT>.bronze TO `data_engineers`;
GRANT SELECT, MODIFY ON ALL TABLES IN SCHEMA <CAT>.silver TO `data_engineers`;
GRANT SELECT, MODIFY ON FUTURE TABLES IN SCHEMA <CAT>.bronze TO `data_engineers`;
GRANT SELECT, MODIFY ON FUTURE TABLES IN SCHEMA <CAT>.silver TO `data_engineers`;
Data Analysts (read curated gold only; optional personal sandbox)
-- Let analysts see and read curated data
GRANT USE CATALOG ON CATALOG <CAT> TO `data_analysts`;
GRANT USE SCHEMA ON SCHEMA <CAT>.gold TO `data_analysts`;
GRANT SELECT ON ALL TABLES IN SCHEMA <CAT>.gold TO `data_analysts`;
GRANT SELECT ON FUTURE TABLES IN SCHEMA <CAT>.gold TO `data_analysts`;
-- Optional: give each analyst a sandbox schema they own (outside gold)
-- CREATE SCHEMA <CAT>.sandbox_<user> OWNER `<user>`;
ML Engineers / Data Scientists
-- Read from silver/gold
GRANT USE CATALOG ON CATALOG <CAT> TO `ml_users`;
GRANT USE SCHEMA ON SCHEMA <CAT>.silver TO `ml_users`;
GRANT USE SCHEMA ON SCHEMA <CAT>.gold TO `ml_users`;
GRANT SELECT ON ALL TABLES IN SCHEMA <CAT>.silver TO `ml_users`;
GRANT SELECT ON FUTURE TABLES IN SCHEMA <CAT>.silver TO `ml_users`;
GRANT SELECT ON ALL TABLES IN SCHEMA <CAT>.gold TO `ml_users`;
GRANT SELECT ON FUTURE TABLES IN SCHEMA <CAT>.gold TO `ml_users`;
-- Write to a dedicated ML/features schema
GRANT USE SCHEMA ON SCHEMA <CAT>.ml TO `ml_users`;
GRANT CREATE TABLE, CREATE VIEW ON SCHEMA <CAT>.ml TO `ml_users`;
GRANT MODIFY ON ALL TABLES IN SCHEMA <CAT>.ml TO `ml_users`;
GRANT MODIFY ON FUTURE TABLES IN SCHEMA <CAT>.ml TO `ml_users`;
Auto Loader / Ingestion Service Principal (AL user)
-- Bronze build & append
GRANT USE CATALOG ON CATALOG <CAT> TO `ingestion_sp`;
GRANT USE SCHEMA ON SCHEMA <CAT>.bronze TO `ingestion_sp`;
GRANT CREATE TABLE ON SCHEMA <CAT>.bronze TO `ingestion_sp`;
GRANT MODIFY ON ALL TABLES IN SCHEMA <CAT>.bronze TO `ingestion_sp`;
GRANT MODIFY ON FUTURE TABLES IN SCHEMA <CAT>.bronze TO `ingestion_sp`;
-- If the job writes checkpoints/schemaLocation to a UC Volume:
-- GRANT READ VOLUME, WRITE VOLUME ON VOLUME <CAT>.<SCHEMA>.<VOLUME> TO `ingestion_sp`;
-- If reading raw files from an External Location (landing zone), give read rights on it.
-- (Exact privilege name can vary; grant read on the External Location/Storage Credential per your setup.)
To “hide” data from a persona: simply don’t grant
USE CATALOG/USE SCHEMAon that area (they won’t see objects inside).
Workspace/compute entitlements (quick)
- Admin: Workspace Admin, can manage clusters/warehouses.
- Data Engineers: “Allow cluster creation” (if you use interactive dev); else run via Jobs. Can use shared/single-user clusters appropriate for UC.
- Analysts: Databricks SQL access only; use governed SQL Warehouses; no cluster creation.
- ML Engineers: run Jobs, use ML runtimes; access to Model Registry/Experiments as your org requires.
- Ingestion SP: no UI; only Jobs permissions and access to the job’s compute.
Fine-grained controls (optional but powerful)
- Row filters / Column masks to enforce row-/column-level security in shared schemas.
- Dynamic views to expose curated slices to analysts while protecting PII.
- Lineage & audits via UC lineage + system tables.
Minimal “getting started” sequence
- Create groups in the account:
uc_admins,data_engineers,data_analysts,ml_users,ingestion_sp. - Apply the GRANT templates above for each catalog/schema.
- For Auto Loader jobs, also grant landing read (External Location) and checkpoint write (Volume/external path).
- Use FUTURE grants everywhere so new objects inherit access automatically.
Adhoc
SHOW GRANTS ON METASTORE
You’re listing metastore-level privileges. The row you see (account users→USE MARKETPLACE ASSETS) is a default grant that lets all account users browse Marketplace assets.GRANT CREATE CATALOG ON METASTORE TO \de_grp“
This gives the de_grp group permission to create new catalogs anywhere in this Unity Catalog metastore.
What that means (and what to do next)
Verify who can do what at the metastore
SHOW GRANTS ON METASTORE; -- current grants
SHOW GRANTS TO `de_grp`; -- everything de_grp has (any scope)
Create a catalog (now that de_grp has rights)
-- simplest (uses the metastore’s default storage)
CREATE CATALOG finance;
-- recommended: pin a managed storage location for the catalog
CREATE CATALOG finance
MANAGED LOCATION 'abfss://uc-managed@<storage>.dfs.core.windows.net/finance/';
-- hand off ownership (optional)
ALTER CATALOG finance OWNER TO `data_stewards`;
Lock down or roll back if needed
REVOKE CREATE CATALOG ON METASTORE FROM `de_grp`;
-- (Only a metastore admin or owner with MANAGE can do this.)
Good practices & cautions
- CREATE CATALOG is powerful. Give it only to a small steward/admin group; everyone else should work inside existing catalogs/schemas with
USE/SELECT/MODIFYgrants. - To “hide” data areas, don’t grant
USE CATALOG/USE SCHEMAon those containers; users won’t even see the objects inside. - After creating a catalog, set FUTURE grants on its schemas so new tables inherit access automatically:
GRANT USE CATALOG ON CATALOG finance TO `analysts_ro`, `data_engineers`; GRANT USE SCHEMA ON SCHEMA finance.silver TO `data_engineers`; GRANT SELECT, MODIFY ON FUTURE TABLES IN SCHEMA finance.silver TO `data_engineers`; GRANT USE SCHEMA ON SCHEMA finance.gold TO `analysts_ro`; GRANT SELECT ON FUTURE TABLES IN SCHEMA finance.gold TO `analysts_ro`;
Category: