Introduction
The TestUC1005 – Not Authorized for Action error in Databricks Unity Catalog indicates that the user or service principal lacks the necessary permissions to perform a specific operation. This can occur when creating catalogs, schemas, or tables, accessing data, or managing resources. Without proper permissions, users may not be able to create catalogs, access tables, or update metastore settings.
🚨 Common symptoms of TestUC1005:
- Error: “TestUC1005 – Not Authorized for Action” while creating a catalog, schema, or table.
- Cannot assign or manage Unity Catalog metastore.
- Users cannot access certain Unity Catalog objects.
- Permission denied errors in notebooks or jobs.
Common Causes and Fixes for TestUC1005
1. Insufficient Permissions on Unity Catalog Resources
Symptoms:
- Error: “Not authorized to create or manage catalog.”
- Cannot perform CREATE CATALOG, GRANT, or ALTER commands.
Causes:
- The user or group lacks the necessary permissions on Unity Catalog resources.
- Metastore admin privileges are not assigned to the user.
- Service principals running Databricks jobs have insufficient permissions.
Fix:
✅ Check user permissions on Unity Catalog:
SHOW GRANTS ON CATALOG main;
✅ Grant the necessary permissions to the user or group:
GRANT CREATE CATALOG ON METASTORE TO `user@example.com`;
GRANT SELECT ON CATALOG main TO `user@example.com`;
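✅ To assign Metastore admin privileges, have an account admin set the metastore admin in the account console. Metastore admin is a role on the metastore rather than a grantable privilege, so there is no GRANT statement for it.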
2. Service Principal or IAM Role Lacks Access to Unity Catalog
Symptoms:
- Databricks jobs fail with “Not Authorized for Action” errors.
- Service principal cannot access Unity Catalog tables or manage resources.
Causes:
- Service principal lacks permissions on Unity Catalog.
- IAM roles (AWS) or Azure Managed Identities are not properly configured.
Fix:
✅ Grant permissions to the service principal:
GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO `service_principal@mycompany.com`;
✅ Verify that the service principal is assigned the correct role in Azure or AWS:
az role assignment list --assignee <service-principal-id>
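✅ For AWS IAM roles, ensure the following policy is attached. Where possible, narrow "Resource" from "*" to the ARNs of the bucket and Glue resources the workload actually uses:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["glue:Get*", "s3:GetObject", "s3:PutObject"],
      "Resource": "*"
    }
  ]
}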
3. No Permissions to Create or Manage Schemas
Symptoms:
- Error: “Not authorized to create schema.”
- Cannot perform CREATE SCHEMA or DROP SCHEMA commands.
Causes:
- User lacks permissions to manage schemas in the specified catalog.
- Catalog-level permissions are not granted.
Fix:
✅ Check the current permissions on the catalog:
SHOW GRANTS ON CATALOG my_catalog;
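✅ Grant the necessary permissions (there is no DROP SCHEMA privilege in Unity Catalog; the right to drop a schema comes with ownership of the schema):
GRANT CREATE SCHEMA ON CATALOG my_catalog TO `user@example.com`;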
4. Unauthorized Access to Tables or Columns
Symptoms:
- Error: “Not authorized to select from table.”
- Queries on certain tables fail with a permission denied error.
Causes:
- User does not have SELECT permissions on the table or specific columns.
- Column-level access control is enabled, but permissions are missing.
Fix:
✅ Grant SELECT permission on the table:
GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO `user@example.com`;
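✅ For column-level access control, note that GRANT in Unity Catalog does not accept a column list. Expose only the permitted columns through a view and grant SELECT on that view (the view name below is a placeholder):
CREATE VIEW my_catalog.my_schema.my_table_restricted AS SELECT column1, column2 FROM my_catalog.my_schema.my_table;
GRANT SELECT ON VIEW my_catalog.my_schema.my_table_restricted TO `user@example.com`;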
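A SELECT grant on the table is not sufficient by itself: Unity Catalog also requires USE CATALOG and USE SCHEMA on the parent objects, and a grant on a parent is inherited by its children. The following added example (not part of the original article) checks that chain over constructed grant rows. The principal names and the row shape are assumptions, and object ownership is not modelled.

```python
# Constructed sample rows (not real output), shaped like what you would collect
# from SHOW GRANTS: (principal, privilege, object type, object name).
GRANTS = [
    ("analysts", "USE CATALOG", "CATALOG", "my_catalog"),
    ("analysts", "USE SCHEMA", "SCHEMA", "my_catalog.my_schema"),
    ("analysts", "SELECT", "TABLE", "my_catalog.my_schema.my_table"),
    ("etl_sp", "SELECT", "TABLE", "my_catalog.my_schema.my_table"),
    ("admins", "ALL PRIVILEGES", "CATALOG", "my_catalog"),
]


def ancestors(table):
    """Return (type, name) for the table, its schema and its catalog, nearest first."""
    catalog, schema, _ = table.split(".")
    return [("TABLE", table), ("SCHEMA", f"{catalog}.{schema}"), ("CATALOG", catalog)]


def holds(grants, principals, privilege, scope):
    """True if any principal holds the privilege (or ALL PRIVILEGES) on an object
    in scope. Grants on a parent are inherited, so the scope includes parents."""
    return any(
        who in principals and priv in (privilege, "ALL PRIVILEGES") and (kind, name) in scope
        for who, priv, kind, name in grants
    )


def missing_for_select(grants, principals, table):
    """List what is still missing before `principals` (a user plus their groups)
    can query `table`: USE CATALOG, USE SCHEMA and SELECT are all required."""
    chain = ancestors(table)
    needed = [("USE CATALOG", chain[2:]), ("USE SCHEMA", chain[1:]), ("SELECT", chain)]
    return [
        f"{priv} on {scope[0][1]}"
        for priv, scope in needed
        if not holds(grants, principals, priv, scope)
    ]


if __name__ == "__main__":
    table = "my_catalog.my_schema.my_table"
    for who in ("analysts", "etl_sp", "admins"):
        print(who, missing_for_select(GRANTS, {who}, table) or "ok")
```

Pass the user together with every group they belong to as `principals`, since a grant to any of them satisfies the check.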
5. Not Authorized to Manage Metastore Settings
Symptoms:
- Error: “Not authorized to modify metastore settings.”
- Cannot assign a metastore to a workspace.
Causes:
- User is not a Metastore admin.
- Insufficient privileges to manage Unity Catalog resources.
Fix:
✅ Check current Metastore admin permissions:
SHOW GRANTS ON METASTORE;
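✅ Assign the Metastore admin role to the intended user or group (for example admin@example.com). An account admin does this in the account console; it is a role assignment, not a SQL GRANT.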
Step-by-Step Troubleshooting Guide
1. Verify User and Role Permissions
SHOW GRANTS ON CATALOG main;
SHOW GRANTS ON TABLE my_catalog.my_schema.my_table;
2. Check Service Principal or IAM Role Permissions
- AWS: Ensure the IAM role has the required S3 and Glue permissions.
- Azure: Check Managed Identity permissions for Azure Data Lake Storage and Key Vault.
3. Grant Missing Permissions
GRANT CREATE CATALOG ON METASTORE TO `user@example.com`;  -- metastore-level privilege, not valid ON CATALOG
GRANT CREATE SCHEMA, SELECT ON CATALOG main TO `user@example.com`;
4. Check Logs for Unauthorized Actions
- Databricks job logs may provide more details on the denied action.
Best Practices to Avoid TestUC1005 – Not Authorized for Action
✅ Use Role-Based Access Control (RBAC)
- Assign permissions at group or role level for easier management.
✅ Audit Permissions Regularly
- Use SHOW GRANTS to identify missing or excessive permissions.
✅ Assign the Metastore Admin Role to Responsible Users
- Only assign Metastore admin privileges to trusted users.
✅ Monitor Unity Catalog Access Logs
- Track access and modification events to detect unauthorized attempts.
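One way to act on this, as an added example that is not part of the original article: summarize denied Unity Catalog requests per principal, so that a job repeatedly hitting one missing grant is separated from a principal being denied across many objects. The events are constructed, and the field names are an assumed audit-record shape that you should map to your own log delivery format.

```python
import json
from collections import defaultdict


def _event(who, action, obj, status, service="unityCatalog"):
    """Build one constructed audit record as a JSON line (assumed field names)."""
    return json.dumps({
        "serviceName": service, "actionName": action,
        "userIdentity": {"email": who},
        "requestParams": {"full_name_arg": obj},
        "response": {"statusCode": status},
    })


# Constructed sample, not real logs; object names are placeholders.
SAMPLE = [
    _event("etl_sp", "getTable", "my_catalog.my_schema.my_table", 403),
    _event("etl_sp", "getTable", "my_catalog.my_schema.my_table", 403),
    _event("user@example.com", "getTable", "my_catalog.schema_a.t1", 403),
    _event("user@example.com", "getTable", "my_catalog.schema_b.t2", 403),
    _event("user@example.com", "getSchema", "my_catalog.schema_c", 403),
    _event("user@example.com", "getTable", "my_catalog.my_schema.my_table", 200),
    _event("etl_sp", "runCommand", "n/a", 403, service="notebook"),
    '{"serviceName": "unityCatalog", "actionNa',  # truncated line, must be skipped
]


def summarize_denials(lines):
    """Per principal: number of denied (403) Unity Catalog requests and the objects hit."""
    out = defaultdict(lambda: {"count": 0, "objects": set()})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("serviceName") != "unityCatalog":
            continue
        if (ev.get("response") or {}).get("statusCode") != 403:
            continue
        who = (ev.get("userIdentity") or {}).get("email", "unknown")
        entry = out[who]
        entry["count"] += 1
        entry["objects"].add((ev.get("requestParams") or {}).get("full_name_arg", "?"))
    return dict(out)


def needs_review(summary, max_objects=2):
    """Principals denied on more than max_objects distinct objects; a lower spread
    usually points at a single missing grant rather than broad probing."""
    return sorted(who for who, s in summary.items() if len(s["objects"]) > max_objects)
```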
Conclusion
The TestUC1005 – Not Authorized for Action error in Databricks Unity Catalog is primarily caused by missing permissions on catalogs, schemas, or tables. By granting appropriate permissions, verifying service principal roles, and checking IAM policies, you can resolve this error and ensure secure and seamless access to Unity Catalog resources.