Access control in Unity Catalog

Access control in Unity Catalog is built on the following complementary models:

  • Privileges and ownership control who can access what, using grants on securable objects.
  • Table-level filtering and masking control what data users can see within tables, using table-specific filters and views.
  • Workspace-level restrictions control where users can access data, by limiting objects to specific workspaces.

These models work together to enforce secure, fine-grained access across your data environment.

When to use each access control mechanism

Workspace bindings, privileges, and ABAC policies all evaluate access at different levels, and they are designed to be used together. The following table compares them across common access control criteria:

Mechanism          | Applies to                                              | Defined using                       | Use case
Privileges         | Catalogs, schemas, tables                               | Grants (GRANT, REVOKE), ownership   | Baseline access and delegation
Workspace bindings | Catalogs, external locations, storage credentials       | Workspace assignment                | Restricting access to objects from specific workspaces
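The first two models from the list above, written as Unity Catalog SQL. This is an added example, not part of the documentation page; the catalog, schema, table, column and group names (main, sales, orders, region, card_number, analysts, auditors, sales_stewards, payments_ops) are assumed. Workspace bindings are configured per catalog in Catalog Explorer or the API rather than in SQL, so they are not shown.

```sql
-- Added example; all object and group names below are assumed.

-- 1. Privileges and ownership.
-- Access flows from parent to child: a principal needs USE CATALOG and
-- USE SCHEMA on the parents before a SELECT on a table becomes usable.
GRANT USE CATALOG ON CATALOG main            TO `analysts`;
GRANT USE SCHEMA  ON SCHEMA  main.sales      TO `analysts`;
GRANT SELECT      ON TABLE   main.sales.orders TO `analysts`;

-- A grant at the schema level is inherited by every current and future
-- table in that schema, so review it with the same care as a wildcard.
GRANT USE CATALOG ON CATALOG main       TO `auditors`;
GRANT USE SCHEMA  ON SCHEMA  main.sales TO `auditors`;
GRANT SELECT      ON SCHEMA  main.sales TO `auditors`;

-- Ownership is delegation: the owner of an object can grant privileges
-- on it, so assign ownership to a group rather than an individual user.
ALTER SCHEMA main.sales OWNER TO `sales_stewards`;

-- Revoke and inspect: verify the effective grants after every change.
REVOKE SELECT ON TABLE main.sales.orders FROM `analysts`;
SHOW GRANTS ON SCHEMA main.sales;
SHOW GRANTS ON TABLE  main.sales.orders;

-- 2. Table-level filtering and masking.
-- A row filter function returns TRUE for rows the caller may see. Here
-- members of payments_ops see every region; everyone else sees only 'US'.
CREATE OR REPLACE FUNCTION main.sales.region_filter(region STRING)
RETURN IF(is_account_group_member('payments_ops'), TRUE, region = 'US');

ALTER TABLE main.sales.orders
  SET ROW FILTER main.sales.region_filter ON (region);

-- A column mask replaces the stored value for callers outside the group,
-- so SELECT on the table no longer exposes the full card number.
CREATE OR REPLACE FUNCTION main.sales.mask_card(card_number STRING)
RETURN CASE
         WHEN is_account_group_member('payments_ops') THEN card_number
         ELSE CONCAT('****', RIGHT(card_number, 4))
       END;

ALTER TABLE main.sales.orders
  ALTER COLUMN card_number SET MASK main.sales.mask_card;
```

The filter and mask apply to every query against the table, including queries through views built on it, which is why they belong beside, not instead of, the baseline grants.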

Permissions model

Topic                | Description
Permissions concepts | Understand the Unity Catalog object hierarchy, privilege inheritance, and how access flows from parent to child objects.
Privileges reference | View detailed descriptions of every privilege in Unity Catalog.
Admin roles          | Learn about account admin, workspace admin, and metastore admin roles and their scopes.

Manage access

Topic                     | Description
Manage privileges         | Grant, revoke, and inspect privileges on Unity Catalog objects using Catalog Explorer and SQL.
Access requests           | Configure destinations for access requests on Unity Catalog securable objects, including email, Slack, Teams, and webhooks.
Workspace-catalog binding | Restrict which workspaces can access specific catalogs, external locations, and storage credentials.