Manage access to Delta Sharing data shares (for providers)
This article explains how to grant a data recipient access to a Delta Sharing share. It also explains how to view, update, and revoke access.
Requirements
To share data with recipients:
- You must use an Azure Databricks workspace that has a Unity Catalog metastore attached.
- You must use a SQL warehouse or cluster that uses a Unity-Catalog-capable cluster access mode.
- Shares and recipients must already be defined.
- You must be one of the following:
  - Metastore admin.
  - User with delegated permissions or ownership on both the share and the recipient objects: ((USE SHARE + SET SHARE PERMISSION) or share owner) AND (USE RECIPIENT or recipient owner).
Grant recipient access to share
To grant share access to recipients, you can use Catalog Explorer, the Databricks Unity Catalog CLI, or SQL commands in an Azure Databricks notebook or the Databricks SQL query editor.
Permissions required: One of the following:
- Metastore admin.
- Delegated permissions or ownership on both the share and the recipient objects: ((USE SHARE + SET SHARE PERMISSION) or share owner) AND (USE RECIPIENT or recipient owner).
Catalog Explorer
To add recipients to a share, starting at the share:
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, find and select the share.
Click Add recipient.
On the Add recipient dialog, start typing the recipient name or click the drop-down menu to select the recipients you want to add to the share.
Click Add.
To grant share access to a recipient, starting at the recipient:
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, click Recipients and select the recipient.
Click Grant share.
On the Grant share dialog, start typing the share name or click the drop-down menu to select the shares you want to grant.
Click Grant.
SQL
Run the following command in a notebook or the Databricks SQL query editor.
GRANT SELECT ON SHARE <share-name> TO RECIPIENT <recipient-name>;
SELECT is the only privilege that you can grant a recipient on a share.
CLI
Run the following command using the Databricks CLI. Replace <share-name> with the name of the share you want to grant to the recipient, and replace <recipient-name> with the recipient's name. SELECT is the only privilege that you can grant on a share.
databricks shares update <share-name> \
  --json='{
    "changes": [
      {
        "principal": "<recipient-name>",
        "add": [
          "SELECT"
        ]
      }
    ]
  }'
Revoke recipient access to a share
To revoke a recipient's access to a share, you can use Catalog Explorer, the Databricks Unity Catalog CLI, or the REVOKE ON SHARE SQL command in an Azure Databricks notebook or the Databricks SQL query editor.
Permissions required: Metastore admin, user with the USE SHARE privilege, or share object owner.
Catalog Explorer
To revoke a recipient's access to a share, starting at the share:
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, find and select the share.
On the Recipients tab, find the recipient.
Click the kebab menu and select Revoke.
On the confirmation dialog, click Revoke.
To revoke a recipient's access to a share, starting at the recipient:
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, click Recipients and select the recipient.
On the Shares tab, find the share.
Click the kebab menu on the share row and select Revoke.
On the confirmation dialog, click Revoke.
SQL
Run the following command in a notebook or the Databricks SQL query editor.
REVOKE SELECT ON SHARE <share-name> FROM RECIPIENT <recipient-name>;
CLI
Run the following command using the Databricks CLI. Replace <share-name> with the name of the share you want to remove for the recipient, and replace <recipient-name> with the recipient's name. SELECT is the only privilege that you can remove for a recipient.
databricks shares update <share-name> \
  --json='{
    "changes": [
      {
        "principal": "<recipient-name>",
        "remove": [
          "SELECT"
        ]
      }
    ]
  }'
View grants on a share or grants possessed by a recipient
To view the current grants on a share, you can use Catalog Explorer, the Databricks Unity Catalog CLI, or the SHOW GRANTS ON SHARE SQL command in an Azure Databricks notebook or the Databricks SQL query editor.
Permissions required: If you are viewing recipients granted access to a share, you must be a metastore admin, a user with the USE SHARE privilege, or the share object owner. If you are viewing shares granted to a recipient, you must be a metastore admin, a user with the USE RECIPIENT privilege, or the recipient object owner.
Catalog Explorer
To view recipients with access to a share:
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, find and select the share.
Go to the Recipients tab to view all recipients who have access to the share.
SQL
Run the following command in a notebook or the Databricks SQL query editor.
SHOW GRANTS ON SHARE <share-name>;
CLI
Run the following command using the Databricks CLI.
databricks shares share-permissions <share-name>
To view the current share grants possessed by a recipient, you can use Catalog Explorer, the Databricks CLI, or the SHOW GRANTS TO RECIPIENT SQL command in an Azure Databricks notebook or the Databricks SQL query editor.
Catalog Explorer
To view shares granted to a recipient:
In your Azure Databricks workspace, click Catalog.
At the top of the Catalog pane, click the gear icon and select Delta Sharing.
Alternatively, from the Quick access page, click the Delta Sharing > button.
On the Shared by me tab, click Recipients and select the recipient.
Go to the Shares tab to view all shares that the recipient has access to.
SQL
Run the following command in a notebook or the Databricks SQL query editor.
SHOW GRANTS TO RECIPIENT <recipient-name>;
CLI
Run the following command using the Databricks CLI.
databricks recipients share-permissions <recipient-name>
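For periodic access reviews, the view, grant, and revoke commands above can be combined into a reconciliation step. The following is an added example, not part of the original article or of Databricks tooling: it compares a share's current grants against an approved recipient list and builds the changes payload that databricks shares update accepts. It assumes the share-permissions output is JSON with a privilege_assignments list of principal and privileges entries; the recipient names and sample output are constructed.

```python
import json

# Constructed sample of `databricks shares share-permissions <share-name>` output.
# Assumed shape: {"privilege_assignments": [{"principal": ..., "privileges": [...]}]}
CONSTRUCTED_PERMISSIONS = {
    "privilege_assignments": [
        {"principal": "partner-analytics", "privileges": ["SELECT"]},
        {"principal": "former-vendor", "privileges": ["SELECT"]},
    ]
}

# Constructed allowlist: recipients that should hold SELECT on the share.
APPROVED_RECIPIENTS = ["partner-analytics", "new-partner"]


def plan_share_changes(current_permissions, approved_recipients):
    """Build the `changes` payload that makes the share's grants match the allowlist.

    Recipients holding SELECT but missing from the allowlist get a "remove" entry;
    approved recipients without SELECT get an "add" entry. SELECT is the only
    privilege that can be granted on a share, so nothing else is considered.
    """
    approved = set(approved_recipients)
    holders = {
        entry["principal"]
        for entry in current_permissions.get("privilege_assignments", [])
        if "SELECT" in entry.get("privileges", [])
    }
    changes = [
        {"principal": name, "remove": ["SELECT"]} for name in sorted(holders - approved)
    ]
    changes += [
        {"principal": name, "add": ["SELECT"]} for name in sorted(approved - holders)
    ]
    return {"changes": changes}


if __name__ == "__main__":
    plan = plan_share_changes(CONSTRUCTED_PERMISSIONS, APPROVED_RECIPIENTS)
    if plan["changes"]:
        # Review the plan, then pass it to: databricks shares update <share-name> --json='...'
        print(json.dumps(plan, indent=2))
    else:
        print("Share grants already match the approved list.")
```

An empty changes list means the share already matches the allowlist, so no update call is needed.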