Principal
Applies to: Databricks SQL Databricks Runtime
A principal is a user, service principal, or group known to the metastore. Principals can be granted privileges and may own securable objects.
Syntax
{ `<user>@<domain-name>` |
`<sp-application-id>` |
group_name |
users |
`account users` }
Parameters
<user>@<domain-name>
An individual user. You must quote the identifier with back-ticks (`) because of the @ character.
<sp-application-id>
A service principal, specified by its applicationId value. You must quote the identifier with back-ticks (`) because of the dash characters in the ID.
group_name
An identifier specifying a group of users or groups.
users
The root group to which all users in the workspace belong. You cannot grant users privileges to securable objects in the Unity Catalog because it is a workspace-local group.
account users
The root group to which all users in the account belong. You must quote the identifier with back-ticks (`) because of the blank character.
Workspace-local and account groups
Azure Databricks has the concept of account groups and workspace-local groups, with special behaviors:
- Account groups can be created by account admins and workspace admins of identity-federated workspaces. They can be granted access to identity-federated workspaces and privileges to securable objects in the Unity Catalog.
- Workspace-local groups can be created only by workspace admins. These groups are identified as workspace-local in the workspace admin settings page and on the workspace Permissions tab in the account console. Workspace-local groups cannot be assigned to additional workspaces or granted privileges to securable objects in the Unity Catalog. The system groups users and admins are workspace-local groups.
Examples
-- Granting a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;
-- Granting a privilege to the service principal fab9e00e-ca35-11ec-9d64-0242ac120002
> GRANT SELECT ON TABLE t TO `fab9e00e-ca35-11ec-9d64-0242ac120002`;
-- Revoking a privilege from the general public group.
> REVOKE SELECT ON TABLE t FROM `account users`;
-- Transferring ownership of an object to `some_group`
> ALTER SCHEMA some_schema OWNER TO some_group;
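The following is an added example, not part of the Databricks documentation page, that puts the quoting rules and the account-group versus workspace-local-group distinction above into one least-privilege grant cycle on Unity Catalog securables and then reviews the result with SHOW GRANTS. The catalog main, schema finance, table invoices, account group finance_analysts, user ana@example.com and the all-zero service principal id are assumed, constructed names.

```sql
-- Added example (not from the Databricks documentation page). Assumed names:
-- catalog main, schema finance, table invoices, account group finance_analysts,
-- user ana@example.com, and a constructed placeholder service principal id.

-- Grant read access to a specific account group rather than to the broad `account users` group.
GRANT USE CATALOG ON CATALOG main TO finance_analysts;
GRANT USE SCHEMA ON SCHEMA main.finance TO finance_analysts;
GRANT SELECT ON TABLE main.finance.invoices TO finance_analysts;

-- A user identifier contains '@', so it must be back-tick quoted.
GRANT SELECT ON TABLE main.finance.invoices TO `ana@example.com`;

-- A service principal is named by its applicationId; the dashes require back-ticks.
-- (The id below is a constructed placeholder, not a real application id.)
GRANT MODIFY ON TABLE main.finance.invoices TO `00000000-0000-0000-0000-000000000000`;

-- `users` and `admins` are workspace-local groups and cannot hold privileges on
-- Unity Catalog securables; grant to an account group (or `account users`) instead.
-- GRANT SELECT ON TABLE main.finance.invoices TO users;   -- not permitted in Unity Catalog

-- Remove an overly broad grant; `account users` contains a blank, hence the back-ticks.
REVOKE SELECT ON TABLE main.finance.invoices FROM `account users`;

-- Review the resulting grants on the table, and the grants held by one principal.
SHOW GRANTS ON TABLE main.finance.invoices;
SHOW GRANTS `ana@example.com` ON TABLE main.finance.invoices;

-- Transfer ownership of the schema to the account group so it is not tied to one individual.
ALTER SCHEMA main.finance OWNER TO finance_analysts;
```

Granting to a named account group and owning the schema through that group keeps access reviewable in one place; the SHOW GRANTS statements are the check to run after any GRANT or REVOKE to confirm the effective privileges match what was intended.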