Privileges for Unity Catalog volumes

Privileges for Unity Catalog volumes focus on working with files stored in cloud object storage.

Volumes introduce the following privileges:

See Unity Catalog privileges and securable objects.

Privileges required for volume operations

The following table lists the permissions required to work with volumes. Volumes rely on Unity Catalog, so you must be in a Unity Catalog-enabled workspace and use Unity Catalog-compatible compute to interact with volumes.

Operation Ownership required? Catalog permissions Schema permissions Volume permissions External location permissions
Read or list files No USE CATALOG USE SCHEMA READ VOLUME None
Create, delete, or update files No USE CATALOG USE SCHEMA READ VOLUME, WRITE VOLUME None
Create managed volume No USE CATALOG USE SCHEMA, CREATE VOLUME None None
Create external volume No USE CATALOG USE SCHEMA, CREATE VOLUME None CREATE EXTERNAL VOLUME
Drop a volume Yes USE CATALOG USE SCHEMA None None
Manage volume privileges Yes USE CATALOG USE SCHEMA None None

Note

Owners automatically get all privileges for a volume, and you can set privileges such as READ VOLUME and WRITE VOLUME at the catalog or schema level to cascade privileges to all contained volumes.

Volume ownership and MANAGE privileges

You must be the owner or have the MANAGE privilege on the volume to complete the following operations:

  • Manage volume privileges
  • Drop the volume
  • Rename the volume
  • Change volume ownership

Each object in Unity Catalog can have only one principal as its owner. Ownership doesn't cascade. That is, owning a catalog doesn't make you the owner of all objects within it, but the privileges that come with ownership apply to all objects contained in the owned object.

For Unity Catalog volumes, the following principals can manage volume privileges:

  • The owner of the parent catalog
  • The owner of the parent schema
  • The owner of the volume
  • Any user with the MANAGE privilege on the volume, its parent schema, or its parent catalog

Databricks recommends assigning ownership to a group rather than an individual so that you can manage access collectively. By default, the user who creates an object becomes its owner. However, you can grant the MANAGE privilege to multiple principals. See Manage Unity Catalog object ownership.