Databricks Catalog, Schema & Table Permissions (RBAC)
A Simple Story: "Too Many People, Too Much Data"
Imagine a company where:
- Analysts need access to Gold tables
- Data engineers need access to Bronze/Silver
- Data scientists need feature tables
- Finance wants restricted datasets
- Interns should not see sensitive customer info
Without proper access controls, your Databricks environment becomes:
- Messy
- Risky
- Hard to audit
What you need is a clean, structured permission system that controls who can access what, and keeps everything consistent.
This is where RBAC (Role-Based Access Control) in Databricks shines.
Understanding the Structure: Catalog → Schema → Table
Databricks organizes storage and permissions in three layers:
CATALOG
└── SCHEMA
    └── TABLE / VIEW / FUNCTION
Think of it like:
- Catalog = entire building
- Schema = floor inside the building
- Table = rooms inside the floor
You can set permissions at any level.
1. Catalog: The Top Level
A catalog contains schemas and tables.
In Unity Catalog, this is the highest namespace.
Example:
hive_metastore
main
sales_catalog
ml_catalog
Permissions Often Set Here:
- USE CATALOG
- CREATE SCHEMA
- OWN
- READ FILES (for external locations)
Example:
GRANT USE CATALOG ON CATALOG sales_catalog TO analyst_team;
This allows the team to see and navigate the catalog.
2. Schema: Organizing Tables
A schema groups related objects.
Examples:
sales_catalog
├── bronze
├── silver
└── gold
Permissions Often Set Here:
- USE SCHEMA
- CREATE TABLE
- SELECT
- MODIFY
- OWN
Example:
GRANT USE SCHEMA ON SCHEMA sales_catalog.gold TO bi_team;
Now BI users can query tables inside the Gold schema.
3. Table: The Most Detailed Level
Tables hold actual data.
Examples:
sales_catalog.gold.daily_revenue
sales_catalog.silver.cleaned_orders
Permissions Often Set Here:
- SELECT (read data)
- MODIFY (insert/update/delete)
- OWN (full control)
Example:
GRANT SELECT ON TABLE sales_catalog.gold.daily_revenue TO finance_team;
Now finance users can read the Gold revenue table, and only that table.
Important RBAC Concepts
Ownership
Every object (catalog, schema, table) has an owner.
Owners can:
- Modify
- Grant permissions
- Drop objects
You typically assign ownership to:
- Admin groups
- Data engineering teams
Principle of Least Privilege
Always give only the access required:
- Analysts → Gold
- Data Scientists → Feature tables
- Engineers → Bronze/Silver
- Finance → Restricted Gold tables
- Interns → Only learning datasets
This keeps your environment safe and compliant.
Inheritance
If you grant a privilege at a higher level, it flows downward.
Example:
GRANT SELECT ON SCHEMA sales_catalog.gold TO bi_team;
This gives read access to all tables inside gold.
Practical Real-World Permission Patterns
Pattern 1: BI/Analytics Teams
Only Gold data is needed.
GRANT SELECT ON SCHEMA sales_catalog.gold TO bi_team;
Pattern 2: Data Engineers
Full control of Bronze/Silver.
GRANT MODIFY ON SCHEMA sales_catalog.bronze TO data_eng;
GRANT MODIFY ON SCHEMA sales_catalog.silver TO data_eng;
Pattern 3: Secure Financial Data
Only the finance group can read.
GRANT SELECT ON TABLE sales_catalog.gold.finance_metrics TO finance_team;
Pattern 4: External Tables
Reading the files behind external tables requires the READ FILES privilege on the external location.
GRANT READ FILES ON EXTERNAL LOCATION finance_location TO finance_team;
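The four patterns above only work together if the navigation privileges on the parent objects are in place as well. The following script is an added example (not from the original post) that combines them into one least-privilege setup for sales_catalog and then audits the result with SHOW GRANTS. It assumes the groups bi_team, data_eng and finance_team and the external location finance_location already exist (account-level groups are created in the account console, not with SQL).

```sql
-- Added example (not the original post's code): end-to-end least-privilege
-- setup for sales_catalog. Assumed to exist already: groups bi_team, data_eng,
-- finance_team; schemas bronze/silver/gold; external location finance_location.

-- 1. Ownership: the engineering group owns the layers it maintains, so it can
--    alter, drop and re-grant there without being a metastore admin.
ALTER SCHEMA sales_catalog.bronze OWNER TO data_eng;
ALTER SCHEMA sales_catalog.silver OWNER TO data_eng;

-- 2. Navigation: SELECT on a table is not enough on its own. A principal must
--    also hold USE CATALOG on the catalog and USE SCHEMA on the schema, or the
--    object is invisible to it. Grant the parents first.
GRANT USE CATALOG ON CATALOG sales_catalog TO bi_team;
GRANT USE CATALOG ON CATALOG sales_catalog TO data_eng;
GRANT USE CATALOG ON CATALOG sales_catalog TO finance_team;

-- Pattern 1: BI reads every table in gold. Because privileges are inherited,
--   this also covers tables created in gold later.
GRANT USE SCHEMA ON SCHEMA sales_catalog.gold TO bi_team;
GRANT SELECT     ON SCHEMA sales_catalog.gold TO bi_team;

-- Pattern 2: engineers read, write and create tables in bronze and silver,
--   but get nothing in gold.
GRANT USE SCHEMA, CREATE TABLE, SELECT, MODIFY ON SCHEMA sales_catalog.bronze TO data_eng;
GRANT USE SCHEMA, CREATE TABLE, SELECT, MODIFY ON SCHEMA sales_catalog.silver TO data_eng;

-- Pattern 3: finance reads one gold table only (table-level grant, no
--   schema-wide SELECT).
GRANT USE SCHEMA ON SCHEMA sales_catalog.gold TO finance_team;
GRANT SELECT ON TABLE sales_catalog.gold.finance_metrics TO finance_team;
-- Caveat: bi_team's schema-level SELECT above is inherited by finance_metrics
--   too, and an inherited privilege cannot be revoked at the table level. If
--   finance_metrics must stay finance-only, keep it in its own schema (or grant
--   bi_team table by table) instead of relying on a table-level REVOKE.

-- Pattern 4: finance may read the raw files behind its external tables.
GRANT READ FILES ON EXTERNAL LOCATION finance_location TO finance_team;

-- 3. Audit: confirm the effective grants before hand-over.
SHOW GRANTS ON CATALOG sales_catalog;
SHOW GRANTS ON SCHEMA sales_catalog.gold;
SHOW GRANTS finance_team ON TABLE sales_catalog.gold.finance_metrics;
```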
Unity Catalog Makes RBAC Easy
Unity Catalog centralizes permissions across:
- Databricks SQL
- Notebooks
- Jobs
- MLflow
- Delta Lake
So the same RBAC rules apply everywhere: clean, consistent, reliable.
Summary
- Databricks uses Catalog → Schema → Table for organizing data.
- RBAC (Role-Based Access Control) lets you define who can do what.
- You can control access at any level: catalog, schema, or table.
- Permissions include USE, SELECT, MODIFY, CREATE, OWN, etc.
- Unity Catalog provides centralized, secure, enterprise-grade permission management.
- Always follow the least privilege model for safety and compliance.
RBAC ensures the Lakehouse stays clean, secure, and easy to manage as your organization grows.