What are the privileges for volumes?

Privileges for volumes focus on working with files stored in cloud object storage.

Volumes introduce the following privileges:

  • CREATE VOLUME
  • CREATE EXTERNAL VOLUME
  • READ VOLUME
  • WRITE VOLUME

See Unity Catalog privileges and securable objects.

Privileges required for volume operations

The following table lists the permissions required to work with volumes. Volumes rely on Unity Catalog, so you must be in a Unity Catalog-enabled workspace and use Unity Catalog-compatible compute to interact with volumes.

| Operation | Ownership required? | Catalog permissions | Schema permissions | Volume permissions | External location permissions |
|---|---|---|---|---|---|
| Read or list files | No | USE CATALOG | USE SCHEMA | READ VOLUME | None |
| Create, delete, or update files | No | USE CATALOG | USE SCHEMA | READ VOLUME, WRITE VOLUME | None |
| Create managed volume | No | USE CATALOG | USE SCHEMA, CREATE VOLUME | None | None |
| Create external volume | No | USE CATALOG | USE SCHEMA, CREATE VOLUME | None | CREATE EXTERNAL VOLUME |
| Drop a volume | Yes | USE CATALOG | USE SCHEMA | None | None |
| Manage volume privileges | Yes | USE CATALOG | USE SCHEMA | None | None |
Note: Owners automatically get all privileges for a volume. You can also grant privileges such as READ VOLUME and WRITE VOLUME at the catalog or schema level so that they cascade to every volume contained in that catalog or schema.

Volume ownership and MANAGE privileges

You must be the owner or have the MANAGE privilege on the volume to complete the following operations:

  • Manage volume privileges.
  • Drop the volume.
  • Rename the volume.
  • Change volume ownership.

Each object in Unity Catalog has exactly one principal as its owner. Ownership itself does not cascade: the owner of a catalog does not automatically become the owner of every object in that catalog. The privileges that come with ownership, however, do apply to all objects contained within the owned object.

This means that for Unity Catalog volumes, the following principals can manage volume privileges:

  • The owner of the parent catalog.
  • The owner of the parent schema.
  • The owner of the volume.
  • Users with the MANAGE privilege on the volume, its parent schema, or its parent catalog.

While each object can only have a single owner, Databricks recommends assigning ownership for most objects to a group rather than an individual user. Initial ownership for any object is assigned to the user who creates that object. The MANAGE privilege can be granted to multiple principals. See Manage Unity Catalog object ownership.
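The following Databricks SQL script is an added example, not part of this page, that puts the permission table, the cascading note and the ownership recommendation above into practice. The catalog `main`, schema `raw`, volumes `landing` and `vendor_drop`, external location `vendor_s3` and the groups named are all hypothetical.

```sql
-- Hypothetical names throughout: main, raw, landing, vendor_drop, vendor_s3 and all groups.

-- 1. Least privilege for the team that creates volumes: they need USE CATALOG on the catalog
--    and USE SCHEMA plus CREATE VOLUME on the schema, but no volume-level grants yet.
GRANT USE CATALOG ON CATALOG main TO `data_engineers`;
GRANT USE SCHEMA, CREATE VOLUME ON SCHEMA main.raw TO `data_engineers`;

-- 2. A managed volume needs nothing beyond the grants above.
CREATE VOLUME main.raw.landing
  COMMENT 'Managed volume for incoming files';

-- 3. An external volume additionally needs CREATE EXTERNAL VOLUME on the external location
--    that covers the storage path (see the "Create external volume" row of the table).
GRANT CREATE EXTERNAL VOLUME ON EXTERNAL LOCATION vendor_s3 TO `data_engineers`;
CREATE EXTERNAL VOLUME main.raw.vendor_drop
  LOCATION 's3://example-bucket/vendor-drop/'   -- hypothetical path
  COMMENT 'External volume backed by the vendor_s3 external location';

-- 4. Read-only access that cascades: READ VOLUME granted on the schema applies to every
--    volume in main.raw, current and future. Readers still need USE CATALOG and USE SCHEMA.
GRANT USE CATALOG ON CATALOG main TO `analysts`;
GRANT USE SCHEMA, READ VOLUME ON SCHEMA main.raw TO `analysts`;

-- 5. Write access scoped to a single volume. WRITE VOLUME is granted together with
--    READ VOLUME because creating, deleting or updating files requires both.
GRANT USE CATALOG ON CATALOG main TO `ingest_svc`;
GRANT USE SCHEMA ON SCHEMA main.raw TO `ingest_svc`;
GRANT READ VOLUME, WRITE VOLUME ON VOLUME main.raw.landing TO `ingest_svc`;

-- 6. Ownership defaults to the creating user; move it to a group as recommended so that
--    drop, rename and privilege management do not depend on one person's account.
ALTER VOLUME main.raw.landing OWNER TO `data_engineers`;
ALTER VOLUME main.raw.vendor_drop OWNER TO `data_engineers`;

-- 7. MANAGE lets additional principals administer privileges without owning the object.
GRANT MANAGE ON VOLUME main.raw.landing TO `platform_admins`;

-- 8. Review the effective grants; owners appear with all privileges implicitly, so
--    check ownership separately in the volume's details if the grant list looks sparse.
SHOW GRANTS ON VOLUME main.raw.landing;
```

Run each block as a principal that already holds the required privilege on the parent object (for example, the schema owner for the grants on `main.raw`); otherwise Unity Catalog rejects the statement with an insufficient-privilege error.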