
# Configuring Privileges for Production Data and Derived Tables

The instructions below are written for pairs of users exploring how table ACLs on Databricks work. The lab uses Databricks SQL and the Data Explorer to accomplish these tasks, and assumes that neither user has admin privileges for the workspace. An admin must already have granted **`CREATE`** and **`USAGE`** privileges on a catalog so that users can create databases in Databricks SQL.

## Learning Objectives

By the end of this lab, you should be able to:
* Use Data Explorer to navigate relational entities
* Configure permissions for tables and views with Data Explorer
* Configure minimal permissions to allow for table discovery and querying
* Change ownership for databases, tables, and views created in DBSQL

```python
%run ../Includes/Classroom-Setup-11.2L
```

## Exchange User Names with your Partner
If you are not in a workspace where your usernames correspond with your email address, make sure your partner has your username.

They will need this when assigning privileges and searching for your database at later steps.

The following cell will print your username.

```python
print(f"Your username: {DA.username}")
```

## Generate Setup Statements

The following cell uses Python to extract the username of the current user and format this into several statements used to create databases, tables, and views.

Both students should execute the following cell. 

Successful execution will print out a series of formatted SQL queries, which can be copied into the DBSQL query editor and executed.

```python
DA.generate_query()
```

Steps:
1. Run the cell above
1. Copy the entire output to your clipboard
1. Navigate to the Databricks SQL workspace
1. Make sure that a DBSQL endpoint is running
1. Use the left sidebar to select the **SQL Editor**
1. Paste the query above and click the blue **Run** in the top right

**NOTE**: You will need to be connected to a DBSQL endpoint to execute these queries successfully. If you cannot connect to a DBSQL endpoint, you will need to contact your administrator to give you access.

## Find Your Database
In the Data Explorer, find the database you created earlier (this should follow the pattern **`dbacademy_<username>_dewd_acls_lab`**).

Clicking on the database name should display a list of the contained tables and views on the left hand side.

On the right, you'll see some details about the database, including the **Owner** and **Location**.

Click the **Permissions** tab to review who presently has permissions (depending on your workspace configuration, some permissions may have been inherited from settings on the catalog).

## Change Database Permissions

Steps:
1. Make sure you have the **Permissions** tab selected for the database
1. Click the blue **Grant** button
1. Select the **USAGE**, **SELECT**, and **READ_METADATA** options
1. Enter the username of your partner in the field at the top.
1. Click **OK**

Confirm with your partner that you can each see each other's databases and tables.
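
The Data Explorer steps above correspond to the following SQL, shown as an added example that is not part of the lab's generated queries. The database name `dbacademy_alice_dewd_acls_lab` and the principal `partner@example.com` are constructed placeholders; substitute your own database and your partner's username.

```sql
-- Added example: SQL equivalent of the Grant dialog in Data Explorer.
-- Constructed names: dbacademy_alice_dewd_acls_lab, partner@example.com.

-- Grant only what is needed to discover and read the data:
--   USAGE         required before any other privilege on objects in the database takes effect
--   SELECT        read access to the tables and views
--   READ_METADATA lets the partner see the objects and their metadata
GRANT USAGE, SELECT, READ_METADATA
  ON SCHEMA dbacademy_alice_dewd_acls_lab
  TO `partner@example.com`;

-- Verify exactly what the partner now holds on the database.
-- The result should list the three privileges above and nothing broader
-- (no CREATE, no MODIFY), apart from anything inherited from the catalog.
SHOW GRANTS `partner@example.com` ON SCHEMA dbacademy_alice_dewd_acls_lab;

-- Review every principal with privileges on the database, which is the
-- same information the Permissions tab displays.
SHOW GRANTS ON SCHEMA dbacademy_alice_dewd_acls_lab;

-- When the partner no longer needs access, remove the grant explicitly.
REVOKE USAGE, SELECT, READ_METADATA
  ON SCHEMA dbacademy_alice_dewd_acls_lab
  FROM `partner@example.com`;
```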

## Run a Query to Confirm

By granting **`USAGE`**, **`SELECT`**, and **`READ_METADATA`** on your database, your partner should now be able to freely query the tables and views in this database, but will not be able to create new tables OR modify your data.

In the SQL Editor, each user should run a series of queries to confirm this behavior in the database they were just added to.

**Make sure you specify your partner's database while running the queries below.**

**NOTE**: These first 3 queries should succeed, but the last should fail.

```python
DA.generate_confirmation_query("chirag")
```

## Execute a Query to Generate the Union of Your Beans

Execute the query below against your own databases.

**NOTE**: Because random values were inserted for the **`grams`** and **`delicious`** columns, you should see 2 distinct rows for each **`name`**, **`color`** pair.

```python
DA.generate_union_query()
```

## Register a Derivative View to Your Database

Execute the query below to register the results of the previous query to your database.

```python
DA.generate_derivative_view()
```

## Query Your Partner's View

Once your partner has successfully completed the previous step, run the following query against each of your tables; you should get the same results:

```python
DA.generate_partner_view("chirag")
```

## Add Modify Permissions

Now try to drop each other's **`beans`** tables. 

At the moment, this shouldn't work.

Using the Data Explorer, add the **`MODIFY`** permission for your **`beans`** table for your partner.

Again, attempt to drop your partner's **`beans`** table. 

It should again fail. 

**Only the owner of a table should be able to issue this statement**.<br/>
(Note that ownership can be transferred from an individual to a group, if desired).

Instead, execute a query to delete records from your partner's table:

```python
DA.generate_delete_query("chirag")
```

This query should successfully delete all records from the target table.

Try to re-execute queries against any of the views or tables you'd previously queried in this lab.

**NOTE**: If steps were completed successfully, none of your previous queries should return results, as the data referenced by your views has been deleted. This demonstrates the risks associated with providing **`MODIFY`** privileges to users on data that will be used in production applications and dashboards.

If you have additional time, see if you can use the Delta methods **`DESCRIBE HISTORY`** and **`RESTORE`** to revert the records in your table.
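
One way to contain and undo the deletion, run by the table owner, is sketched below as an added example that is not part of the lab's generated queries. The database name `dbacademy_alice_dewd_acls_lab`, the principal `partner@example.com`, the group `data_engineers`, and the version number `1` are constructed placeholders.

```sql
-- Added example: review, revoke, and recover after an unwanted DELETE.
-- Constructed names: dbacademy_alice_dewd_acls_lab, partner@example.com,
-- data_engineers; the version number 1 is a placeholder.

-- 1. See who can currently change the table.
SHOW GRANTS ON TABLE dbacademy_alice_dewd_acls_lab.beans;

-- 2. Remove the write privilege so no further changes can be made.
REVOKE MODIFY
  ON TABLE dbacademy_alice_dewd_acls_lab.beans
  FROM `partner@example.com`;

-- 3. Find the DELETE in the Delta transaction log. Each row shows the
--    version, timestamp, user, and operation; note the version listed
--    immediately before the DELETE operation.
DESCRIBE HISTORY dbacademy_alice_dewd_acls_lab.beans;

-- 4. Preview that earlier version before changing anything.
--    Replace 1 with the version identified in step 3.
SELECT count(*) AS rows_before_delete
  FROM dbacademy_alice_dewd_acls_lab.beans VERSION AS OF 1;

-- 5. Restore the table to that version. Views defined on the table
--    return data again once the restore completes.
RESTORE TABLE dbacademy_alice_dewd_acls_lab.beans TO VERSION AS OF 1;

-- 6. Optional: transfer ownership from an individual to a group, so that
--    owner-only statements such as DROP TABLE are held by the group.
ALTER TABLE dbacademy_alice_dewd_acls_lab.beans OWNER TO `data_engineers`;
```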

&copy; 2022 Databricks, Inc. All rights reserved.<br/>