# 🔐 Data Object Privileges in Databricks

## 🛡️ Introduction to the Data Governance Model

Databricks implements a **fine-grained data governance model** that allows administrators and users to control access to various data objects. These include:

- **Databases (Schemas)**
- **Tables** (Managed and External)
- **SQL Views**
- **Named Functions**

This model ensures secure and role-based access throughout the data platform.

---

## 🔑 Granting, Revoking, and Denying Access

Access to data objects is controlled with SQL statements:

- **GRANT** – Assign specific privileges to users or groups.
- **REVOKE** – Remove previously granted privileges.
- **DENY** – Explicitly prevent access, even if access is otherwise inherited.

---

## 📦 Data Objects with Configurable Permissions

Permissions can be configured for the following object types:

- **Catalogs**
- **Schemas (Databases)**
- **Tables**
- **SQL Views**
- **Named Functions**
- **ANY FILE** – For accessing files directly from the underlying storage system.

---

## 🔍 Privileges Explained

Here are the key privileges that can be assigned to data objects:

- **SELECT** – Read access to the data.
- **MODIFY** – Insert, update, and delete operations on the data.
- **CREATE** – Allows the creation of new objects within a container (e.g., tables in a schema).
- **READ_METADATA** – Enables access to metadata like table schema or description.
- **USAGE** – Required on a catalog or schema before any privilege on the objects inside it takes effect; it grants no data access by itself.
- **ALL PRIVILEGES** – Grants all the above permissions for full access.

---

## 👥 Roles in Permission Management

Different roles have the ability to manage access to objects:

- **Databricks Admins** – Can assign privileges across the workspace.
- **Catalog Owners** – Control all objects in their catalog.
- **Schema (Database) Owners** – Manage permissions within their specific schema.
- **Table Owners** – Control access to their individual tables.
- **Object Owners** – Grant privileges to their respective owned objects.
- **Database Administrators** – Can also manage underlying storage permissions.

---

## ⚙️ Managing Object Privileges

Common operations for permission management include:

- **DENY / REVOKE** – Remove or restrict access when needed.
- **SHOW GRANTS** – View the current privileges assigned to a user or object, useful for auditing.
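The statements from the sections above in one Databricks SQL session, as an added example that is not part of the original notes: it walks GRANT, DENY, SHOW GRANTS and REVOKE through the table-ACL model, assuming a schema `sales`, a table `sales.orders`, a view `sales.orders_summary` and a group `analysts` (all constructed names).

```sql
-- Added example (constructed names; not from the original page).
-- Run as a workspace admin or as the owner of schema `sales`.

-- 1. USAGE on the container comes first: without it, a SELECT grant
--    on sales.orders has no effect for the group.
GRANT USAGE ON SCHEMA sales TO `analysts`;

-- 2. Read-only access to the table plus its metadata (DESCRIBE, SHOW COLUMNS).
GRANT SELECT ON TABLE sales.orders TO `analysts`;
GRANT READ_METADATA ON TABLE sales.orders TO `analysts`;

-- 3. A view narrows what the group can see. The grant is on the view only;
--    the view's owner, not the reader, needs SELECT on the table behind it.
CREATE VIEW sales.orders_summary AS
  SELECT order_id, region, amount FROM sales.orders;
GRANT SELECT ON VIEW sales.orders_summary TO `analysts`;

-- 4. DENY wins over any GRANT, including one inherited from the schema:
--    even if analysts later receive ALL PRIVILEGES on sales, they still
--    cannot INSERT, UPDATE or DELETE on orders.
DENY MODIFY ON TABLE sales.orders TO `analysts`;

-- 5. Audit: what does the group hold on this table right now?
--    Expect SELECT and READ_METADATA granted and MODIFY denied.
SHOW GRANTS `analysts` ON TABLE sales.orders;

-- 6. Tighten: remove the metadata read once it is no longer needed.
REVOKE READ_METADATA ON TABLE sales.orders FROM `analysts`;
SHOW GRANTS `analysts` ON TABLE sales.orders;

-- ANY FILE is deliberately absent: SELECT ON ANY FILE reads the underlying
-- storage directly and bypasses every table and view grant above.
```

Re-run `SHOW GRANTS ON TABLE sales.orders` (without a principal) to list every principal's privileges on the table when auditing.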

---

## 🧪 Practical Demonstration

The session concludes with a **hands-on demo** in Databricks SQL, showing how to:

- Manage privileges for data objects.
- Apply the governance concepts discussed.
- Secure data access in real-world scenarios.

---

Databricks’ role-based permission model provides a powerful and flexible way to **control who can see, modify, or manage data**, helping ensure compliance and data integrity across your organization.
