# Lecture 36. Managing Permissions (Hands On)

In this demo, we will explore how to manage permissions for **databases**, **tables**, and **views** in **Databricks SQL**.


### Reference
  - [Documentation > Data governance with Unity Catalog > What is Catalog Explorer?](https://docs.databricks.com/en/catalog-explorer/index.html)  

## Make sure that your **SQL warehouse** is running

Navigate to the **Databricks SQL Workspace**.  
Make sure that your **SQL warehouse** is running.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Warehouses - list Demo Warehouse running.jpg" style="width: 1280px">
</div>

Now, navigate to the **SQL editor** in the left sidebar.


## Creating a Database and Table

In this demo, we will create a database called `hr_db`.  

Within this database, we will create a table called `employees` with `id`, `name`, `salary`, and `city` columns.  

Then, we will insert some data into this table. 

Lastly, we will create a view for `employees` in **Paris** city.

```sql
USE CATALOG hive_metastore;
CREATE DATABASE IF NOT EXISTS hr_db;

USE hr_db;
CREATE TABLE employees (id INT, name STRING, salary DOUBLE, city STRING);

INSERT INTO employees 
VALUES (1, 'Anna', 2500, 'Paris'),
       (2, 'Thomas', 3000, 'London'),
       (3, 'Bilal', 3500, 'Paris'),
       (4, 'Maya', 2000, 'Paris'),
       (5, 'Sophie', 2500, 'London'),
       (6, 'Adam', 3500, 'London'),
       (7, 'Ali', 3000, 'Paris');

CREATE VIEW paris_employees_vw
AS SELECT * FROM employees WHERE city = 'Paris';
```

Let us run these commands.

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Editor - New Query - hr_db.jpg" style="width: 1280px">
</div>


## Configuring Permissions in SQL Editor

### Assigning Privileges to Group Members

Now, in order to allow other users to access this new database and table, let us configure their permissions.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/Settings - Identity and access - Groups.jpg" style="width: 1280px">
</div>

We create a new query.

Let us start by granting several privileges on the whole `hr_db` database to a group of users called **HR Team**.  

```sql
USE CATALOG hive_metastore;
-- grant to the HR Team group (its workspace group name is hr_team)
GRANT SELECT, MODIFY, READ_METADATA, CREATE ON SCHEMA hr_db TO hr_team;
```

So, all the members in this group will have the ability to:

- **Read** and **modify** the data.
- Access **metadata information**.
- Create new objects, such as tables and views, in this database.

Let us run this command.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Editor - New Query - hr_db GRANT TO hr_team.jpg" style="width: 1280px">
</div>

Great. Now, the **hr_team** has the necessary privileges.

However, for users to perform any action on a database object, they also need one additional privilege on the database: the **USAGE** privilege.  
USAGE grants no ability on its own; without it, none of the other privileges on the objects in the database can be exercised.

```sql
GRANT USAGE ON SCHEMA hr_db TO hr_team;
```

We can run a specific SQL command simply by selecting it and clicking **Run Selected**.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Editor - New Query - hr_db GRANT USAGE TO hr_team.jpg" style="width: 1280px">
</div>



### Assigning Privileges to Individual Users

We can also assign privileges to individual users.

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/Settings - Identity and access - Users.jpg" style="width: 1280px">
</div>

Here, for example, we are granting **read access** on our view object to a user from outside of the **HR team**.  

```sql
GRANT SELECT ON VIEW hr_db.paris_employees_vw TO `dlexpertman@gmail.com`;
```

Let us select this query and click **Run Selected**.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Editor - New Query - hr_db view GRANT TO a user.jpg" style="width: 1280px">
</div>



### Reviewing Assigned Permissions

Lastly, let us review the assigned permissions using the `SHOW GRANTS` command.  

```sql
SHOW GRANTS ON SCHEMA hr_db;
```

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Editor - New Query - hr_db SHOW GRANTS.jpg" style="width: 1280px">
</div>

Yes, indeed, the **HR team** has all the granted privileges.  
And I am the **owner** of this database as I was the one who created it.

We can also show the granted privileges on our view.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Editor - New Query - hr_db view SHOW GRANTS.jpg" style="width: 1280px">
</div>

Here, we can see the user **dlexpertman@gmail.com** indeed has the **SELECT** privilege on this view.
And the **HR team** inherited the database privileges.



## Using Catalog Explorer for Permissions Management

In addition to the **SQL editor**, we can also use the **Catalog Explorer** to manage permissions.  
From the left-side navigator, select the **Catalog** tab to access the **Catalog Explorer**.

The **Catalog Explorer** allows users and admins to:

- Navigate different data objects like **databases**, **tables**, and **views**.
- Explore data schema, metadata, and history.
- Set and modify permissions.

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/Catalog - hive_metastore - hr_db.jpg" style="width: 1280px">
</div>

From here, we can find the database we created previously.  
Clicking the database name displays the tables and views it contains on the left-hand side.  
On the right, you will see details about the database, such as the **owner information**.

Use the **Permissions** tab to review who currently has permissions on this database.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/Catalog - hive_metastore - hr_db Permissions.jpg" style="width: 1280px">
</div>

As expected, we see here the granted privileges for the **HR team** group.  



### Revoking Privileges

Select a privilege here and click **Revoke** to remove it.  
The privilege has been successfully revoked.



### Changing the Owner

We can also change the owner.  
If you click there, you have the option to **edit the owner**.  
An owner can be set as an individual or a group.

Let us set the owner to **Admins**, which is the default group containing all workspace administrators.  
As you can see, the **Admins** group now is the owner of this database.



### Granting Permissions to Users

Of course, from this window, you can also grant permissions.  
Let's say we would like to allow all users to review **metadata** about this database.  
  - We click the **Grant** button.  
  - We select **All workspace users** group.  
  - And we choose both **READ_METADATA** and **USAGE** privileges.  
  - Click on **Grant**.

Now, we see here the granted privileges to the **All workspace users** group.



### Managing Permissions for Tables and Views

Similarly, we can manage permissions for tables and views.  
Click the table name, then open the **Permissions** tab.  
From here, let us, for example, give all users the ability to query this table.

- We click first on the **Grant** button.  
- We select the **All Users** group.  
- And we choose the **SELECT** privilege.  
- Lastly, we click **Grant**.  

Now, all users can query this table.



### Catalog Explorer Limitations

As you can see, the **Catalog Explorer** is a really useful and powerful tool for managing your data objects.  
However, at present, privileges on the **ANY FILE** object cannot be set from the **Catalog Explorer**.  
You need to use the **SQL editor** for that instead.
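The Catalog Explorer actions above, together with the ANY FILE privilege that only the SQL editor can manage, written as SQL statements. This is an added example, not code from the lecture; it assumes the legacy `hive_metastore` table ACLs used throughout this demo, and that `hr_team`, `admins` and `users` are the workspace group identifiers behind **HR Team**, **Admins** and **All workspace users**.

```sql
-- Added example (not from the lecture): SQL editor equivalents of the
-- Catalog Explorer clicks, plus the ANY FILE securable the explorer cannot
-- manage. Assumes legacy hive_metastore table ACLs and the group names
-- hr_team, admins and users.
USE CATALOG hive_metastore;

-- 1. Revoke a single privilege (the "Revoke" button on the Permissions tab).
REVOKE CREATE ON SCHEMA hr_db FROM hr_team;

-- 2. Transfer ownership of the database to the Admins group ("Edit owner").
--    Owners can grant, revoke and drop, so treat this as the most
--    sensitive change and keep it reviewable in Query History.
ALTER SCHEMA hr_db OWNER TO admins;

-- 3. Let every workspace user browse metadata, but not read data.
--    USAGE grants nothing by itself; it is the gate that lets the other
--    privileges on hr_db objects take effect.
GRANT USAGE, READ_METADATA ON SCHEMA hr_db TO users;

-- 4. Let every workspace user query the employees table (table-level grant).
GRANT SELECT ON TABLE hr_db.employees TO users;

-- 5. The outside user who received SELECT on the Paris view earlier also
--    needs USAGE on the schema, or that view grant cannot be exercised.
GRANT USAGE ON SCHEMA hr_db TO `dlexpertman@gmail.com`;

-- 6. ANY FILE controls direct reads of the underlying storage. A principal
--    holding it can read data regardless of table and view grants, so it
--    is granted only from the SQL editor, sparingly, and revoked as soon as
--    it is no longer required. Both statements are shown for reference.
GRANT SELECT ON ANY FILE TO `dlexpertman@gmail.com`;
REVOKE SELECT ON ANY FILE FROM `dlexpertman@gmail.com`;

-- 7. Audit: what does each principal hold on each securable?
SHOW GRANTS ON SCHEMA hr_db;
SHOW GRANTS ON TABLE hr_db.employees;
SHOW GRANTS ON VIEW hr_db.paris_employees_vw;
SHOW GRANTS `dlexpertman@gmail.com` ON SCHEMA hr_db;
-- Anyone listed here can bypass the object-level grants above.
SHOW GRANTS ON ANY FILE;
```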



## SQL Query History

What is interesting about **Databricks SQL** is that you can see all the SQL queries run behind the **Catalog Explorer**.  
Simply navigate to **Query History** in the left sidebar.  

<div  style="text-align: center; line-height: 0; padding-top: 9px;">
<img src="../../assets/images/Screen-Captures/SQL Query History.jpg" style="width: 1280px">
</div>

As you can see, **Query History** shows all the queries run in **Databricks SQL**, including those issued by the **Catalog Explorer**.