# Lecture 35. Data Objects Privileges

In this video, we will talk about data object privileges in **Databricks**.

You will understand the **Databricks data governance model**. And you will learn how to manage permissions for different data objects like databases, tables, and views.

---

The data governance model in **Databricks** lets you programmatically grant, deny, and revoke access to your data from **Spark SQL**.

Here is a general command that allows you to give an access privilege on a specific data object to a user or group of users.

For example, we can give `read` access, which translates to the ability to run a `SELECT` operation, on a table called `my_table`. This permission is assigned to **User 1**.

So this table here is a data object on which we set permissions.

---

### Data Object Types in Databricks

Let us see what other object types we have in **Databricks**.

**Databricks** allows you to configure permissions for the following object types:

- **Catalog**: To control access to the entire data catalog.
- **Schema**: To control access to a database.
- **Table**: You can control access to a table, whether it's a managed or external table.
- **SQL View**: To control access to a SQL view.
- **Named Function**: To control access to a named function.
- Additionally, with the **ANY FILE** keyword, we can control access to the underlying file system.

---

### Privileges in Databricks

Okay, now that we know the data objects on which we can configure privileges, let us see what those privileges are.

The following privileges can be configured on the data objects:

- **SELECT**: Gives `read` access to an object.
- **MODIFY**: Gives the ability to add, delete, and modify data in an object.
- **CREATE**: Gives the ability to create an object (for example, a table in a database).
- **READ_METADATA**: Gives the ability to view an object and its metadata.
- **USAGE**: Does not give any specific ability; however, it is an additional requirement to perform any action on a database object.
- **ALL PRIVILEGES**: Grants all the above privileges at the same time.

---

### Granting Privileges in Databricks

In order to be able to grant privileges on an object, you need to be either a **Databricks Administrator** or the **Object Owner**.

- If you are a **Databricks Administrator**, you can grant access privileges for all objects in the catalog and in the underlying file system.
- A **Catalog Owner** can grant a privilege for all objects in the catalog.
- A **Database Owner** can grant privileges for all objects only in that database.
- A **Table Owner** can grant privileges only for the table itself.
- Of course, similar rules apply to views and functions.

---

### Managing Privileges

Finally, in addition to the grant operation, you have other useful operations to manage object privileges.

For example, you can **deny** and **revoke** privileges. You are also able to show the granted permissions on objects using the `SHOW GRANTS` operation.
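
The operations described in this lecture, put together as an added example (not taken from the lecture's slides or notebooks). It assumes a workspace using the table access control model described here; the schema `my_db` and the principals `user1@example.com`, `data_engineers`, and `interns` are hypothetical names, and only `my_table` comes from the lecture.

```sql
-- Added example. my_db and all principals below are hypothetical names.

-- 1. USAGE on the schema is a prerequisite: without it, the SELECT grant
--    in step 2 is not enough for the user to query the table.
GRANT USAGE ON SCHEMA my_db TO `user1@example.com`;

-- 2. Read access, plus the ability to view the table and its metadata.
GRANT SELECT, READ_METADATA ON TABLE my_db.my_table TO `user1@example.com`;

-- 3. Check what is actually in effect for this principal on the table.
SHOW GRANTS `user1@example.com` ON TABLE my_db.my_table;

-- 4. A group that maintains the data: it can create objects in the
--    schema and change the contents of the table.
GRANT USAGE, CREATE ON SCHEMA my_db TO `data_engineers`;
GRANT MODIFY ON TABLE my_db.my_table TO `data_engineers`;

-- 5. DENY takes precedence over grants, so it is the tool for carving
--    an exception out of a broader grant.
DENY MODIFY ON TABLE my_db.my_table TO `interns`;

-- 6. REVOKE removes a privilege that was explicitly granted (or denied).
REVOKE SELECT ON TABLE my_db.my_table FROM `user1@example.com`;

-- 7. Audit the whole schema, then the file-system-level privilege.
--    A principal holding SELECT on ANY FILE can read the underlying files
--    directly, bypassing table-level restrictions, so keep this list short.
SHOW GRANTS ON SCHEMA my_db;
SHOW GRANTS `data_engineers` ON ANY FILE;
```

After step 6, User 1 still holds `USAGE` on the schema and `READ_METADATA` on the table; revoking one privilege does not remove the others.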

---

Great.

That's it for this video.

Let us now switch to the **Databricks** platform to see how to manage object privileges in **Databricks SQL**.