-- ==========================================================
-- Unity Catalog Governance for AP
-- Roles: Data Engineers (Editors), Analytics Team (Readers)
-- ==========================================================

-- ---------------------------
-- Create Groups
-- ---------------------------
-- NOTE(review): Databricks Unity Catalog does not provision principals through
-- SQL -- users and groups are managed at the account level (account console,
-- SCIM sync from the IdP, or IaC). CREATE GROUP / ALTER GROUP / CREATE USER
-- are therefore expected to fail on Databricks SQL; treat this section as the
-- record of intended membership and verify against the platform's docs before
-- relying on it. Principals are also quoted differently here ('...') than in
-- the GRANT statements below (`...`); the backtick form is what Databricks
-- SQL expects for principals.
CREATE GROUP IF NOT EXISTS data_engineers;
CREATE GROUP IF NOT EXISTS analytics_team;

-- ---------------------------
-- Add Users to Groups
-- ---------------------------
-- Membership is hard-coded per mailbox. Prefer sourcing these groups from the
-- identity provider so that offboarding a user revokes catalog access
-- automatically instead of depending on someone editing this script.
ALTER GROUP data_engineers ADD USER 'anthony@smartdatacorp.com';
ALTER GROUP data_engineers ADD USER 'adrian@smartdatacorp.com';
ALTER GROUP data_engineers ADD USER 'andre@smartdatacorp.com';
ALTER GROUP data_engineers ADD USER 'armando@smartdatacorp.com';
ALTER GROUP data_engineers ADD USER 'arturo@smartdatacorp.com';

ALTER GROUP analytics_team ADD USER 'jorge@smartdatacorp.com';
ALTER GROUP analytics_team ADD USER 'andres@smartdatacorp.com';
ALTER GROUP analytics_team ADD USER 'mili@smartdatacorp.com';
ALTER GROUP analytics_team ADD USER 'keila@smartdatacorp.com';

-- Special privileged individual user
-- Privileges granted directly to an individual (rather than to a group) are
-- not cleaned up by group-membership changes; they need their own periodic
-- access review. Every later grant to this person must use exactly this
-- principal name.
CREATE USER IF NOT EXISTS 'ever@smartdatacorp.com';

-- ---------------------------
-- Define Catalog & Schema
-- ---------------------------
-- NOTE(review): no MANAGED LOCATION is set, so managed tables created in
-- ap.gold land in the metastore's default root storage. If AP data must be
-- isolated from other catalogs (its own external location / storage
-- credential), set MANAGED LOCATION here before any table exists -- setting
-- it later only affects tables created afterwards.
-- Whoever runs this script becomes the initial owner of both objects.
CREATE CATALOG IF NOT EXISTS ap;
CREATE SCHEMA IF NOT EXISTS ap.gold;

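-- -----------------------------------------------------------
-- Grant Catalog-Level Access (minimum required)
-- -----------------------------------------------------------
-- USE CATALOG / USE SCHEMA only make ap and ap.gold traversable; on their own
-- they grant no read or write access to data. The per-role data privileges
-- are granted at schema level further down.
GRANT USE CATALOG ON CATALOG ap TO `data_engineers`;
GRANT USE SCHEMA ON SCHEMA ap.gold TO `data_engineers`;

GRANT USE CATALOG ON CATALOG ap TO `analytics_team`;
GRANT USE SCHEMA ON SCHEMA ap.gold TO `analytics_team`;

-- Ever gets elevated access for admin tasks.
-- Unity Catalog has no OWNERSHIP privilege that can be GRANTed; ownership is
-- transferred with ALTER ... OWNER TO. The principal must be exactly the
-- account provisioned for Ever (ever@smartdatacorp.com) -- a misspelled
-- principal here (e.g. eve@...) would hand the catalog to a different or
-- non-existent identity while Ever gets nothing.
-- NOTE(review): catalog ownership is full control -- the owner can grant and
-- revoke any privilege on ap and everything under it, drop the catalog and
-- transfer ownership again. That is well beyond "minimum required"; prefer
-- transferring ownership to an admin group (e.g. a dedicated ap_admins group)
-- so the role survives staff changes and is not tied to one mailbox.
ALTER CATALOG ap OWNER TO `ever@smartdatacorp.com`;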

-- -----------------------------------------------------------
-- Schema-Level Permissions
-- -----------------------------------------------------------

-- ============================
-- DATA ENGINEERS (Editors)
-- ============================
-- Editors receive their privileges through the group, never per user.
-- Schema-level grants in Unity Catalog are inherited by every current and
-- future object in ap.gold, so a newly created table is writable by the team
-- without a follow-up GRANT. MODIFY covers row changes (insert/update/delete);
-- dropping an object or transferring its ownership still requires owning it.
-- The full editor privilege set is issued as one statement so the effective
-- grant is reviewable at a glance.
GRANT
    SELECT,
    MODIFY,
    CREATE TABLE,
    CREATE VIEW,
    CREATE FUNCTION,
    CREATE MODEL,
    CREATE MATERIALIZED VIEW,
    CREATE VOLUME,
    WRITE VOLUME,
    APPLY TAG
ON SCHEMA ap.gold TO `data_engineers`;

-- ============================
-- ANALYTICS TEAM (Read-only)
-- ============================
-- Readers: SELECT at schema level reaches every current and future table and
-- view in ap.gold, so anything an editor creates there is immediately readable
-- by this group -- keep sensitive or unpublished data out of ap.gold, or grant
-- per table instead. READ VOLUME gives the same read-only reach for files.
GRANT SELECT, READ VOLUME ON SCHEMA ap.gold TO `analytics_team`;

-- Deliberately withheld: MODIFY, every CREATE privilege and WRITE VOLUME.
-- EXECUTE is not granted either, so functions in ap.gold are not callable by
-- readers unless that is added explicitly.

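-- ============================
-- SPECIAL USER: Ever (Elevated Permissions)
-- ============================
-- ALL PRIVILEGES already expands to every privilege applicable to a schema
-- (SELECT, MODIFY, all CREATE privileges, volume access, ...), so separate
-- MODIFY / CREATE TABLE / CREATE VIEW grants to the same principal add
-- nothing; one statement keeps the effective privilege set reviewable.
-- NOTE(review): ALL PRIVILEGES does NOT let Ever manage grants. In Unity
-- Catalog the right to GRANT/REVOKE on an object comes with owning it (or with
-- metastore-admin rights, or the MANAGE privilege where the workspace supports
-- it) -- verify which applies. If grant management is the actual requirement,
-- transfer ownership instead:
--   ALTER SCHEMA ap.gold OWNER TO `ever@smartdatacorp.com`;
-- and preferably to an admin group rather than one mailbox: direct per-user
-- privileges are not cleaned up when group membership changes and need their
-- own access review.
GRANT ALL PRIVILEGES ON SCHEMA ap.gold TO `ever@smartdatacorp.com`;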

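-- -----------------------------------------------------------
-- Table-level permissions
-- -----------------------------------------------------------
-- NOTE(review): this section does not "limit" the analytics team to one
-- table. The group already holds SELECT on the whole ap.gold schema, and this
-- grant targets a table in a different schema, ap.silver, which this script
-- neither creates nor makes traversable. Without USE SCHEMA on ap.silver a
-- table grant there is inert, so that prerequisite is added here; the net
-- effect is to WIDEN the readers' scope by one silver table. To genuinely
-- restrict readers to a single table, revoke the schema-level SELECT on
-- ap.gold and grant per table instead.
-- ap.silver (and ap.silver.ap_invoices) must already exist for these
-- statements to succeed.
GRANT USE SCHEMA ON SCHEMA ap.silver TO `analytics_team`;
GRANT SELECT ON TABLE ap.silver.ap_invoices TO `analytics_team`;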

