From c09b3621a8f295b14a60c676c36ac3c2f9cf3721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Lecomte?= Date: Tue, 4 Nov 2025 10:25:35 +0100 Subject: [PATCH 1/2] docs: clarify scope of databricks_grant, reword reference to principals --- docs/resources/grant.md | 4 ++-- docs/resources/grants.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/resources/grant.md b/docs/resources/grant.md index a4db6581ad..e8fa721312 100644 --- a/docs/resources/grant.md +++ b/docs/resources/grant.md 
@@ -7,9 +7,9 @@ subcategory: "Unity Catalog" -> Most of Unity Catalog APIs are only accessible via **workspace-level APIs**. This design may change in the future. Account-level principal grants can be assigned with any valid workspace as the Unity Catalog is decoupled from specific workspaces. More information in [the official documentation](https://docs.databricks.com/data-governance/unity-catalog/index.html). -~> This resource is _authoritative_ for grants on securables for a given _singular_ principal. Configuring this resource for a securable will **OVERWRITE** any existing grants for the principal and changes made outside of Terraform will be reset. Use [databricks_grants](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants) for authoritative control of all grants on a securable. +~> This resource is _authoritative_ for the privilege grants for a given securable and a given principal. Configuring this resource for a securable and a principal will **OVERWRITE** any existing privilege grants for this securable and this principal, and changes made outside of Terraform will be reset. Use [databricks_grants](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants) for authoritative control of all grants on a securable, across all users. -In Unity Catalog all users initially have no access to data. Only Metastore Admins can create objects and can grant/revoke access on individual objects to users and groups. Every securable object in Unity Catalog has an owner. The owner can be any account-level user or group, called principals in general. The principal that creates an object becomes its owner. Owners receive `ALL_PRIVILEGES` on the securable object (e.g., `SELECT` and `MODIFY` on a table), as well as the permission to grant privileges to other principals. +In Unity Catalog all users initially have no access to data. 
Only Metastore Admins can create objects and can grant/revoke access on individual objects to users and groups. Every securable object in Unity Catalog has an owner. The owner can be any account-level user or group, referred to as principals. The principal that creates an object becomes its owner. Owners receive `ALL_PRIVILEGES` on the securable object (e.g., `SELECT` and `MODIFY` on a table), as well as the permission to grant privileges to other principals. Securable objects are hierarchical and privileges are inherited downward. The highest level object that privileges are inherited from is the catalog. This means that granting a privilege on a catalog or schema automatically grants the privilege to all current and future objects within the catalog or schema. Privileges that are granted on a metastore are not inherited. diff --git a/docs/resources/grants.md b/docs/resources/grants.md index 1698225e36..9ab99ba62e 100644 --- a/docs/resources/grants.md +++ b/docs/resources/grants.md 
@@ -9,7 +9,7 @@ subcategory: "Unity Catalog" ~> This resource is _authoritative_ for grants on securables. Configuring this resource for a securable will **OVERWRITE** any existing grants and changes made outside of Terraform will be reset. Use [databricks_grant](https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grant) for more granular grant management. -In Unity Catalog all users initially have no access to data. Only Metastore Admins can create objects and can grant/revoke access on individual objects to users and groups. Every securable object in Unity Catalog has an owner. The owner can be any account-level user or group, called principals in general. The principal that creates an object becomes its owner. Owners receive `ALL_PRIVILEGES` on the securable object (e.g., `SELECT` and `MODIFY` on a table), as well as the permission to grant privileges to other principals. +In Unity Catalog all users initially have no access to data. Only Metastore Admins can create objects and can grant/revoke access on individual objects to users and groups. Every securable object in Unity Catalog has an owner. The owner can be any account-level user or group, referred to as principals. The principal that creates an object becomes its owner. Owners receive `ALL_PRIVILEGES` on the securable object (e.g., `SELECT` and `MODIFY` on a table), as well as the permission to grant privileges to other principals. Securable objects are hierarchical and privileges are inherited downward. The highest level object that privileges are inherited from is the catalog. This means that granting a privilege on a catalog or schema automatically grants the privilege to all current and future objects within the catalog or schema. Privileges that are granted on a metastore are not inherited. From 2012bde856b1044586b60901fc391eb97f663415 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timoth=C3=A9e=20Lecomte?= Date: Tue, 4 Nov 2025 10:27:19 +0100 Subject: [PATCH 2/2] Add entry in NEXT_CHANGELOG --- NEXT_CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md index e974787df3..a9e5e0be8c 100644 --- a/NEXT_CHANGELOG.md +++ b/NEXT_CHANGELOG.md @@ -10,6 +10,8 @@ ### Documentation + * Clarify scope of `databricks_grant`, reword reference to principals ([#5182](https://github.com/databricks/terraform-provider-databricks/pull/5182)). + ### Exporter ### Internal Changes
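Review bot: in the `docs/resources/grant.md` hunk, the rewritten callout ends with "across all users", which contradicts the paragraph a few lines below that defines principals as account-level users or groups; `databricks_grants` is authoritative over the grants of every principal on the securable, not only users. Suggest "for authoritative control of all grants on a securable, across all principals". While touching that paragraph, "any account-level user or group, referred to as principals" reads more clearly as "any account-level user or group, collectively referred to as principals", which also makes the later "other principals" unambiguous.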