DP-750: Unity Catalog Permissions and Least Privilege Access Explained and with Real Exam Questions

By 5 min read
DP-750: Unity Catalog Permissions and Least Privilege Access Explained and with Real Exam Questions

When preparing for DP-750: Microsoft Certified: Azure Databricks Data Engineer Associate, you must understand how permissions work in Azure Databricks.

Many DP-750 questions are not asking only:

> Which permission allows a user to read a table?

They are really testing whether you understand least privilege access across different layers:

catalog
  └── schema
        └── table

In Unity Catalog, a user usually needs permissions on multiple objects before they can actually access data. For example, to read a table, the user needs access to the table itself and usage privileges on the parent schema and catalog.

---

1. What is least privilege?

Least privilege means giving a user, group, or service principal only the permissions required to complete a task, and nothing more.

For DP-750, this means you should avoid answers such as:

  • assign workspace admin
  • grant MANAGE when only SELECT is needed
  • grant permissions at a broad catalog level when schema-level access is enough
  • grant CREATE TABLE when the user only needs to update existing data
  • grant ownership when the user only needs to query or modify data

A good least-privilege answer usually gives permissions at the lowest reasonable level.

For example:

|Requirement|Least privilege pattern| |---|---| |Read one table|USE CATALOG + USE SCHEMA + SELECT on the table| |Update one table|USE CATALOG + USE SCHEMA + SELECT + MODIFY on the table| |Create tables in one schema|USE CATALOG + USE SCHEMA + CREATE TABLE on the schema| |Run one job|CAN RUN on the job| |Create unrestricted clusters|Allow unrestricted cluster creation entitlement|

---

2. Unity Catalog permission model

Unity Catalog uses a hierarchical permission model. Data and metadata live in a metastore, and data objects are organized in a three-level namespace: catalog.schema.table. Every object in this hierarchy is a securable object, and access is controlled by privileges such as SELECT, MODIFY, and USE SCHEMA.

The main hierarchy is:

metastore
  └── catalog
        └── schema
              └── table / view / volume / function / model

The important exam point is:

> Permissions on a child object are not enough if the user does not also have usage permission on the parent objects.

For example, even if a user has SELECT on a table, the user still needs:

USE CATALOG on the parent catalog
USE SCHEMA on the parent schema
SELECT on the table

Databricks documentation explicitly says that to read from a table, a user needs SELECT on the table, USE CATALOG on the parent catalog, and USE SCHEMA on the parent schema.

---

3. Usage privileges are not data privileges

This is one of the most important DP-750 exam traps.

USE CATALOG and USE SCHEMA are usage privileges. They allow a user to interact with objects inside the catalog or schema, but they do not grant access to data by themselves.

For example:

GRANT USE CATALOG ON CATALOG sales TO `analysts`;
GRANT USE SCHEMA ON SCHEMA sales.customers TO `analysts`;

This does not allow analysts to query tables yet.

They still need:

GRANT SELECT ON TABLE sales.customers.customer_details TO `analysts`;

So the full read pattern is:

GRANT USE CATALOG ON CATALOG sales TO `analysts`;
GRANT USE SCHEMA ON SCHEMA sales.customers TO `analysts`;
GRANT SELECT ON TABLE sales.customers.customer_details TO `analysts`;

For DP-750, remember:

> USE CATALOG + USE SCHEMA = can reach the object > SELECT = can read the data

Databricks documentation says USE CATALOG does not grant access to the catalog itself or to any specific objects within it, and USE SCHEMA does not grant access to the schema itself or to any specific objects within it.

---

4. Reading data: SELECT

The SELECT privilege allows a user to select from a table, view, or materialized view. However, the user must also have USE CATALOG on the parent catalog and USE SCHEMA on the parent schema.

For a table named:

catalog1.schema1.table1

the minimum read permissions are:

GRANT USE CATALOG ON CATALOG catalog1 TO `group1`;
GRANT USE SCHEMA ON SCHEMA catalog1.schema1 TO `group1`;
GRANT SELECT ON TABLE catalog1.schema1.table1 TO `group1`;

In DP-750, when the question says:

> The user or service principal must query data.

you should look for:

USE CATALOG + USE SCHEMA + SELECT

---

5. Modifying data: MODIFY

The MODIFY privilege allows a user to insert, update, and delete data in a table. Databricks documentation says that when MODIFY is applied to a table, the user must also have SELECT on the table, USE SCHEMA on the parent schema, and USE CATALOG on the parent catalog.

For example:

GRANT USE CATALOG ON CATALOG sales TO `data_engineers`;
GRANT USE SCHEMA ON SCHEMA sales.customers TO `data_engineers`;
GRANT SELECT ON TABLE sales.customers.customer_details TO `data_engineers`;
GRANT MODIFY ON TABLE sales.customers.customer_details TO `data_engineers`;

For DP-750, when the question says:

> User1 can update the data in a table but cannot create new tables.

the answer should include:

USE CATALOG on catalog
USE SCHEMA on schema
MODIFY on table

Do not choose CREATE TABLE, because that would allow creating new tables.

Do not choose MANAGE, because that is broader than data modification and can involve managing privileges or ownership-like operations.

---

6. Creating tables: CREATE TABLE

The CREATE TABLE privilege allows a user to create a table or view in a schema. Databricks recommends granting CREATE TABLE at the schema level for least privilege. The user must also have USE CATALOG on the parent catalog and USE SCHEMA on the parent schema.

For example:

GRANT USE CATALOG ON CATALOG catalog1 TO `group1`;
GRANT USE SCHEMA ON SCHEMA catalog1.schema1 TO `group1`;
GRANT CREATE TABLE ON SCHEMA catalog1.schema1 TO `group1`;

In DP-750, when the question says:

> group1 can create tables in schema1 > group1 must not be able to grant permissions

you should choose:

USE SCHEMA + CREATE TABLE

not:

MANAGE

because MANAGE would be too broad.

---

7. MANAGE vs data permissions

The MANAGE privilege allows a user to manage privileges on an object, transfer ownership, and delete an object without being the owner. Databricks documentation also says users with MANAGE are not automatically granted all privileges, but they can explicitly grant themselves privileges.

For DP-750, this matters because:

MANAGE is not the same as SELECT.
MANAGE is not the same as MODIFY.
MANAGE is broader than normal data access.

If the requirement says:

> Cannot grant permissions for the schema and its objects.

then do not choose MANAGE.

If the requirement says:

> Can update table data.

then choose MODIFY, not MANAGE.

---

8. Privilege inheritance

Unity Catalog supports privilege inheritance. When a privilege is granted on a parent object, it applies to current and future child objects. For example, granting a privilege on a schema can apply to all current and future tables in that schema.

Example:

GRANT SELECT ON SCHEMA sales.customers TO `analysts`;

This can grant SELECT on all current and future tables and views in that schema.

This is useful when a group needs access to many tables in the same schema.

But for least privilege, be careful:

|Grant level|Access scope| |---|---| |Table level|Narrowest| |Schema level|All current and future objects in one schema| |Catalog level|All current and future objects in one catalog|

For DP-750, if the question says all data in Catalog1 and Catalog2, granting at the catalog level might be reasonable. If the question says one table only, grant table-level access.

---

9. Service principals and SQL warehouses

A service principal is often used by external applications, automation, or jobs.

If an external application connects to a SQL warehouse and needs to query Unity Catalog data, the service principal needs the same Unity Catalog data privileges as a normal user.

For example, if service principal SP1 must query tables in Catalog1 and Catalog2, it needs:

USE CATALOG
USE SCHEMA
SELECT

For DP-750, remember:

> Authentication is not enough. > The service principal also needs Unity Catalog privileges.

---

10. Job permissions vs Run as permissions

Lakeflow Jobs use two permission concepts:

  1. Job privileges: who can view, run, or manage the job.
  1. Run as privileges: what identity the job uses to access data and resources during execution.

Databricks documentation says job privileges are evaluated when a user performs an action on the job, such as editing or running it, while Run as privileges are evaluated during the job run.

For DP-750, this means:

|Requirement|Permission type| |---|---| |User can run a job|Job permission, such as CAN RUN| |Job can read/write data|Run as user or service principal needs data privileges| |User can edit job settings|Higher job permission, such as manage permission| |User only needs to trigger a job|CAN RUN is usually enough|

In exam questions, if the requirement says:

> User1 can run Databricks jobs.

the least-privilege answer is:

Grant CAN RUN permissions for the jobs.

Do not assign workspace admin.

---

11. Workspace entitlements vs Unity Catalog privileges

Not every permission in Databricks is a Unity Catalog privilege.

Some permissions are workspace entitlements.

For example, Databricks documentation says the Allow unrestricted cluster creation entitlement gives users or service principals permission to create unrestricted clusters. Non-admin users are not granted this entitlement unless explicitly assigned.

This is different from Unity Catalog data access.

|Requirement|Permission category| |---|---| |Query table data|Unity Catalog privileges| |Update table data|Unity Catalog privileges| |Create tables in a schema|Unity Catalog privileges| |Run a Databricks job|Job permission| |Create unrestricted clusters|Workspace entitlement|

For DP-750, do not confuse:

USE CATALOG / USE SCHEMA / SELECT / MODIFY

with:

CAN RUN
Allow unrestricted cluster creation
Workspace admin

They solve different problems.

---

12. Basic GRANT syntax

Unity Catalog privileges are usually granted with SQL.

Common examples:

GRANT USE CATALOG ON CATALOG catalog1 TO `group1`;
GRANT USE SCHEMA ON SCHEMA catalog1.schema1 TO `group1`;
GRANT SELECT ON TABLE catalog1.schema1.table1 TO `group1`;
GRANT MODIFY ON TABLE catalog1.schema1.table1 TO `group1`;
GRANT CREATE TABLE ON SCHEMA catalog1.schema1 TO `group1`;

In some older exam-style options, you may see USAGE. In current Databricks documentation, the Unity Catalog terminology is generally USE CATALOG and USE SCHEMA.

---

13. DP-750 decision table for permissions

|Scenario in the question|Best answer pattern| |---|---| |Query table data|USE CATALOG + USE SCHEMA + SELECT| |Query many tables in a schema|USE CATALOG + USE SCHEMA + SELECT on schema| |Query many tables in a catalog|USE CATALOG + USE SCHEMA + SELECT at catalog/schema scope| |Update table data|USE CATALOG + USE SCHEMA + MODIFY| |Create tables in one schema|USE CATALOG + USE SCHEMA + CREATE TABLE| |Cannot grant permissions|Do not grant MANAGE or ownership| |Run Databricks jobs|CAN RUN on the job| |Provision clusters of any size|Allow unrestricted cluster creation entitlement| |Least privilege|Avoid workspace admin, owner, broad catalog grants if narrower grants work|

---

Real Exam Questions

Question 22

You have an Azure Databricks workspace that is enabled for Unity Catalog and contains two catalogs named Catalog1 and Catalog2.

An external application uses a service principal named SP1 to connect to a SQL warehouse.

You need to ensure that SP1 can query the data in Catalog1 and Catalog2. The solution must follow the principle of least privilege.

Which permissions should you grant to SP1 for the catalogs?

A. USE SCHEMA and SELECT B. USE CATALOG and SELECT C. USE CATALOG, USE SCHEMA, and SELECT ✅ Correct Answer D. USE CATALOG and USE SCHEMA

---

Question 24

You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a catalog named catalog1.

You have a group named group1.

You plan to create a schema named schema1 in catalog1.

You need to ensure that group1 meets the following requirements:

  1. Can create tables in schema1
  2. Can modify and query tables
  3. Cannot grant permissions for the schema and its objects

How should you complete the SQL statements?

CREATE SCHEMA catalog1.schema1;

GRANT {} ON SCHEMA catalog1.schema1 {};

|Area|Answer| |---|---| |Privileges|USAGE, CREATE TABLE ✅ Correct Answer| |Principal|TO ROLE group1 ✅ Correct Answer|

---

Question 31

You have an Azure Databricks workspace named Workspace1. You have a user named User1 that is a non-admin user for Workspace1. You need to ensure that User1 can perform the following tasks:

  1. Provision clusters of any size.
  2. Run Databricks jobs.

The solution must follow the principle of least privilege.

What should you do?

Options:

  1. Assign the workspace admins role
  2. Assign the Consumer access entitlement
  3. Grant the CAN RUN permissions for the jobs
  4. Assign the Contributor role for a resource group
  5. Assign the Allow unrestricted cluster creation entitlement

|Requirement|Answer| |---|---| |To ensure that User1 can provision clusters|5. Assign the Allow unrestricted cluster creation entitlement ✅ Correct Answer| |To ensure that User1 can run jobs|3. Grant the CAN RUN permissions for the jobs ✅ Correct Answer|

---

Question 33

You have an Azure Databricks workspace that is enabled for Unity Catalog and contains a catalog named catalog1.

You have a group named group1. Group1 already has the USE CATALOG privilege on catalog1.

You create a schema named schema1 in catalog1.

You need to ensure that group1 can create tables in schema1. Group1 must not be able to grant permissions on the schema or its objects. The solution must follow the principle of least privilege.

How should you complete the SQL statement?

GRANT {} ON SCHEMA catalog1.schema1 {};

|Area|Answer| |---|---| |Privileges|CREATE TABLE, USE SCHEMA ✅ Correct Answer| |Principal|TO group1 ✅ Correct Answer|

---

Question 34

You have an Azure Databricks workspace that is attached to a Unity Catalog metastore named metastore1.

metastore1 contains:

  • A catalog named Sales
  • A schema named Customers in the Sales catalog
  • A table named Customer_details in the Customers schema

You need to ensure that a user named User1 can update the data in Customer_details.

The solution must meet the following requirements:

  1. Ensure that User1 cannot create new tables.
  2. Follow the principle of least privilege.

Which permission should you grant to User1 for each object?

|Object|Answer| |---|---| |The Sales catalog|USE CATALOG ✅ Correct Answer| |The Customers schema|USE SCHEMA ✅ Correct Answer| |The Customer_details table|MODIFY ✅ Correct Answer|

---

Key takeaways

For DP-750, Unity Catalog permission questions usually test whether you understand the full access path.

Remember these patterns:

  • To read data: USE CATALOG + USE SCHEMA + SELECT
  • To update data: USE CATALOG + USE SCHEMA + MODIFY
  • To create tables: USE CATALOG + USE SCHEMA + CREATE TABLE
  • USE CATALOG does not mean SELECT.
  • USE SCHEMA does not mean SELECT.
  • MODIFY is for data changes.
  • CREATE TABLE is for creating new tables.
  • MANAGE is broader and can allow permission management.
  • CAN RUN is for job execution, not data access.
  • Allow unrestricted cluster creation is a workspace entitlement, not a Unity Catalog privilege.

If you can identify whether the question is about data access, object creation, job execution, or cluster provisioning, you can usually find the correct DP-750 permission answer quickly.

Add Comments

Comments

Loading comments...