Skip to main content
Copy this SQL script and run it as a catalog owner or metastore admin.
Replace the placeholder values before running:
  • your_catalog → Your Unity Catalog name
  • anomalyarmor → Your service principal or user name

Prerequisites

  • Databricks workspace with Unity Catalog enabled
  • SQL Warehouse (serverless or classic)
  • Service principal or user account for AnomalyArmor

Full Catalog Access

Recommended for simplicity: 
-- =============================================================================
-- AnomalyArmor Databricks Unity Catalog Permissions
-- =============================================================================
-- WHAT THIS GRANTS:
-- - USE CATALOG: Access catalog metadata
-- - USE SCHEMA: Access schema metadata
-- - SELECT: Read table data for freshness checks
--
-- WHAT THIS DOES NOT GRANT:
-- - CREATE: No table/schema/catalog creation
-- - MODIFY: No data modification
-- - MANAGE: No permission management
-- =============================================================================

-- Grant access to the catalog
GRANT USE CATALOG ON CATALOG your_catalog TO `anomalyarmor`;

-- Grant access to all schemas in the catalog
GRANT USE SCHEMA ON CATALOG your_catalog TO `anomalyarmor`;

-- Grant read access to all tables in the catalog
GRANT SELECT ON CATALOG your_catalog TO `anomalyarmor`;

Per-Schema Permissions

For granular access to specific schemas only: 
-- Grant catalog access (required)
GRANT USE CATALOG ON CATALOG your_catalog TO `anomalyarmor`;

-- Grant schema access per schema
GRANT USE SCHEMA ON SCHEMA your_catalog.raw TO `anomalyarmor`;
GRANT USE SCHEMA ON SCHEMA your_catalog.staging TO `anomalyarmor`;
GRANT USE SCHEMA ON SCHEMA your_catalog.marts TO `anomalyarmor`;

-- Grant read access per schema
GRANT SELECT ON SCHEMA your_catalog.raw TO `anomalyarmor`;
GRANT SELECT ON SCHEMA your_catalog.staging TO `anomalyarmor`;
GRANT SELECT ON SCHEMA your_catalog.marts TO `anomalyarmor`;

Service Principal Setup

Service principals are more secure than personal access tokens:
  • Organization-owned, not tied to individual users
  • Persist regardless of employee changes
  • Can be managed centrally
  1. Create service principal: Admin Console → Service Principals → Add Service Principal
  2. Generate OAuth secret: Select the service principal → Secrets → Generate Secret
  3. Copy the Client ID and Client Secret for AnomalyArmor
-- Grant permissions to service principal
GRANT USE CATALOG ON CATALOG your_catalog TO `anomalyarmor-monitoring`;
GRANT USE SCHEMA ON CATALOG your_catalog TO `anomalyarmor-monitoring`;
GRANT SELECT ON CATALOG your_catalog TO `anomalyarmor-monitoring`;

Verification

-- Run as the AnomalyArmor user/service principal

-- Test 1: Can list schemas
SHOW SCHEMAS IN CATALOG your_catalog;

-- Test 2: Can list tables
SHOW TABLES IN SCHEMA your_catalog.your_schema;

-- Test 3: Can query for freshness
SELECT MAX(event_timestamp) FROM your_catalog.your_schema.your_table;

View Current Permissions

-- Show grants on catalog
SHOW GRANTS ON CATALOG your_catalog;

-- Show grants to specific user/service principal
SHOW GRANTS TO `anomalyarmor`;

Cleanup

REVOKE SELECT ON CATALOG your_catalog FROM `anomalyarmor`;
REVOKE USE SCHEMA ON CATALOG your_catalog FROM `anomalyarmor`;
REVOKE USE CATALOG ON CATALOG your_catalog FROM `anomalyarmor`;

Back to Databricks Guide

Complete setup instructions