Identify the securable object type: CATALOG, SCHEMA, TABLE, VIEW, VOLUME, EXTERNAL LOCATION, STORAGE CREDENTIAL, or SHARE
Grant a privilege: GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`
Grant schema-level access: GRANT USE SCHEMA, SELECT ON SCHEMA my_catalog.my_schema TO my_group
Grant table-level access: GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO my_group
Revoke when needed: REVOKE SELECT ON TABLE my_catalog.my_schema.my_table FROM my_group
Inspect effective privileges: SHOW GRANTS ON TABLE my_catalog.my_schema.my_table
Known gotchas
Unity Catalog uses an explicit privilege model: USE CATALOG must be granted before a user can access any object inside a catalog, even if they have SELECT on specific tables
Groups must be Unity Catalog groups (account-level) or workspace groups; Databricks workspace-local groups cannot be granted Unity Catalog privileges directly
ALL PRIVILEGES is a valid shorthand but grants all currently defined privileges, which may expand in future platform versions — prefer explicit privilege lists in production
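The first and last gotchas above as an added Python check (not code from this page or from Databricks): it reports which privileges a principal still lacks to read a table, and lists ALL PRIVILEGES grants for review. The grant tuples, their layout and the function names are constructed assumptions; the model treats grants on a catalog or schema as inherited by child objects and does not resolve group membership or ownership.

```python
# Constructed sample grants: (principal, privilege, object_type, full_name).
# This tuple layout is an assumption of the example, not raw SHOW GRANTS output.
GRANTS = [
    ("my_group", "SELECT", "TABLE", "my_catalog.my_schema.my_table"),
    ("my_group", "USE SCHEMA", "SCHEMA", "my_catalog.my_schema"),
    ("analysts", "USE CATALOG", "CATALOG", "my_catalog"),
    ("analysts", "USE SCHEMA", "SCHEMA", "my_catalog.my_schema"),
    ("analysts", "SELECT", "SCHEMA", "my_catalog.my_schema"),
    ("etl_admins", "ALL PRIVILEGES", "CATALOG", "my_catalog"),
]


def scopes_for(table):
    """Return [catalog, catalog.schema, catalog.schema.table] for a table name."""
    parts = table.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected catalog.schema.table, got {table!r}")
    return [".".join(parts[:i]) for i in (1, 2, 3)]


def held(grants, principal, privilege, scopes):
    """True if privilege (or ALL PRIVILEGES) is granted on any listed scope."""
    return any(
        p == principal and priv in (privilege, "ALL PRIVILEGES") and name in scopes
        for p, priv, _obj_type, name in grants
    )


def missing_for_select(grants, principal, table):
    """Privileges the principal still needs before SELECT on table works."""
    catalog, schema, tbl = scopes_for(table)
    needed = [
        ("USE CATALOG", [catalog]),
        ("USE SCHEMA", [catalog, schema]),      # may be inherited from catalog
        ("SELECT", [catalog, schema, tbl]),     # may be inherited from either
    ]
    return [priv for priv, scopes in needed
            if not held(grants, principal, priv, scopes)]


def broad_grants(grants):
    """(principal, object) pairs using ALL PRIVILEGES instead of explicit lists."""
    return [(p, name) for p, priv, _t, name in grants if priv == "ALL PRIVILEGES"]


if __name__ == "__main__":
    for who in ("my_group", "analysts", "etl_admins"):
        print(who, missing_for_select(GRANTS, who, "my_catalog.my_schema.my_table"))
    print("review:", broad_grants(GRANTS))
```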