Share via

How to give permission to workspace level group on databricks catalog

Koteswara Pushadapu 0 Reputation points
2025-12-10T09:41:10.9633333+00:00

Hi All,
Using automation we are creating databricks components those are required for the SAAS customer.

As part of this we are able to create the following components.

  • External Location
  • Catalog (Volumes, Schemas and Tables)
  • Jobs 
  • Customer Groups at Workspace level ( Not Account Level)
  • Warehouse Computes
  • Repo folder

We are looking option to give catalog access to this customer specific group so that they can access with out any issue.

We tried in multiple ways the same but failing. Here is the error

[RequestId=96bb2f59-1801-445c-b5f7-38db70da1aca ErrorClass=PRINCIPAL_DOES_NOT_EXIST.PRINCIPAL_DOES_NOT_EXIST] Could not find principal with name koti74_admin_grp.

Request you suggest if we are doing something wrong. We are strongly believing that we can use workspace level groups for these components.

Moved from: Community Center | Discuss the Q&A site | Get started on Q&A

Azure Databricks
Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
Answer accepted by question author
  1. Manoj Kumar Boyini 1,735 Reputation points Microsoft External Staff Moderator
    2025-12-10T11:33:31.85+00:00

    Hi Koteswara Pushadapu,

    The error PRINCIPAL_DOES_NOT_EXIST: Could not find principal with name koti74_admin_grp occurs because Unity Catalog does not recognize workspace-level groups.

    Even though the group exists inside the Databricks workspace, Unity Catalog only supports account-level identities (from Databricks Account Console or Entra ID sync). Workspace-local groups cannot be assigned catalog, schema, table, volume, or external location permissions.

    Unity Catalog checks the metastore’s identity store (account level). Workspace groups do not exist there → so the GRANT command fails with PRINCIPAL_DOES_NOT_EXIST.

    1. Go to Databricks Account Console → User Management → Groups
    2. Create group koti74_admin_grp, add members, retry the permission grant

    GRANT USE CATALOG ON CATALOG <catalog_name> TO `koti74_admin_grp`;

    This will now work because the principal exists at the UC level.

    Option 2 :Use Entra ID groups with SCIM sync

    If you are provisioning customers automatically:

    Create AAD group: koti74_admin_grp, Ensure SCIM provisioning is enabled for your workspace, After sync, grant UC permissions:

    GRANT USE CATALOG ON CATALOG <catalog_name> TO `koti74_admin_grp`;

    This is the best method for multi-tenant SaaS automation.

    Hope this helps, Please let us know if you have any questions and concerns

    You found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-12-10T09:41:27.44+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To grant permissions to a workspace-level group on a Databricks catalog, you need to ensure that the group exists and is correctly referenced. The error message you are encountering, PRINCIPAL_DOES_NOT_EXIST, indicates that the specified group (koti74_admin_grp) cannot be found. Here are some steps to troubleshoot and ensure proper access:

    1. Verify Group Existence: Ensure that the workspace-level group koti74_admin_grp has been created successfully in your Databricks workspace. You can check this in the user management section of the Databricks workspace.
    2. Correct Group Reference: When assigning permissions, make sure you are using the exact name of the group as it appears in Databricks. Any discrepancies in the name will lead to the error you are seeing.
    3. Assign Permissions: Once you have verified the group exists and is correctly referenced, you can assign permissions to the catalog. This typically involves using the Unity Catalog privileges and securable objects management features. You can grant the group the necessary privileges by navigating to the catalog settings and assigning the appropriate access level to koti74_admin_grp.
    4. Use Account Groups: If you continue to face issues with workspace-level groups, consider migrating to account-level groups, as they are more flexible and can be used across multiple workspaces. This might require some adjustments in your automation scripts.
    5. Check Documentation: For detailed steps on managing permissions and groups, refer to the Databricks documentation on identity management and permissions.

    If you follow these steps and still encounter issues, you may want to reach out to Databricks support for further assistance.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.