-- Browse the namespace
SHOW CATALOGS;
SHOW SCHEMAS IN prod;
SHOW TABLES IN prod.sales;

-- Fully qualified reference
SELECT * FROM prod.sales.orders;

Securables, Principals, and Privileges

Unity Catalog grants are SQL-standard GRANT / REVOKE statements. Privileges flow down the hierarchy: a privilege on a catalog implies the same privilege on all schemas and objects below it, unless explicitly revoked.

-- Catalog-level grants
GRANT USE CATALOG ON CATALOG prod TO `data-platform`;
GRANT CREATE SCHEMA ON CATALOG prod TO `data-platform`;

-- Schema-level grants
GRANT USE SCHEMA, SELECT ON SCHEMA prod.sales TO `analyst-team`;

-- Table-level grants
GRANT SELECT ON TABLE prod.sales.orders TO `analyst-team`;
GRANT MODIFY ON TABLE prod.sales.orders TO `etl-service-principal`;

-- Volume (files) grant
GRANT READ VOLUME, WRITE VOLUME ON VOLUME prod.raw.landing TO `ingest-service`;

-- Model grant
GRANT EXECUTE ON FUNCTION prod.ml.fraud_score TO `prod-app-sp`;

Privileges that matter most in practice:

Row Filters and Column Masks

For regulated workloads — healthcare, financial services, anything with PII — table-level grants are not enough. Unity Catalog supports row filters and column masks defined as SQL functions, applied at query time.

-- Mask the email column for non-privileged users
CREATE OR REPLACE FUNCTION prod.sec.email_mask(email STRING)
RETURN CASE
  WHEN is_member('pii-readers') THEN email
  ELSE regexp_replace(email, '(^.).+(@.+$)', '$1***$2')
END;

ALTER TABLE prod.sales.customers
  ALTER COLUMN email
  SET MASK prod.sec.email_mask;

-- Row filter: only show rows for a user's region
CREATE OR REPLACE FUNCTION prod.sec.region_filter(region STRING)
RETURN region IN (
  SELECT region FROM prod.sec.user_regions WHERE user_email = current_user()
);

ALTER TABLE prod.sales.orders
  SET ROW FILTER prod.sec.region_filter ON (region);

This is significantly less brittle than the row-access-policy patterns common on legacy data warehouses. The functions are first-class SQL, version-controlled in source, and auditable in lineage.

Lineage, Audit, and System Tables

Unity Catalog automatically captures column-level lineage across SQL and notebook code. The lineage graph shows which downstream tables depend on a source column, which queries last touched it, and which users ran them. For incident response — "who saw this PII column in the last 90 days?" — the answer is one query against the system tables:

SELECT user_identity.email, request_params.full_name_arg AS table, event_time
FROM system.access.audit
WHERE service_name = 'unityCatalog'
  AND action_name = 'getTable'
  AND request_params.full_name_arg = 'prod.sales.customers'
  AND event_time > current_date() - INTERVAL 90 DAYS
ORDER BY event_time DESC;

The system.access.audit, system.lineage.table_lineage, and system.billing.usage tables are populated automatically and queryable via SQL. For organisations under DORA or NIS2, this is a meaningful uplift over the bolted-together audit pipelines that Hive metastore deployments needed.

Governing ML Models and Vector Indexes

Unity Catalog governs models the same way as tables. A model registered to UC has a fully qualified name (catalog.schema.model), versioning, ACLs, and lineage that links the training tables, the model, and the inference queries that use it.

# MLflow registration into Unity Catalog
import mlflow
mlflow.set_registry_uri("databricks-uc")

with mlflow.start_run():
    mlflow.sklearn.log_model(
        sk_model=clf,
        artifact_path="model",
        registered_model_name="prod.ml.fraud_score",
    )

Mosaic AI Vector Search indexes are also UC-governed: the index is a UC object, and access to query the index follows the same GRANT model. This matters for AI workloads under regulation — the auditor wants the same lineage and access trail for an LLM-powered application as for a SQL report.

External Locations and Cross-Cloud Sharing

External locations register cloud storage paths (S3 buckets, ADLS containers, GCS buckets) with Unity Catalog, so file access can be governed alongside table access. Combined with Delta Sharing — Databricks' open protocol for sharing live data without copying — UC enables both internal cross-workspace sharing and external sharing with partners on different clouds, even non-Databricks recipients.

Migration from Hive Metastore

The legacy hive_metastore catalog still exists in every workspace for backwards compatibility, but it does not get new features. Migration involves three phases: enable Unity Catalog at the account level, create the new catalog hierarchy, and migrate tables using SYNC SCHEMA or table cloning. Plan 1-3 quarters for a meaningful estate, run both catalogs in parallel during cutover, and treat the migration as the moment to right-size your namespace design — not just lift-and-shift the old database structure.

How Opsio Helps

Opsio designs and rolls out Unity Catalog as part of databricks implementation services engagements, with particular focus on the governance and audit posture demanded by NIS2, GDPR, DORA, and ISO 27001. We pair UC rollout with broader cloud security services for identity federation, network isolation, and key management, and with end-to-end data analytics engagements when the goal is end-to-end governed delivery from raw ingestion to executive dashboards.