DP-750 Certification Practice Question #18

Question

A data platform team at Contoso manages a Unity Catalog metastore. A nightly ingestion job runs as an Azure Databricks **service principal** named `ingest-sp` (application ID `a1b2c3d4-1111-2222-3333-444455556666`). The job must be able to read from and write to every current and future table in the `sales` schema of the `prod` catalog, but it must not be able to create new tables or alter privileges.

You connect to a SQL warehouse as the owner of the `prod` catalog and run a sequence of `GRANT` statements. Which statement set correctly gives the service principal exactly the access it needs, following the Unity Catalog privilege model?

```sql
-- Option building blocks (do not run yet)
GRANT USE CATALOG ON CATALOG prod TO `a1b2c3d4-1111-2222-3333-444455556666`;
GRANT USE SCHEMA  ON SCHEMA  prod.sales TO `a1b2c3d4-1111-2222-3333-444455556666`;
GRANT SELECT, MODIFY ON SCHEMA prod.sales TO `a1b2c3d4-1111-2222-3333-444455556666`;
```

Accepted Answer

In Unity Catalog, reading or writing a table requires the operational privilege (`SELECT`/`MODIFY`) on the object plus the usage privileges `USE CATALOG` on the parent catalog and `USE SCHEMA` on the parent schema. These usage privileges are a separate access-control boundary and are never implied by an object-level grant. Granting `SELECT, MODIFY` at the schema level uses privilege inheritance so the grant covers all current and future tables in `sales`, while deliberately omitting `CREATE TABLE` and `MANAGE`. A service principal is named by its application ID, wrapped in backticks because it contains special characters.

More DP-750 practice questions