Catalog-linked database: USAGE privilege on CATALOG INTEGRATION and EXTERNAL VOLUME required for database owner role for all operations (Preview)
Attention
This behavior change is in the 2025_07 bundle.
For the current status of the bundle, refer to Bundle History.
This behavior change alters the requirements for accessing tables in a catalog-linked database. It affects the following operations inside a catalog-linked database, which require access to the catalog integration and external volume for the database:
- Any DML operations on an object inside the database
- Any DDL operations on an object inside the database
- Automatic table discovery
- Automatically or manually refreshing a table in the database
- Reading a table in the database
- Before the change:
  To access tables in a catalog-linked database, any of the following roles must have the USAGE privilege on the external volume for the database and the USAGE privilege on the catalog integration for the database:
  - The role that has the OWNERSHIP privilege for the catalog-linked database.
  - The role that has the OWNERSHIP privilege for a table within the catalog-linked database.
  - Any role that is active for the session.
- After the change:
  To access tables in a catalog-linked database, the following role must have the USAGE privilege on the external volume for the database and the USAGE privilege on the catalog integration for the database:
  - The role that has the OWNERSHIP privilege for the catalog-linked database.
For example, the ALTER command only succeeds if the database owner role has access to the catalog integration and external volume. If you try to run the ALTER command but the database owner role doesn’t have access to the catalog integration, you’ll receive the following error:
SQL access control error: Insufficient privileges to operate on integration '<name of catalog integration>'.
If you try to run the ALTER command but the database owner role doesn’t have access to the external volume, you’ll receive the following error:
SQL access control error: Insufficient privileges to operate on external volume '<name of external volume>').
If needed, grant the required USAGE privileges to the role that owns the catalog-linked database.
In the following example, the data_engineer role, which has the OWNERSHIP privilege for the catalog-linked database, is granted the necessary USAGE privileges to provide access to the tables in the catalog-linked database:
GRANT USAGE ON INTEGRATION glueCatalogInt TO ROLE data_engineer;
GRANT USAGE ON EXTERNAL VOLUME exvol TO ROLE data_engineer;
This change makes access management for Apache Iceberg™ tables in catalog-linked databases more efficient by routing all of this management through the owner of the catalog-linked database.
Note
If you’re using catalog-vended credentials, the requirement to have the USAGE privilege for the external volume doesn’t apply either before or after the change.
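The following Python script is an added example, not Snowflake's code: it models the before and after rules from this page to find a catalog-linked database that works today only through a table owner or session role, and it emits the GRANT statements the owner role still needs. The inventory, the names cld_db and analyst, and the reading that one role must hold every required USAGE privilege (with the grant set listing effective privileges) are assumptions made for illustration.

```python
# Added example: models the before/after rules described on this page.
# All names and inventory values are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class LinkedDb:
    name: str
    owner_role: str
    catalog_integration: str
    external_volume: str
    vended_credentials: bool = False  # if True, external volume USAGE is not required

def required(db):
    """(object kind, name) pairs on which USAGE is required for this database."""
    req = [("INTEGRATION", db.catalog_integration)]
    if not db.vended_credentials:
        req.append(("EXTERNAL VOLUME", db.external_volume))
    return req

def has_all(role, db, usage):
    return all((role, kind, name) in usage for kind, name in required(db))

def allowed_before(db, table_owner, session_roles, usage):
    """Old rule, modelled as: any one candidate role holds every required USAGE."""
    candidates = {db.owner_role, table_owner, *session_roles}
    return any(has_all(role, db, usage) for role in candidates)

def allowed_after(db, usage):
    """New rule: only the database owner role counts."""
    return has_all(db.owner_role, db, usage)

def remediation(db, usage):
    """GRANT statements the owner role still needs, in the page's syntax."""
    return [f"GRANT USAGE ON {kind} {name} TO ROLE {db.owner_role};"
            for kind, name in required(db)
            if (db.owner_role, kind, name) not in usage]

# Constructed inventory: analyst holds both privileges, the owner only one.
SAMPLE_USAGE = {("analyst", "INTEGRATION", "glueCatalogInt"),
                ("analyst", "EXTERNAL VOLUME", "exvol"),
                ("data_engineer", "INTEGRATION", "glueCatalogInt")}
SAMPLE_DB = LinkedDb("cld_db", "data_engineer", "glueCatalogInt", "exvol")

if __name__ == "__main__":
    if allowed_before(SAMPLE_DB, "data_engineer", ["analyst"], SAMPLE_USAGE) \
            and not allowed_after(SAMPLE_DB, SAMPLE_USAGE):
        print("\n".join(remediation(SAMPLE_DB, SAMPLE_USAGE)))
```
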
Ref: 2114