What causes PERMISSION_DENIED?

User or service principal missing SELECT, MODIFY, or CREATE TABLE on a Unity Catalog securable. This is the most common cause after a Unity Catalog migration when old Hive grants are not carried over.. The service principal running a scheduled job was not granted USE CATALOG and USE SCHEMA on the parent catalog and schema. Unity Catalog enforces hierarchical permissions — table-level grants alone are not enough.. Row-level security (RLS) policies or column masks block the querying principal. The error message may not mention RLS explicitly, making this hard to diagnose without checking `DESCRIBE TABLE EXTENDED`.. A workspace-local Hive Metastore table is queried through a Unity Catalog-enabled SQL warehouse, but the table was never registered in Unity Catalog. The warehouse cannot resolve the table and returns PERMISSION_DENIED instead of TABLE_NOT_FOUND.. An external location or storage credential (e.g. for S3 or ADLS) is not granted to the principal. This happens when reading from external tables or using COPY INTO from a cloud storage path.. Service principal credentials were rotated or the client secret expired, causing the authentication to fall back to an anonymous identity that has no grants.. A cluster policy restricts data access configuration to specific service principals, and the job's cluster was started with a different identity than expected.

How do I fix PERMISSION_DENIED?

Identify the exact missing privilege from the error message. It will say something like `User X does not have SELECT on table catalog.schema.table`. Note the principal, privilege, and securable.. Run `SHOW GRANTS ON TABLE . . ` in a Databricks SQL editor or notebook to see all current grants on the target object. Compare against the principal in the error.. Grant the missing privilege: `GRANT SELECT ON TABLE . . TO `. For service principals, use the application ID: `GRANT SELECT ON TABLE main.finance.revenue TO `sp-etl-prod``.. Verify hierarchical access: `SHOW GRANTS ON CATALOG ` and `SHOW GRANTS ON SCHEMA . `. The principal needs USE CATALOG and USE SCHEMA on the parent objects. Grant if missing: `GRANT USE CATALOG ON CATALOG main TO `sp-etl-prod``.. If the job runs on a SQL warehouse, open Databricks workspace → SQL Warehouses → select the warehouse → Data Access Configuration. Confirm the service principal or run-as identity listed there matches the one you just granted privileges to.. Check for RLS or column masks: run `DESCRIBE TABLE EXTENDED . . ` and look for row filter or column mask entries. If present, verify the querying principal is allowed by the filter function.. After granting, re-run the failed job or query. Unity Catalog grants take effect immediately — no cluster restart needed. Verify the job completes successfully and downstream tables are refreshed.

High severityaccess controlDatabricks →

Databricks Error:
PERMISSION_DENIED

Impact

When scheduled production jobs start failing after a Unity Catalog migration, a service principal rotation, or a permission audit. Every failed run means downstream Delta tables go stale and Power BI refreshes will fail on the next cycle, potentially breaking SLA-bound dashboards.

PERMISSION_DENIED causes an immediate hard failure — no partial data is written, no retries are attempted. The downstream Delta table stays at its previous version, which means any dbt model, Power BI dataset, or orchestrated notebook that reads from it will either use stale data or fail as well. In pipelines with SLA requirements, a single PERMISSION_DENIED on an upstream table can cascade into missed refresh windows across multiple dashboards. Time-to-fix is typically short (a single GRANT statement), but detection delay is the real risk: without monitoring, the error can go unnoticed for hours until end users report stale reports.

What does this error mean?

Databricks raises PERMISSION_DENIED when the principal running a query — a user account, service principal, or group — lacks the required privilege on a Unity Catalog or Hive Metastore securable. The error fires at query parse time, before any data is read, so the query fails immediately with no partial results. In pipeline context this typically surfaces during a scheduled Databricks Job, a notebook task, or a SQL warehouse query triggered by an orchestrator like Azure Data Factory or dbt Cloud. The symptom is a hard failure: the task status flips to FAILED, downstream Delta tables are not updated, and any Power BI dataset refresh that depends on those tables will also fail within its next refresh cycle. The error message includes the missing privilege and the securable path (e.g. `User does not have SELECT on table main.finance.revenue`).

Common causes

1User or service principal missing SELECT, MODIFY, or CREATE TABLE on a Unity Catalog securable. This is the most common cause after a Unity Catalog migration when old Hive grants are not carried over.
2The service principal running a scheduled job was not granted USE CATALOG and USE SCHEMA on the parent catalog and schema. Unity Catalog enforces hierarchical permissions — table-level grants alone are not enough.
3Row-level security (RLS) policies or column masks block the querying principal. The error message may not mention RLS explicitly, making this hard to diagnose without checking `DESCRIBE TABLE EXTENDED`.
4A workspace-local Hive Metastore table is queried through a Unity Catalog-enabled SQL warehouse, but the table was never registered in Unity Catalog. The warehouse cannot resolve the table and returns PERMISSION_DENIED instead of TABLE_NOT_FOUND.
5An external location or storage credential (e.g. for S3 or ADLS) is not granted to the principal. This happens when reading from external tables or using COPY INTO from a cloud storage path.
6Service principal credentials were rotated or the client secret expired, causing the authentication to fall back to an anonymous identity that has no grants.
7A cluster policy restricts data access configuration to specific service principals, and the job's cluster was started with a different identity than expected.

How to fix it

1Identify the exact missing privilege from the error message. It will say something like `User X does not have SELECT on table catalog.schema.table`. Note the principal, privilege, and securable.
2Run `SHOW GRANTS ON TABLE <catalog>.<schema>.<table>` in a Databricks SQL editor or notebook to see all current grants on the target object. Compare against the principal in the error.
3Grant the missing privilege: `GRANT SELECT ON TABLE <catalog>.<schema>.<table> TO <principal>`. For service principals, use the application ID: `GRANT SELECT ON TABLE main.finance.revenue TO `sp-etl-prod``.
4Verify hierarchical access: `SHOW GRANTS ON CATALOG <catalog>` and `SHOW GRANTS ON SCHEMA <catalog>.<schema>`. The principal needs USE CATALOG and USE SCHEMA on the parent objects. Grant if missing: `GRANT USE CATALOG ON CATALOG main TO `sp-etl-prod``.
5If the job runs on a SQL warehouse, open Databricks workspace → SQL Warehouses → select the warehouse → Data Access Configuration. Confirm the service principal or run-as identity listed there matches the one you just granted privileges to.
6Check for RLS or column masks: run `DESCRIBE TABLE EXTENDED <catalog>.<schema>.<table>` and look for row filter or column mask entries. If present, verify the querying principal is allowed by the filter function.
7After granting, re-run the failed job or query. Unity Catalog grants take effect immediately — no cluster restart needed. Verify the job completes successfully and downstream tables are refreshed.

Example log output

[2026-05-11T08:14:22.531Z] [ERROR] SparkDriverError: io.databricks.sql.SparkException: [PERMISSION_DENIED] User `sp-etl-prod@myorg.databricks.com` does not have SELECT on TABLE `main.finance.revenue`. SQLSTATE: 42000
[2026-05-11T08:14:22.534Z] [ERROR] Task run_id=489201 failed with status FAILED. Error code: PERMISSION_DENIED
[2026-05-11T08:14:22.540Z] [WARN] Job 12847 run 489201: no retry attempted (non-retryable error class)

Frequently asked questions

Does PERMISSION_DENIED always mean a missing GRANT?

In most cases yes — a GRANT statement will fix it. But the error can also come from row-level security policies, column masks, expired service principal credentials, or an external location credential the principal cannot access. Check the full error message for the specific securable and privilege mentioned.

How do I grant permissions to all users in a workspace?

Grant privileges to the `account users` group: `GRANT SELECT ON SCHEMA main.finance TO `account users``. This applies to all users in the Databricks account. For workspace-scoped access, use a workspace-level group instead.

Will a PERMISSION_DENIED job automatically retry?

No. Databricks does not retry permission errors because they are deterministic — retrying the same query with the same principal will fail again. You must fix the grant first, then manually re-trigger the job or wait for the next scheduled run.

I granted SELECT but still get PERMISSION_DENIED — what am I missing?

Unity Catalog requires hierarchical access. Even with SELECT on a table, the principal also needs USE CATALOG on the catalog and USE SCHEMA on the schema. Run `SHOW GRANTS ON CATALOG <catalog>` and `SHOW GRANTS ON SCHEMA <catalog>.<schema>` to check. Also verify you granted to the correct principal — service principals and user accounts are separate identities.

Source · docs.databricks.com/aws/en/error-messages/error-classes.html