MetricSign
High severity | dbt

Power BI Refresh Error:
Permission Denied / Insufficient Privileges

What does this error mean?

The dbt service account does not have the necessary privileges to perform an operation on a warehouse object — CREATE, DROP, INSERT, UPDATE, or SELECT on a schema, table, or view. The model fails at the warehouse level with an authorization error.

Common causes

  • The dbt service account was not granted USAGE on the target schema or database
  • The role assigned to the dbt service account was changed and lost required privileges
  • dbt attempts to CREATE OR REPLACE a table in a schema where only SELECT is granted
  • Post-model hooks try to GRANT permissions to downstream roles, but the service account itself lacks GRANT OPTION
  • The target schema does not exist and the service account lacks CREATE SCHEMA privilege to create it

How to fix it

  1. Run the dbt permission audit query for your warehouse to identify missing grants (dbt documentation provides warehouse-specific permission setup scripts).
  2. For Snowflake: `GRANT USAGE ON DATABASE <db> TO ROLE <dbt_role>; GRANT ALL ON SCHEMA <schema> TO ROLE <dbt_role>;`.
  3. For BigQuery: ensure the service account has `BigQuery Data Editor` on the target dataset and `BigQuery Job User` on the project.
  4. For Databricks: grant `ALL PRIVILEGES ON SCHEMA <schema> TO <service_principal>` in the Unity Catalog.
  5. If the issue is with post-hooks granting to downstream roles, ensure the service account has WITH GRANT OPTION on the objects it tries to share.
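
One way to carry out the audit in step 1 for Snowflake, as an added example (not code from dbt or MetricSign): it compares rows from `SHOW GRANTS TO ROLE <dbt_role>` with what each target schema needs. The grant rows, object names and the `missing_grants` helper are constructed for illustration, and it assumes models are materialized as tables or views only.

```python
# Constructed sample of rows from Snowflake's `SHOW GRANTS TO ROLE <dbt_role>`,
# reduced to the columns used here. All object names are hypothetical.
SAMPLE_GRANTS = [
    {"privilege": "USAGE", "granted_on": "DATABASE", "name": "ANALYTICS"},
    {"privilege": "USAGE", "granted_on": "SCHEMA", "name": "ANALYTICS.STAGING"},
    {"privilege": "CREATE TABLE", "granted_on": "SCHEMA", "name": "ANALYTICS.STAGING"},
    {"privilege": "CREATE VIEW", "granted_on": "SCHEMA", "name": "ANALYTICS.STAGING"},
    {"privilege": "USAGE", "granted_on": "SCHEMA", "name": "ANALYTICS.MARTS"},
    {"privilege": "SELECT", "granted_on": "TABLE", "name": "ANALYTICS.RAW.ORDERS"},
]

# Assumption: dbt only builds tables and views in the target schemas.
SCHEMA_PRIVS = ("USAGE", "CREATE TABLE", "CREATE VIEW")


def missing_grants(grants, database, target_schemas):
    """Return (privilege, object_type, object_name) tuples the role still lacks.

    target_schemas maps schema name -> True if the schema already exists.
    A schema that does not exist yet needs CREATE SCHEMA on the database,
    because dbt will try to create it on the first model that targets it.
    """
    held = {(g["privilege"].upper(), g["granted_on"].upper(), g["name"].upper())
            for g in grants}

    def has(priv, kind, name):
        # The owning role holds every privilege on the object it owns.
        return (priv, kind, name) in held or ("OWNERSHIP", kind, name) in held

    db = database.upper()
    missing = []
    if not has("USAGE", "DATABASE", db):
        missing.append(("USAGE", "DATABASE", db))
    for schema, exists in target_schemas.items():
        if not exists:
            need = ("CREATE SCHEMA", "DATABASE", db)
            if not has(*need) and need not in missing:
                missing.append(need)
            continue
        fq = f"{db}.{schema.upper()}"
        missing.extend((p, "SCHEMA", fq) for p in SCHEMA_PRIVS
                       if not has(p, "SCHEMA", fq))
    return missing


if __name__ == "__main__":
    targets = {"STAGING": True, "MARTS": True, "SNAPSHOTS": False}
    for priv, kind, name in missing_grants(SAMPLE_GRANTS, "ANALYTICS", targets):
        print(f"missing: {priv} ON {kind} {name}")
```

With the sample rows, models in STAGING build while models in MARTS and SNAPSHOTS fail, which is the "some models but not others" pattern covered in the FAQ.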

Frequently asked questions

Does dbt create target schemas automatically?

Yes — dbt creates schemas if they don't exist, but only if the service account has CREATE SCHEMA privilege. Without it, dbt fails on the first model targeting a new schema.

Why does the permission error only affect some models and not others?

Permission grants are schema- or object-level. A model in schema A may succeed while schema B fails if the service account lacks USAGE and CREATE on B. Check the schema in the failing model's target config.

After fixing permissions, do I need to do anything special to re-run the failed models?

No — re-trigger the dbt Cloud job or run `dbt run --select <failed_model>+`. Permission fixes take effect immediately on the next execution; dbt does not cache failures between runs.

Official documentation: https://docs.getdbt.com/docs/core/connect-data-platform/connection-profiles
