Every organisation dealing with data at scale eventually faces the same problems: scattered permissions, unclear ownership and no simple way to trace how data flows through pipelines. Unity Catalog is Databricks’ unified governance layer for data and AI assets. It gives organisations one place to define access policies, capture audit logs, track end-to-end lineage and discover assets across all your workspaces.

‍

Key Features of Unity Catalog

Define Once, Secure Everywhere

• Unity Catalog offers a single place to administer data access policies that apply across all workspaces.

Centralised Access Control

• Unity Catalog offers a single place to administer data access control that apply across all workspaces. This ensures that data governance is consistent and secure throughout the organisation.

Standards-Compliant Security Model

• Unity Catalog uses a security model based on standard ANSI SQL, so admins can grant permissions using familiar syntax. Permissions can be set at different levels, such as catalogs, schemas (databases), tables, and views.

Auditing and Lineage

• Unity Catalog automatically captures user-level audit logs to track data access. It also captures data lineage in real time down to the table and column level, as well as for other assets like notebooks, workflows, and dashboards.

Data Discovery

• Unity Catalog allows you to tag and document data assets, providing a search interface to help data consumers find data easily.

‍

Hierarchical Structure in Unity Catalog

Managing data at scale often leads to confusion over where data lives, who owns it, and how access should be structured. Without a clear framework, enforcing consistent governance across workspaces and teams becomes difficult. Unity Catalog solves this with a logical, layered hierarchy that organises all data assets and permissions & roles from the account level down to individual tables and views making governance scalable and transparent.

1. Account Level
This is the highest level in the hierarchy, representing your entire Databricks account.

• It includes all workspaces and metastores under your organisation.
• Resources are centrally managed here for governance and operational efficiency.
  

2. Workspace Level
Workspaces are environments where users collaborate, run notebooks, and access data.

• Multiple workspaces can share a single metastore if they’re in the same region.
• This setup enables centralised governance with flexible workspace-level isolation.
  

3. Metastore Level
The metastore is the top-level container for data governance in Unity Catalog. It stores metadata and manages access controls for all objects within it. Below the metastore, Unity Catalog  uses a three-level hierarchy to organise and control securable data objects:

• Catalogs: Group high-level data domains commonly aligned with departments, teams, projects, or environments.
• Schemas: Also known as databases, schemas organise related objects within a catalog, such as tables, views, volumes, functions, and models.
• Objects: The individual data assets like your tables, views, functions, volumes, and models.
  
  Schema Objects are referenced using the format:
  ‘catalog.schema.object’
  Example: SELECT * FROM analytics.sales.transactions;
  ‍
  • Fine-Grained Access Control
    One of the biggest challenges in data governance is ensuring the right people have access to the right data and no more, no less. Unity Catalog addresses this with fine-grained access control, allowing organisations to define permissions precisely and securely.
    
    Access Control Across the Unity Catalog Object model:
    
    • Catalog-level: Manage access to entire catalog.
    • Schema-level: Restrict access to specific schema.
    • Table/View-level: Control who can access specific tables or views.
    • Row/Column-level: Limit access to sensitive data within a table, such as hiding PII columns from unauthorised users.

‍

Admin Privileges in Unity Catalog

Different admins manage different parts of this hierarchy, with clearly defined responsibilities:

• Account Admins
  • Manage the entire Databricks account.
  • Create and assign metastores and workspaces.
  • Handle user and group provisioning, account-level settings, and usage monitoring.
• Workspace Admins
  • Can manage users, groups, and admin roles within the workspace, as well as control job ownership and run settings.
  • Have full access to view and manage all workspace content, including notebooks, dashboards, and compute resources.

• Metastore Admins
  • Have full control over all objects in the metastore, including catalogs, storage credentials, external locations, connections, and Delta Sharing resources like shares, recipients, and providers.
  • Can manage permissions, transfer ownership, read and update metadata, and configure managed storage. They’re also the only users who can grant privileges at the metastore level.

‍

Auditing Data Access

Unity Catalog keeps a detailed record of every action in your metastore. This means you can see exactly who looked at or changed any dataset, and what they did. The audit information is available through system tables in Unity Catalog, so you can run SQL queries to review access logs, spot unusual behaviour and meet compliance requirements.

‍

Tracking Data Lineage

Understanding how data moves and transforms within an organisation is crucial for troubleshooting, auditing, and ensuring trust in data. Unity Catalog automatically captures end-to-end data lineage, providing visibility into data sources, transformations, and downstream usage.

This makes it easier to track changes, diagnose errors, and verify data integrity. For compliance-heavy industries, automated lineage tracking simplifies regulatory audits by offering a clear record of how data is used across various workflows.

‍

Secure Sharing with Delta Sharing & Clean Rooms

Delta Sharing lets you share tables, views or files in your cloud storage to partners, vendors or other teams without copying data. Permissions you’ve set in Unity Catalog carry over to these shares. For scenarios requiring tighter controls, clean rooms provide an isolated compute environment where multiple parties can collaborate on data without exposing raw tables to each other. You define the exact transformations allowed, and all outputs remain governed by the providers predefined access control.

‍

Governed Metrics with Unity Catalog Metrics

(Announced at the 2025 Data + AI Summit: now in Public Preview across AWS, Azure, and GCP)

As the lakehouse evolves, so does the need to treat metrics as first-class citizens. Traditionally, KPI’s and business metrics are scattered across dashboards, embedded SQL, or spreadsheets, leading to inconsistencies, errors, and duplication. Unity Catalog Metrics solves this by allowing you to define governed, reusable metric views directly in Unity Catalog.

These metrics are:

• Centrally defined using YAML files
• Queryable in SQL notebooks, dashboards, workflows, Genie space & AI models
• Governed using the same access control model as other Metastore objects.
• Lineage-tracked so you know exactly where metrics are used

This means Finance, BI, and Data Science teams can all rely on the same version of "monthly revenue", "active users", or "conversion rate" across the organisation without reimplementing logic in every tool.

‍

Best Practices  

• Use groups, not individuals
  Assign permissions to groups (data-engineers, data analysts, audit-team, DS, BI) rather than individual users, for cleaner audit trails and easier management.
  ‍
  
• Enforce least privilege
  Start with minimal access and elevate only as projects demand it.
  ‍
  
• Organise your data
  Use catalogs to separate data by environment (e.g. dev, test, prod), team, or business unit. This keeps your data well-structured and easier to govern. You can also bind catalogs to specific workspaces when stricter isolation is needed. Use schemas within catalogs to group related tables, views, and volumes, and to manage permissions more precisely.
  ‍
  
• Centralised or distributed governance model
  Unity Catalog supports both centralised and distributed governance models. In a centralised model, metastore admins manage all data and permissions across the data domain. In a distributed model, ownership is delegated, and each catalog can represent a data domain, with its own owner responsible for managing objects and access within that domain.
  

• Isolate storage per domain
  Assign dedicated storage locations at metastore, catalog or schema level (for example, an S3 bucket bound to finance) to meet compliance.
  ‍
  
• Secure cloud storage access
  Use external locations and storage credentials to give Unity Catalog controlled access to cloud storage. For better isolation, bind locations and credentials to specific workspaces and avoid using mounts for storage governed by Unity Catalog .
  

• Limit admin roles
  Keep metastore-admin and workspace-admin rights to a minimum. Use workspace-catalog bindings to prevent accidental overrides.
  ‍
  
• Monitor continuously
  Build dashboards on Unity Catalog ‘s system tables to spot unusual access patterns or policy changes in real time.

‍

Final Thoughts: Building Trust and Scalability with Unity Catalog

In the evolving landscape of modern data and AI platforms, governance is a baseline necessity. Unity Catalog isn’t just a tool for access control; it’s a strategic foundation for secure collaboration, data discoverability, and regulatory compliance across your entire organisation.

We’ve delivered solutions with Unity Catalog as the central governance layer for clients across various industries and have seen firsthand how it enables faster project delivery, reduces risk, and builds trust in data and AI outcomes. From streamlining access in highly regulated multi tenancy environments to simplifying lineage for complex pipelines, Unity Catalog has proven to be a critical enabler of both agility and control.

As your data estate grows, so does the importance of having a clear, scalable governance framework. With Databricks’ Unity Catalog, you're not only protecting your assets, you’re creating the foundation for trusted, collaborative, and future-ready data and AI projects.