Support Questions
Find answers, ask questions, and share your expertise

Restrict Create Database Permissions

New Contributor


We are running HDP 2.2.6 with ranger & kerberos enabled. We have AD integration via LDAP. I would like to disable users within certain groups from having the ability to create new hive databases. These users still need to be able to create tables within certain databases. We are having trouble figuring this out.


David Bess



- To specify list of users/groups who can create a database, create a Ranger policy with: resource={table=*; column=*; database=<db-name-pattern>;}; permissions={'create'}.

- To allow users to create tables in specific databases, create a Ranger policy with: resource={database=<db-name1>, <db-name2>; table=*; column=*}; permissions={'create'}.

- Please note that 'create' permission is used to authorize both create-database and create-table. To authorize create-database, Ranger would require a policy that has table=*, column=* and database=<db-name-pattern>

- Also, please note that you can not explicitly specify list of users/groups that should be denied specific access. When no Ranger policy authorizes the access, the access request will be denied; so, please ensure that no policy authorizes create access to those users/groups.