---
name: ckg-databricks-unity-catalog
description: "Databricks Unity Catalog — complete CKG of the docs.databricks.com Unity Catalog surface. 205 nodes, 327 edges, 9 domains. Covers the account/workspace/metastore model and three-level namespace, the catalog/schema/table/view/volume/function/model object model + system tables, Catalog Explorer discovery and AI-generated docs/certification, Lakehouse Monitoring and pipeline expectations, automatic table & column lineage, the privilege/ownership/inheritance access model with row filters/column masks/dynamic views and ABAC governed tags, storage credentials/external locations/managed storage, audit logs, business context (governed tags, tag policies, certification, data products), open formats (Delta Lake, managed Iceberg/UniForm, Iceberg REST Catalog API, Unity Catalog OSS, Lakehouse Federation), and sharing (Delta Sharing, Clean Rooms, Marketplace)."
metadata:
  node_type: reference
  type: reference
  version: 1.0.0
  date: 2026-06-18
  source: "Databricks documentation — https://docs.databricks.com (Unity Catalog)"
  nodes: 205
  edges: 327
  domains: 9
  formats:
    - md
---

# Databricks Unity Catalog — Compressed Knowledge Graph (CKG) v1.0.0
# Source: docs.databricks.com  (live docs, fetched 2026-06-18)
# NOTE: Unity Catalog is the unified governance layer for data & AI on the Databricks Lakehouse;
#       the open-source server (unitycatalog.io, Apache 2.0 / LF AI & Data) mirrors the same object model.
# Generated by Graphify.md | graphifymd.com
# 205 concepts · 327 dependency edges · 9 domains
# Paste into any LLM, ask: "What depends on [concept]?" or "Trace the path from External Location to Managed Iceberg Table."

## META
domain:      databricks-unity-catalog
nodes:       205
edges:       327
domains:     9 (CORE · META · SRCH · DQ · LIN · GOV · GLOS · OPEN · SHARE)
edge_type:   technical dependency (source concept required to understand/implement the target)
version:     1.0.0

## CORE — Account, Workspace, Metastore & Namespace (22 concepts)
# Source: data-governance/unity-catalog (overview) · enable-workspaces · create-metastore · admin-privileges · catalogs
Databricks Lakehouse Platform                                                   deps: none (root)
Unity Catalog                                                                   deps: Databricks Lakehouse Platform
Databricks Account                                                              deps: none (root)
Account Console                                                                 deps: Databricks Account
Workspace                                                                       deps: Databricks Account
Cloud Object Storage                                                            deps: none (root)
Metastore                                                                       deps: Unity Catalog | Databricks Account
Metastore per Region                                                            deps: Metastore
Workspace-Metastore Assignment                                                  deps: Workspace | Metastore
Identity Federation                                                             deps: Databricks Account | Workspace
Account-Level Identities (users/groups/SPs)                                     deps: Identity Federation
Account Admin                                                                   deps: Databricks Account | Account-Level Identities (users/groups/SPs)
Metastore Admin                                                                 deps: Metastore | Account-Level Identities (users/groups/SPs)
Workspace Admin                                                                 deps: Workspace | Account-Level Identities (users/groups/SPs)
Three-Level Namespace (catalog.schema.object)                                   deps: Metastore
Securable Object                                                                deps: Metastore | Three-Level Namespace (catalog.schema.object)
Workspace-Catalog Binding                                                       deps: Workspace | Three-Level Namespace (catalog.schema.object)
Default Catalog                                                                 deps: Three-Level Namespace (catalog.schema.object) | Workspace
Workspace Catalog (auto-provisioned)                                            deps: Default Catalog | Workspace-Metastore Assignment
hive_metastore (legacy catalog)                                                 deps: Workspace | Three-Level Namespace (catalog.schema.object)
Legacy Hive Metastore Migration (UCX)                                           deps: hive_metastore (legacy catalog) | Metastore
Unified Governance for Data & AI                                                deps: Unity Catalog | Securable Object

## META — Object Model — Catalogs, Schemas, Tables, Views, Volumes, Functions, Models, System Tables (35 concepts)
# Source: catalogs · tables/managed · views · volumes · machine-learning/manage-model-lifecycle · admin/system-tables · information_schema
Catalog                                                                         deps: Three-Level Namespace (catalog.schema.object) | Metastore
Schema (database)                                                               deps: Catalog
Table                                                                           deps: Schema (database)
Managed Table                                                                   deps: Table
External Table                                                                  deps: Table
Foreign Table                                                                   deps: Table
View                                                                            deps: Schema (database)
Materialized View                                                               deps: Schema (database) | View
Streaming Table                                                                 deps: Table
Metric View                                                                     deps: Schema (database) | View
Temporary View                                                                  deps: View
Volume                                                                          deps: Schema (database)
Managed Volume                                                                  deps: Volume
External Volume                                                                 deps: Volume
Volume Path (/Volumes/catalog/schema/volume)                                    deps: Volume | Three-Level Namespace (catalog.schema.object)
Function                                                                        deps: Schema (database)
SQL User-Defined Function (UDF)                                                 deps: Function
Python UDF                                                                      deps: Function
Registered Model (Models in Unity Catalog)                                      deps: Schema (database) | Function
Model Version                                                                   deps: Registered Model (Models in Unity Catalog)
Model Alias                                                                     deps: Model Version
MLflow Model Registry (databricks-uc)                                           deps: Registered Model (Models in Unity Catalog)
Column                                                                          deps: Table | View
Comment (object/column)                                                         deps: Table | Column | Schema (database) | Catalog
Constraint                                                                      deps: Table
System Catalog (system)                                                         deps: Catalog | Metastore
system.access schema                                                            deps: System Catalog (system)
system.billing schema                                                           deps: System Catalog (system)
system.compute schema                                                           deps: System Catalog (system)
system.lakeflow schema                                                          deps: System Catalog (system)
system.query schema                                                             deps: System Catalog (system)
system.storage schema                                                           deps: System Catalog (system)
system.marketplace schema                                                       deps: System Catalog (system)
information_schema (per-catalog)                                                deps: Catalog
External Metadata (external system object)                                      deps: Metastore | Securable Object

## SRCH — Discovery, Catalog Explorer, Search, Tags, AI Docs, Certification (19 concepts)
# Source: catalog-explorer · certify-deprecate-data · tags · Discover (curated internal marketplace) · search
Catalog Explorer                                                                deps: Unity Catalog | Securable Object
Browse Catalogs / Schemas / Objects                                             deps: Catalog Explorer | Three-Level Namespace (catalog.schema.object)
Workspace Search                                                                deps: Catalog Explorer
Sample Data Preview                                                             deps: Catalog Explorer | Table
Object Details / Schema View                                                    deps: Catalog Explorer | Table | Column
Tag (key + optional value)                                                      deps: Securable Object
Apply Tag to Object / Column                                                    deps: Tag (key + optional value) | Column
AI-Generated Comments                                                           deps: Catalog Explorer | Comment (object/column)
AI-Generated Documentation                                                      deps: AI-Generated Comments | Table | Column
Natural Language Exploration (LLM)                                              deps: Catalog Explorer | Sample Data Preview
Genie Code Interface                                                            deps: Catalog Explorer
Certification Status (system.certification_status)                              deps: Tag (key + optional value)
Certified Flag                                                                  deps: Certification Status (system.certification_status)
Deprecated Flag                                                                 deps: Certification Status (system.certification_status)
Certification Status Search Filter                                              deps: Workspace Search | Certification Status (system.certification_status)
Intelligent Signals (quality/usage/relationships)                               deps: Catalog Explorer | Certification Status (system.certification_status)
Discover Experience (curated marketplace)                                       deps: Catalog Explorer | Data Steward Curation
Data Steward Curation                                                           deps: Catalog Explorer | Certified Flag
Insights (popularity/frequent queries)                                          deps: Catalog Explorer | Workspace Search

## DQ — Data Quality — Lakehouse Monitoring, Expectations, Constraints (23 concepts)
# Source: lakehouse-monitoring · ldp/expectations · ldp/expectation-patterns · table constraints
Lakehouse Monitoring                                                            deps: Unity Catalog | Table
Monitor                                                                         deps: Lakehouse Monitoring
Snapshot Profile Monitor                                                        deps: Monitor
Time Series Profile Monitor                                                     deps: Monitor
Inference Log Monitor                                                           deps: Monitor
Profile Metrics Table                                                           deps: Monitor
Drift Metrics Table                                                             deps: Monitor
Baseline Table                                                                  deps: Monitor
Data Slices / Time Windows                                                      deps: Profile Metrics Table
Monitor Dashboard                                                               deps: Profile Metrics Table | Drift Metrics Table
Monitor Alerts                                                                  deps: Monitor Dashboard
Lakeflow Declarative Pipelines (DLT)                                            deps: Streaming Table | Materialized View
Pipeline Expectation                                                            deps: Lakeflow Declarative Pipelines (DLT)
expect (retain + track)                                                         deps: Pipeline Expectation
expect_or_drop (drop invalid)                                                   deps: Pipeline Expectation
expect_or_fail (halt pipeline)                                                  deps: Pipeline Expectation
Expectation Metrics (pass/fail counts)                                          deps: Pipeline Expectation
Table Constraint                                                                deps: Constraint
CHECK Constraint                                                                deps: Table Constraint
NOT NULL Constraint                                                             deps: Table Constraint
Primary Key (informational)                                                     deps: Table Constraint
Foreign Key (informational)                                                     deps: Table Constraint
data_quality_monitoring system table                                            deps: system.access schema | Monitor

## LIN — Lineage — Automatic Table & Column Lineage (15 concepts)
# Source: data-lineage · lineage graph · system.access.table_lineage / column_lineage
Data Lineage                                                                    deps: Unity Catalog | Metastore
Automatic Lineage Capture                                                       deps: Data Lineage
Table-Level Lineage                                                             deps: Automatic Lineage Capture | Table
Column-Level Lineage                                                            deps: Table-Level Lineage | Column
Lineage Graph                                                                   deps: Table-Level Lineage | Column-Level Lineage
Lineage Graph Visualization (Catalog Explorer)                                  deps: Lineage Graph | Catalog Explorer
Upstream / Downstream Lineage                                                   deps: Lineage Graph Visualization (Catalog Explorer)
Notebook / Job / Pipeline Lineage                                               deps: Automatic Lineage Capture | Workspace
Dashboard / Query Lineage                                                       deps: Automatic Lineage Capture
ML Model Lineage                                                                deps: Automatic Lineage Capture | Registered Model (Models in Unity Catalog)
External Asset Lineage (External Metadata)                                      deps: Automatic Lineage Capture | External Metadata (external system object)
Lineage System Tables (table_lineage/column_lineage)                            deps: system.access schema | Table-Level Lineage | Column-Level Lineage
Lineage Permissions (BROWSE/SELECT gating)                                      deps: Lineage Graph | Privilege
Lineage Retention (1-yr system tables)                                          deps: Lineage System Tables (table_lineage/column_lineage)
Impact Analysis / Root-Cause Tracing                                            deps: Upstream / Downstream Lineage

## GOV — Governance — Privileges, Storage, FGAC, ABAC, Audit (42 concepts)
# Source: permissions-concepts · privileges (reference) · manage-privileges · row-and-column-filters · abac · external-locations · audit-logs
Principal (user/group/service principal)                                        deps: Account-Level Identities (users/groups/SPs)
Privilege                                                                       deps: Securable Object
Ownership / Owner                                                               deps: Securable Object | Principal (user/group/service principal)
GRANT                                                                           deps: Privilege | Principal (user/group/service principal)
REVOKE                                                                          deps: Privilege | Principal (user/group/service principal)
Privilege Inheritance (downward)                                                deps: Privilege | Three-Level Namespace (catalog.schema.object)
ALL PRIVILEGES                                                                  deps: Privilege
MANAGE privilege                                                                deps: Privilege
BROWSE privilege                                                                deps: Privilege
USE CATALOG                                                                     deps: Privilege | Catalog
USE SCHEMA                                                                      deps: Privilege | Schema (database)
CREATE SCHEMA / CREATE TABLE / CREATE VOLUME / CREATE FUNCTION / CREATE MODEL   deps: Privilege | Catalog | Schema (database)
SELECT                                                                          deps: Privilege | Table | View
MODIFY                                                                          deps: Privilege | Table
EXECUTE                                                                         deps: Privilege | Function
READ VOLUME / WRITE VOLUME                                                      deps: Privilege | Volume
APPLY TAG                                                                       deps: Privilege | Tag (key + optional value)
EXTERNAL USE SCHEMA                                                             deps: Privilege | Schema (database)
Storage Credential                                                              deps: Metastore | Cloud Object Storage
IAM Role / Managed Identity / Service Principal (cloud auth)                    deps: Storage Credential
External Location                                                               deps: Storage Credential | Cloud Object Storage
Managed Storage Location                                                        deps: External Location | Metastore | Catalog | Schema (database)
Default Storage                                                                 deps: Managed Storage Location
READ FILES / WRITE FILES                                                        deps: Privilege | Storage Credential | External Location
Service Credential                                                              deps: Metastore
Allowlist (init scripts/JARs)                                                   deps: Metastore | External Location
Dynamic View (FGAC)                                                             deps: View | Privilege
current_user() / is_account_group_member()                                      deps: Dynamic View (FGAC)
Row Filter Function                                                             deps: SQL User-Defined Function (UDF) | Table
Column Mask Function                                                            deps: SQL User-Defined Function (UDF) | Column
ALTER TABLE SET ROW FILTER                                                      deps: Row Filter Function
ALTER COLUMN SET MASK                                                           deps: Column Mask Function
Fine-Grained Access Control (FGAC)                                              deps: Row Filter Function | Column Mask Function | Dynamic View (FGAC)
Attribute-Based Access Control (ABAC)                                           deps: Governed Tag | Privilege Inheritance (downward)
ABAC Policy                                                                     deps: Attribute-Based Access Control (ABAC)
Row Filter Policy                                                               deps: ABAC Policy | Row Filter Function
Column Mask Policy                                                              deps: ABAC Policy | Column Mask Function
GRANT Policy (Beta)                                                             deps: ABAC Policy | GRANT
Audit Logs                                                                      deps: Metastore | Databricks Account
system.access.audit (audit system table)                                        deps: system.access schema | Audit Logs
Verbose Audit Logs                                                              deps: Audit Logs
Encryption (CMK / at-rest)                                                      deps: Cloud Object Storage | Metastore

## GLOS — Business Context — Governed Tags, Tag Policies, Certification, Attributes (11 concepts)
# Source: tags · governed-tags · tag-policies · certify-deprecate-data · abac
Governed Tag                                                                    deps: Tag (key + optional value) | Databricks Account
Tag Policy                                                                      deps: Governed Tag
Allowed Tag Values                                                              deps: Tag Policy
ASSIGN permission (governed tags)                                               deps: Governed Tag | Privilege
System Tag (Databricks-predefined)                                              deps: Governed Tag
Tag-Based Inheritance                                                           deps: Tag (key + optional value) | Privilege Inheritance (downward)
Business Domain (Sales/Marketing/Finance)                                       deps: Discover Experience (curated marketplace) | Governed Tag
Data Product                                                                    deps: Discover Experience (curated marketplace) | Certified Flag
Data Steward / Ownership Context                                                deps: Ownership / Owner | Data Steward Curation
Data Classification (PII tagging)                                               deps: System Tag (Databricks-predefined) | Governed Tag
Attribute (for ABAC)                                                            deps: Governed Tag | Attribute-Based Access Control (ABAC)

## OPEN — Open Formats — Delta, Iceberg/UniForm, Iceberg REST, UC OSS, Federation (24 concepts)
# Source: tables/managed · external-access/iceberg · delta/uniform · open-sourcing-unity-catalog · query-federation
Delta Lake                                                                      deps: Table
Apache Iceberg                                                                  deps: Table
Managed Iceberg Table                                                           deps: Managed Table | Apache Iceberg
Foreign Iceberg Table                                                           deps: Foreign Table | Apache Iceberg
Delta UniForm (Iceberg reads on Delta)                                          deps: Delta Lake | Apache Iceberg
Iceberg Metadata Generation (async)                                             deps: Delta UniForm (Iceberg reads on Delta)
Iceberg REST Catalog API                                                        deps: Apache Iceberg | Unity Catalog
IRC Endpoint (/api/2.1/unity-catalog/iceberg-rest)                              deps: Iceberg REST Catalog API
Credential Vending                                                              deps: IRC Endpoint (/api/2.1/unity-catalog/iceberg-rest) | Storage Credential
External Data Access (metastore setting)                                        deps: Metastore | EXTERNAL USE SCHEMA
External Engine Access (Trino/Snowflake/DuckDB/Spark/Dremio)                    deps: Iceberg REST Catalog API | Credential Vending
Predictive Optimization (OPTIMIZE/VACUUM/ANALYZE)                               deps: Managed Table | Delta Lake
Unity Catalog REST API (open)                                                   deps: Unity Catalog | Securable Object
Unity Catalog OSS (Apache 2.0)                                                  deps: Unity Catalog REST API (open)
UC OSS OpenAPI Spec + Server + Clients                                          deps: Unity Catalog OSS (Apache 2.0)
LF AI & Data Foundation (Linux Foundation)                                      deps: Unity Catalog OSS (Apache 2.0)
Multi-Format Support (Delta/Iceberg/Hudi/Parquet)                               deps: Unity Catalog OSS (Apache 2.0) | Delta Lake | Apache Iceberg
Lakehouse Federation                                                            deps: Unity Catalog | Cloud Object Storage
Connection (external system)                                                    deps: Metastore | Lakehouse Federation
Foreign Catalog                                                                 deps: Connection (external system) | Catalog
Query Federation (JDBC + pushdown)                                              deps: Foreign Catalog | Connection (external system)
Catalog Federation (Hive/Glue/Snowflake)                                        deps: Foreign Catalog
Hive Metastore Federation                                                       deps: Catalog Federation (Hive/Glue/Snowflake) | hive_metastore (legacy catalog)
Supported Sources (MySQL/Postgres/Snowflake/Redshift/BigQuery/SQL Server)       deps: Query Federation (JDBC + pushdown)

## SHARE — Sharing & Collaboration — Delta Sharing, Clean Rooms, Marketplace (14 concepts)
# Source: delta-sharing · clean-rooms · marketplace
Delta Sharing (open protocol)                                                   deps: Unity Catalog | Metastore
Share                                                                           deps: Delta Sharing (open protocol) | Metastore
Recipient                                                                       deps: Delta Sharing (open protocol)
Provider                                                                        deps: Delta Sharing (open protocol)
Databricks-to-Databricks Sharing                                                deps: Share | Recipient
Open Sharing (Databricks-to-Open)                                               deps: Share | Recipient
Recipient Bearer Token                                                          deps: Open Sharing (Databricks-to-Open)
Shared Catalog (mount of a share)                                               deps: Share | Catalog
Shared Assets (tables/views/volumes/models/notebooks)                           deps: Share | Table | Volume | Registered Model (Models in Unity Catalog)
Databricks Marketplace                                                          deps: Delta Sharing (open protocol) | Provider
Marketplace Listing / Data Product                                              deps: Databricks Marketplace | Data Product
Clean Rooms                                                                     deps: Delta Sharing (open protocol) | Securable Object
Clean Room Task / Collaboration                                                 deps: Clean Rooms
sharing.materialization_history system table                                    deps: system.access schema | Share

---

## APPENDIX A — KEY RESOURCES / API SURFACE

- **CORE** — Account -> Metastore (1 per region) -> Workspace assignment. Three-level namespace catalog.schema.object. Securables under the metastore. Identity federation lifts users/groups/service principals to the account; admins: account / metastore / workspace. Legacy hive_metastore catalog coexists; migrate with UCX.
- **META** — Securable tree: Catalog -> Schema -> {Table (managed/external/foreign), View, Materialized View, Streaming Table, Metric View, Volume (managed/external), Function (SQL/Python UDF), Registered Model (subtype of FUNCTION; versions + aliases; databricks-uc registry)}. system catalog schemas: access, billing, compute, lakeflow, query, storage, marketplace; per-catalog information_schema.
- **SRCH** — Catalog Explorer (Catalog icon) — browse, search, sample-data preview, details. AI-generated comments/docs, NL exploration (Preview), Genie Code (/getTableLineages, /getTableInsights). Certification via system.certification_status tag (certified/deprecated) + search filter. Discover = curated internal marketplace of certified data products by business domain (Private Preview).
- **DQ** — Lakehouse Monitoring: Snapshot / Time series / Inference Log monitors -> Profile Metrics + Drift Metrics tables + dashboard + alerts; optional Baseline table. Lakeflow Declarative Pipelines (DLT) expectations: expect / expect_or_drop / expect_or_fail with pass/fail metrics. Table constraints: CHECK, NOT NULL (enforced); PRIMARY KEY / FOREIGN KEY (informational).
- **LIN** — Automatic table + column lineage across all workspaces on a metastore; graph in Catalog Explorer (Lineage tab -> See Lineage Graph). Covers notebooks/jobs/pipelines/dashboards/queries/ML models/external assets. system.access.table_lineage + system.access.column_lineage (1-yr retention); BROWSE/SELECT gates visibility.
- **GOV** — Owner has all privileges + can manage all children (ownership does NOT inherit; privileges DO inherit downward). MANAGE = grant/revoke/transfer/delete without owning. Key privileges: USE CATALOG/SCHEMA, CREATE *, SELECT, MODIFY, EXECUTE, READ/WRITE VOLUME, BROWSE, APPLY TAG, EXTERNAL USE SCHEMA, ALL PRIVILEGES. FGAC: row filters (ALTER TABLE SET ROW FILTER), column masks (ALTER COLUMN SET MASK), dynamic views. ABAC policies (row filter / column mask / GRANT Beta) keyed on governed tags. Storage credential -> external location -> managed storage / default storage. Audit via system.access.audit.
- **GLOS** — Governed tags (account-level, lock icon) enforced by tag policies (allowed values) + ASSIGN permission; system tags (wrench icon, Databricks-predefined) for classification/lifecycle. Tag-based inheritance feeds ABAC. Business domains, data products, data stewardship, PII/data-classification context.
- **OPEN** — Managed tables in Delta Lake (default) or Apache Iceberg (USING iceberg). Delta UniForm exposes Iceberg reads on Delta (async metadata). Iceberg REST Catalog API at /api/2.1/unity-catalog/iceberg-rest (read/write managed Iceberg; read UniForm/foreign Iceberg) + credential vending; external engines: Trino, Snowflake, DuckDB, Spark, Dremio, Daft. Unity Catalog OSS = Apache-2.0 server/clients/OpenAPI (LF AI & Data). Lakehouse Federation: connection -> foreign catalog (query federation w/ pushdown, or catalog federation incl. Hive metastore federation).
- **SHARE** — Delta Sharing (open protocol): provider -> share -> recipient. Databricks-to-Databricks (no token) and Open Sharing (bearer token / OIDC). Shares hold tables/views/volumes/models/notebooks; recipients mount a shared catalog. Databricks Marketplace (data products on Delta Sharing) + Clean Rooms (secure multi-party collaboration). sharing.materialization_history system table.

## APPENDIX B — KEY ROLES & PRIVILEGES

- **Account admin** — creates/links metastores & workspaces, assigns admin roles, manages account identities & identity federation.
- **Metastore admin** (optional role) — manages the metastore, can grant on all securables, owns objects with no explicit owner.
- **Workspace admin** — manages workspace-level objects, users, and compute; not automatically a data owner.
- **Object owner** — full control of one securable + ability to manage (not own) its children; can GRANT/REVOKE, transfer ownership, DROP.
- **MANAGE** — grant/revoke/transfer/delete an object without owning it (does not auto-grant data access; holder can self-grant SELECT).
- **Metastore-level**: CREATE CATALOG / CONNECTION / EXTERNAL LOCATION / STORAGE CREDENTIAL / SERVICE CREDENTIAL / SHARE / RECIPIENT / PROVIDER / CLEAN ROOM / EXTERNAL METADATA; MANAGE ALLOWLIST; USE/SET SHARE PERMISSION; USE MARKETPLACE ASSETS.
- **Catalog/Schema**: USE CATALOG, USE SCHEMA, CREATE SCHEMA/TABLE/VIEW/MATERIALIZED VIEW/VOLUME/FUNCTION/MODEL, BROWSE, APPLY TAG, EXTERNAL USE SCHEMA.
- **Table/View/MV**: SELECT, MODIFY, REFRESH (MV), APPLY TAG, MANAGE, ALL PRIVILEGES.
- **Volume**: READ VOLUME, WRITE VOLUME. **Function/Model**: EXECUTE, CREATE MODEL VERSION.
- **Storage credential / external location**: READ FILES, WRITE FILES, CREATE EXTERNAL TABLE/VOLUME, CREATE MANAGED STORAGE, CREATE FOREIGN SECURABLE, EXTERNAL USE LOCATION.
- **Connection**: USE CONNECTION, CREATE FOREIGN CATALOG. **Governed tags**: ASSIGN (plus APPLY TAG).

## APPENDIX C — NAMING & DESIGN NOTES

- **Clean three-level namespace** (catalog.schema.object) is the spine — unlike Google Dataplex's logical lake/zone/asset overlay, Unity Catalog securables ARE the physical registry; objects outside the namespace (storage credentials, external locations, connections, shares, recipients, providers, clean rooms) sit directly under the metastore.
- **Ownership vs inheritance:** privileges inherit DOWNWARD (grant on catalog -> all schemas/tables); ownership does NOT inherit, but an owner can manage all child objects. MANAGE decouples administration from data access.
- **Managed is the default & recommended table type** — Databricks owns storage, optimization (Predictive Optimization: OPTIMIZE/VACUUM/ANALYZE), and lifecycle. External tables/volumes keep data in customer cloud storage governed via storage credential -> external location.
- **Open formats / no lock-in:** managed tables can be Delta Lake (default) or Apache Iceberg; Delta UniForm serves Iceberg reads on Delta; the Iceberg REST Catalog API (/api/2.1/unity-catalog/iceberg-rest) + credential vending lets Trino/Snowflake/DuckDB/Spark/Dremio read (and, for managed Iceberg, write) tables. Unity Catalog OSS open-sources the server, clients, and OpenAPI spec under Apache 2.0 (LF AI & Data Foundation).
- **Lakehouse Federation** governs external systems without moving data: a connection yields a foreign catalog (query federation with JDBC pushdown, or catalog federation incl. Hive metastore federation) — read-only, with Unity Catalog table-level access controls.
- **Two governance mechanisms for fine-grained access:** (1) classic table-level row filters + column masks (SQL UDFs via ALTER TABLE) and dynamic views; (2) ABAC policies keyed on GOVERNED TAGS (row-filter / column-mask / GRANT-Beta) that attach at catalog/schema and apply automatically wherever a tag appears — analogous to, but distinct from, Google's policy-tag taxonomies.
- **System tables (system catalog)** are the programmatic backbone: access (audit, table_lineage, column_lineage), billing (usage, list_prices), compute, lakeflow, query, storage, marketplace, sharing — plus per-catalog information_schema (ANSI metadata).
- **Sharing rides Delta Sharing** (open protocol): Databricks-to-Databricks (token-free) and Open Sharing (bearer token / OIDC) underpin both Databricks Marketplace and Clean Rooms.

---
**Version:** 1.0.0 — extracted from live Databricks documentation, 2026-06-18.
**Use for:** onboarding to Unity Catalog, data-governance & lakehouse architecture design, cert/exam prep, grounding an LLM/agent, mapping a governance program.
**Ask the graph:** "What must I understand before ABAC Policy?" · "Trace Storage Credential -> Managed Iceberg Table." · "What depends on Metastore?"
