Question 30
Domain 4: Assembling and Deploying Applications
An ML engineer needs to grant data scientists the ability to load and run inference with registered models in the catalog `main`, schema `ml_models`, but should not allow them to create new models or modify existing ones. Which SQL statement accomplishes this with minimum privileges? (Select one!)
Correct answer: D
Explanation
`GRANT EXECUTE ON CATALOG main` gives permission to “load and run inference with registered models” without granting model creation or modification rights. Because it is scoped to the catalog, it uses the minimum privilege needed for models in `main.ml_models` while avoiding broader write access.
Why each option is right or wrong
A. GRANT EXECUTE ON FUNCTION main.ml_models.* TO `data-scientists`;
Function execution applies to functions, not the broader registered-model access scope described here.
B. GRANT CREATE MODEL ON SCHEMA main.ml_models TO `data-scientists`;
CREATE MODEL allows authoring new models, which violates the no-create requirement.
C. GRANT SELECT, USE SCHEMA ON SCHEMA main.ml_models TO `data-scientists`;
SELECT and USE SCHEMA support discovery/access patterns, not executing registered models for inference.
D. GRANT EXECUTE ON CATALOG main TO `data-scientists`;
Under Databricks Unity Catalog, the privilege required to load a registered model and use it for inference is `EXECUTE` on the catalog object that contains the model, per the Unity Catalog privileges model. Granting `EXECUTE` on catalog `main` allows use of models in `main.ml_models` without conferring `CREATE MODEL` or `MODIFY` capabilities, which are separate write privileges on the schema/model objects. This is the minimum grant that satisfies inference access while preserving read-only behavior.