diff --git a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
index 7d62229ee..c0b7d2a03 100644
--- a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/AccessType.scala
@@ -58,7 +58,12 @@ object AccessType extends Enumeration {
               SHOWPARTITIONS |
               ANALYZE_TABLE => SELECT
           case SHOWCOLUMNS | DESCTABLE => SELECT
-          case SHOWDATABASES | SWITCHDATABASE | DESCDATABASE | SHOWTABLES | SHOWFUNCTIONS => USE
+          case SHOWDATABASES |
+              SWITCHDATABASE |
+              DESCDATABASE |
+              SHOWTABLES |
+              SHOWFUNCTIONS |
+              DESCFUNCTION => USE
           case TRUNCATETABLE => UPDATE
           case _ => NONE
         }
diff --git a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
index b5dcf63cb..c32b63a2f 100644
--- a/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
+++ b/extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtensionSuite.scala
@@ -442,6 +442,17 @@ abstract class RangerSparkExtensionSuite extends AnyFunSuite
     }
     doAs(admin, assert(sql("show tables from global_temp").collect().length == 0))
   }
+
+  test("[KYUUBI #5172] Check USE permissions for DESCRIBE FUNCTION") {
+    val fun = s"$defaultDb.function1"
+
+    withCleanTmpResources(Seq((s"$fun", "function"))) {
+      doAs(admin, sql(s"CREATE FUNCTION $fun AS 'Function1'"))
+      doAs(admin, sql(s"DESC FUNCTION $fun").collect().length == 1)
+      val e = intercept[AccessControlException](doAs(denyUser, sql(s"DESC FUNCTION $fun")))
+      assert(e.getMessage === errorMessage("_any", "default/function1", denyUser))
+    }
+  }
 }
 
 class InMemoryCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {