Manage users
This article explains how to add, update, and remove Databricks users.
For an overview of the Databricks identity model, see Databricks identities.
To manage access for users, see Authentication and access control.
Overview of user management
To manage users in Databricks, you must be either an account admin or a workspace admin.
Account admins can add users to the account and assign them admin roles. They can also assign users to workspaces and configure data access for them across workspaces, as long as those workspaces use identity federation.
Workspace admins can add users to a Databricks workspace, assign them the workspace admin role, and manage access to objects and functionality in the workspace, such as the ability to create clusters or access specified persona-based environments. Adding a user to a Databricks workspace also adds them to the account.
Workspace admins are members of the admins group in the workspace, which is a reserved group that cannot be deleted.
Important
Databricks began to enable new workspaces for identity federation and Unity Catalog automatically on November 8, 2023, with a rollout proceeding gradually across accounts. If your workspace is enabled for identity federation by default, it cannot be disabled. For more information, see Automatic enablement of Unity Catalog.
Sync users to your Databricks account from an identity provider
Account admins can sync users from your identity provider (IdP) to your Databricks account using a SCIM provisioning connector.
Important
If you already have SCIM connectors that sync identities directly to your workspaces, you must disable those SCIM connectors when the account-level SCIM connector is enabled. See Migrate workspace-level SCIM provisioning to the account level.
For instructions, see Sync users and groups to your Databricks account.
Manage users in your account
Account admins can add users to your Databricks account using the account console. Users in a Databricks account do not have any default access to a workspace, data, or compute resources.
Add users to your account using the account console
As an account admin, log in to the account console.
In the sidebar, click User management.
On the Users tab, click Add User.
Enter a name and email address for the user.
Click Add user.
Note
A user cannot belong to more than 50 Databricks accounts.
To give users access to a workspace, you must add them to the workspace. See Manage users in your workspace.
Assign account admin roles to a user
As an account admin, log in to the account console.
In the sidebar, click User management.
Find and click the username.
On the Roles tab, turn on Account admin, Marketplace admin, or Billing admin.
Assign a user to a workspace using the account console
To add users to a workspace using the account console, the workspace must be enabled for identity federation. Workspace admins can also assign users to workspaces using the workspace admin settings page. See Assign a user to a workspace using the workspace admin settings page.
As an account admin, log in to the account console.
In the sidebar, click Workspaces.
Click your workspace name.
On the Permissions tab, click Add permissions.
Search for and select the user, assign the permission level (workspace User or Admin), and click Save.
Remove a user from a workspace using the account console
To remove users from a workspace using the account console, the workspace must be enabled for identity federation. When a user is removed from a workspace, the user can no longer access the workspace; however, permissions are maintained on the user. If the user is later added back to the workspace, they regain their previous permissions.
As an account admin, log in to the account console.
In the sidebar, click Workspaces.
Click your workspace name.
On the Permissions tab, find the user.
Click the kebab menu at the far right of the user row and select Remove.
On the confirmation dialog, click Remove.
Deactivate a user in your Databricks account
Account admins can deactivate users across a Databricks account. A deactivated user cannot log in to the Databricks account or workspaces. However, all of the user’s permissions and workspace objects remain unchanged. When a user is deactivated, the following is true:
The user cannot log in to the account or any of their workspaces by any method.
Applications or scripts that use the tokens generated by the user can no longer access the Databricks API. The tokens remain but cannot be used to authenticate while a user is deactivated.
Notebooks owned by the user remain.
Clusters owned by the user remain running.
Scheduled jobs created by the user have to be assigned to a new owner to prevent them from failing.
When a user is reactivated, they can log in to Databricks with the same permissions. Databricks recommends deactivating users from the account instead of removing them because removing a user is a destructive action. A deactivated user’s status is labeled Inactive in the account console. You can also deactivate a user from a specific workspace. See Deactivate a user in your Databricks workspace.
You cannot deactivate a user using the account console. Instead, use the Account Users API. For example:
curl --netrc -X PATCH \
  https://${DATABRICKS_HOST}/api/2.1/accounts/{account_id}/scim/v2/Users/{id} \
  --header 'Content-type: application/scim+json' \
  --data @update-user.json \
  | jq .
update-user.json:
{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}
Remove users from your Databricks account
Account admins can delete users from a Databricks account. Workspace admins cannot. When you delete a user from the account, that user is also removed from their workspaces.
Important
When you remove a user from the account, that user is also removed from their workspaces, regardless of whether or not identity federation has been enabled. We recommend that you refrain from deleting account-level users unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:
Applications or scripts that use the tokens generated by the user can no longer access Databricks APIs
Jobs owned by the user fail
Clusters owned by the user stop
Queries or dashboards created by the user and shared using the Run as Owner credential have to be assigned to a new owner to prevent sharing from failing
When a user is removed from an account, the user can no longer access the account or their workspaces; however, permissions are maintained on the user. If the user is later added back to the account, they regain their previous permissions.
To remove a user using the account console, do the following:
As an account admin, log in to the account console.
In the sidebar, click User management.
Find and click the username.
On the User Information tab, click the kebab menu in the upper-right corner and select Delete.
On the confirmation dialog, click Confirm delete.
If you remove a user using the account console, you must ensure that you also remove the user using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning adds the user back the next time it syncs. See Sync users and groups from your identity provider.
To remove a user from a Databricks account using SCIM APIs, you must be an account admin. See Sync users and groups to your Databricks account and the Account Groups API.
Manage users in your workspace
Workspace admins can add and manage users using the workspace admin settings page.
Assign a user to a workspace using the workspace admin settings page
To add a user to a workspace using the workspace admin settings page, do the following:
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to Users, click Manage.
Click Add User.
Select an existing user to assign to the workspace or click Add new to create a new user.
Click Add.
Databricks sends a confirmation email. If the user does not receive the confirmation email within five minutes, ask the user to check their spam folder. Adding a new user to your workspace also adds the user to your Databricks account.
Note
If your workspace is not enabled for identity federation, you only see the option to add a new user to the workspace. If you add a user that shares a username (email address) with an existing account user, those users are merged.
Assign the workspace admin role to a user using the workspace admin settings page
To assign the workspace admin role using the workspace admin settings page, do the following:
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to Users, click Manage.
Select the user.
Click the Entitlements tab.
Click the toggle next to Admin access.
To remove the workspace admin role from a workspace user, perform the same steps, but clear the Admin access toggle.
Deactivate a user in your Databricks workspace
Workspace admins can deactivate users in a Databricks workspace. A deactivated user cannot log in to the workspace or access it from Databricks APIs; however, all of the user’s permissions and workspace objects remain unchanged. When a user is deactivated:
The user cannot log in to the workspace by any method.
The user’s status shows as Inactive in the workspace admin settings page.
Applications or scripts that use the tokens generated by the user can no longer access the Databricks API. The tokens remain but cannot be used to authenticate while a user is deactivated.
Notebooks owned by the user remain.
Clusters owned by the user remain running.
Scheduled jobs created by the user have to be assigned to a new owner to prevent them from failing.
When a user is reactivated, they can log in to the workspace with the same permissions. Databricks recommends deactivating users instead of removing them because removing a user is a destructive action. You cannot deactivate a user using the workspace admin settings page. Instead, use the Workspace Users API. For example:
curl --netrc -X PATCH \
  https://<databricks-instance>/api/2.0/preview/scim/v2/Users/<user-id> \
  --header 'Content-type: application/scim+json' \
  --data @update-user.json \
  | jq .
update-user.json:
{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}
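Added example, not part of the Databricks documentation: an offboarding check that serves both the account-level and the workspace-level deactivation passages above. It compares a list of departed users against a SCIM Users listing and builds the PATCH request for each one that is still active. The function names, the sample listing, the leaver list and the use of a bearer token are assumptions made for illustration; the endpoint paths and the PatchOp body are the ones shown on this page.

```python
import json
import urllib.request

# PatchOp body as shown in update-user.json on this page.
DEACTIVATE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "replace", "path": "active", "value": [{"value": "false"}]}],
}
# Constructed sample: shape of a SCIM ListResponse from a GET on the Users endpoint.
SAMPLE_LISTING = {"Resources": [
    {"id": "1001", "userName": "alice@example.com", "active": True},
    {"id": "1002", "userName": "bob@example.com", "active": False},
    {"id": "1003", "userName": "Carol@example.com", "active": True},
]}
LEAVERS = ["bob@example.com", "carol@example.com", "dave@example.com"]  # constructed

def users_url(host, account_id=None):
    """Account-level SCIM Users URL when account_id is given, else workspace-level."""
    if account_id:
        return f"https://{host}/api/2.1/accounts/{account_id}/scim/v2/Users"
    return f"https://{host}/api/2.0/preview/scim/v2/Users"

def plan_deactivations(listing, leavers, host, account_id=None):
    """Sort leavers into: still active (with PATCH URL), already inactive, not found."""
    wanted = {name.strip().lower() for name in leavers}
    plan = {"deactivate": [], "already_inactive": [], "not_found": []}
    seen = set()
    for user in listing.get("Resources", []):
        name = user.get("userName", "").lower()  # user names are e-mail addresses
        if name not in wanted:
            continue
        seen.add(name)
        # A missing 'active' attribute is treated as active so no leaver is skipped.
        if user.get("active", True):
            url = f"{users_url(host, account_id)}/{user['id']}"
            plan["deactivate"].append((name, url))
        else:
            plan["already_inactive"].append(name)
    plan["not_found"] = sorted(wanted - seen)
    return plan

def build_request(url, token):
    """Build, without sending, the PATCH request (bearer-token auth is an assumption)."""
    return urllib.request.Request(
        url, data=json.dumps(DEACTIVATE_PATCH).encode(), method="PATCH",
        headers={"Content-Type": "application/scim+json",
                 "Authorization": f"Bearer {token}"})

if __name__ == "__main__":
    print(plan_deactivations(SAMPLE_LISTING, LEAVERS, "accounts.example.com", "ACCOUNT_ID"))
```

Pass each planned request to urllib.request.urlopen to apply it, then list the users again to confirm that each one now shows active as false.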
Remove a user from a workspace using the workspace admin settings page
When a user is removed from a workspace, the user can no longer access the workspace; however, permissions are maintained on the user. If the user is later added back to the workspace, they regain their previous permissions.
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to Users, click Manage.
Find the user, click the kebab menu at the far right of the user row, and select Remove.
Click Delete to confirm.
Manage users using the API
Account admins and workspace admins can manage users in the Databricks account and workspaces using Databricks APIs.
Manage users in the account using the API
Admins can add and manage users in the Databricks account using the Account Users API. Account admins and workspace admins invoke the API using different endpoint URLs:
Account admins use {account-domain}/api/2.1/accounts/{account_id}/scim/v2/.
Workspace admins use {workspace-domain}/api/2.0/account/scim/v2/.
For details, see the Account Users API.
Manage users in the workspace using the API
Account and workspace admins can use the Workspace Assignment API to assign users to workspaces enabled for identity federation. The Workspace Assignment API is supported through the Databricks account and workspaces.
Account admins use {account-domain}/api/2.0/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments.
Workspace admins use {workspace-domain}/api/2.0/preview/permissionassignments/principals/{user_id}.
If your workspace is not enabled for identity federation, a workspace admin can use the workspace-level APIs to assign users to their workspaces. See Workspace Users API.