Enable cluster access control for your workspace

Note

Access control is available only in the Premium plan (or, for customers who subscribed to Databricks before March 3, 2020, the Operational Security package).

By default, all users can create and modify clusters unless an administrator enables cluster access control. With cluster access control, permissions determine a user’s abilities. This article describes how to enable cluster access control and configure cluster creation permission.

For information about assigning permissions and configuring cluster access control, see Cluster access control.

Enable cluster access control

  1. Go to the Admin Console.

  2. Select the Access Control tab.

  3. Click the Enable button next to Cluster and Jobs Access Control.

  4. Click Confirm to confirm the change.

Configure cluster creation permission

You can assign the Allow cluster creation permission to individual users or to groups.

To assign to an individual user:

  1. Go to the Admin Console.

  2. Go to the Users tab.

  3. Select the Allow cluster creation checkbox in the user’s row.

  4. Click Confirm to confirm the change.

To assign to a group:

  1. Go to the Admin Console.
  2. Go to the Groups tab.
  3. Select the group you want to update.
  4. On the Entitlements tab, select Allow cluster creation.

Example: using cluster-level permissions to enforce cluster configurations

One benefit of cluster access control is the ability to enforce cluster configurations so that users cannot change them.

For example, configurations that admins might want to enforce include:

  • Tags to charge back costs
  • Instance profiles or IAM credential passthrough to control access to data
  • Spot instances to save costs
  • Standard libraries

Databricks recommends the following workflow for organizations that need to lock down cluster configurations:

  1. Disable Allow cluster creation for all users.

  2. After you create all of the cluster configurations that you want your users to use, give the users who need access to a given cluster Can Restart permission. This allows a user to freely start and stop the cluster without having to set up all of the configurations manually.

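
The lock-down workflow above can be verified after the fact. The following added example (not part of the Databricks documentation) audits exported user, group, and cluster permission records for anyone who still holds Allow cluster creation, directly or through a group, or who has more than Can Restart on a cluster. The JSON field names, the `allow-cluster-create` and `CAN_*` values, and the sample records are assumptions constructed for illustration; nested group membership is not resolved.

```python
# Added example: sample records are constructed. Field names and the values
# "allow-cluster-create" / CAN_* are assumed to match the workspace export.
CREATE = "allow-cluster-create"
ALLOWED_LEVELS = {"CAN_ATTACH_TO", "CAN_RESTART"}  # CAN_MANAGE can edit the cluster
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")

def _has_create(record):
    return any(e.get("value") == CREATE for e in record.get("entitlements", []))

def users_who_can_create(users, groups):
    """Map each user holding the entitlement to how they got it."""
    granting = {g["displayName"] for g in groups if _has_create(g)}
    findings = {}
    for u in users:
        via = sorted(granting & {g["display"] for g in u.get("groups", [])})
        if _has_create(u):
            findings[u["userName"]] = "direct"
        elif via:
            findings[u["userName"]] = "group:" + ",".join(via)
    return findings

def over_privileged(cluster_acl):
    """Principals on one cluster whose permission level exceeds Can Restart."""
    flagged = []
    for entry in cluster_acl.get("access_control_list", []):
        who = next((entry[k] for k in PRINCIPAL_KEYS if k in entry), "unknown")
        levels = {p["permission_level"] for p in entry.get("all_permissions", [])}
        if levels - ALLOWED_LEVELS:
            flagged.append(who)
    return sorted(flagged)

SAMPLE_GROUPS = [
    {"displayName": "data-eng", "entitlements": [{"value": CREATE}]},
    {"displayName": "analysts", "entitlements": []},
]
SAMPLE_USERS = [
    {"userName": "alice@example.com", "entitlements": [{"value": CREATE}]},
    {"userName": "bob@example.com", "groups": [{"display": "data-eng"}]},
    {"userName": "carol@example.com", "groups": [{"display": "analysts"}]},
]
SAMPLE_ACL = {"access_control_list": [
    {"user_name": "carol@example.com", "all_permissions": [{"permission_level": "CAN_RESTART"}]},
    {"user_name": "bob@example.com", "all_permissions": [{"permission_level": "CAN_MANAGE"}]},
    {"group_name": "analysts", "all_permissions": [{"permission_level": "CAN_ATTACH_TO"}]},
]}

if __name__ == "__main__":
    print(users_who_can_create(SAMPLE_USERS, SAMPLE_GROUPS))
    print(over_privileged(SAMPLE_ACL))
```

An empty result from both functions means the exported records match the recommended workflow.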