Enable cluster access control for your workspace

By default, all users can create and modify clusters unless an administrator enables cluster access control. With cluster access control, permissions determine a user’s abilities. This article describes how to enable cluster access control, configure cluster creation permission, and prevent users from seeing clusters they don’t have access to.

For information about assigning permissions and configuring cluster access control, see Cluster access control.


This feature requires the Premium plan (or, for customers who subscribed to Databricks before March 3, 2020, the Operational Security package).

Enable cluster access control

  1. Go to the Admin Console.
  2. Click the Workspace Settings tab.
  3. Click the Cluster Access Control toggle.
  4. Click Confirm.

Prevent users from seeing clusters they do not have access to


Cluster visibility control is enabled by default for workspaces created after the release of Databricks platform version 3.34 (released in December 2020). If your workspace was created earlier, an admin must enable the feature.

Cluster access control by itself does not hide clusters in the Databricks UI: users can still see clusters on which they have no permissions. To prevent these clusters from being visible to a user:

  1. Go to the Admin Console.
  2. Click the Workspace Settings tab.
  3. Click the Cluster Visibility Control toggle.
  4. Click Confirm.

Configure cluster creation permission

You can assign the Allow cluster creation permission to individual users or to groups.

To assign to an individual user:

  1. Go to the Admin Console.

  2. Go to the Users tab.

  3. Select the Allow cluster creation checkbox in the user’s row.

  4. Click Confirm to confirm the change.

To assign to a group:

  1. Go to the Admin Console.
  2. Go to the Groups tab.
  3. Select the group you want to update.
  4. On the Entitlements tab, select Allow cluster creation.

Example: using cluster-level permissions to enforce cluster configurations

One benefit of cluster access control is the ability to enforce cluster configurations so that users cannot change them.

For example, configurations that admins might want to enforce include:

  • Tags to charge back costs
  • Instance profiles or IAM credential passthrough to control access to data
  • Spot instances to save costs
  • Standard libraries

Databricks recommends the following workflow for organizations that need to lock down cluster configurations:

  1. Disable Allow cluster creation for all users.

  2. After you create all of the cluster configurations that you want your users to use, give the users who need access to a given cluster Can Restart permission. This allows a user to freely start and stop the cluster without having to set up all of the configurations manually.

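To check that a workspace still matches this workflow, the following added example (not part of the Databricks documentation) audits exported user, group, and cluster permission records for non-admin principals that hold Allow cluster creation or a cluster permission above Can Restart. The record shapes are assumed to follow the Databricks SCIM and Permissions REST API responses; the function names and all sample data are constructed for illustration.

```python
# Added example (not from the Databricks docs). All sample records are constructed.
# Assumption: shapes follow the Databricks SCIM and Permissions REST API responses.
CREATE = "allow-cluster-create"               # SCIM entitlement behind "Allow cluster creation"
OK_LEVELS = {"CAN_ATTACH_TO", "CAN_RESTART"}  # CAN_MANAGE would let the user edit the config
ADMINS = "admins"                             # admins keep full rights, so they are skipped

def has_create(principal):
    return any(e.get("value") == CREATE for e in principal.get("entitlements", []))

def is_admin(user):
    return any(g.get("display") == ADMINS for g in user.get("groups", []))

def audit_lockdown(users, groups, cluster_acls):
    """Return sorted (kind, principal, detail) tuples that break the lock-down workflow."""
    findings = []
    for u in users:                               # step 1: only admins may create clusters
        if has_create(u) and not is_admin(u):
            findings.append(("entitlement", u["userName"], CREATE))
    for g in groups:                              # the entitlement can also arrive via a group
        if has_create(g) and g["displayName"] != ADMINS:
            findings.append(("entitlement", g["displayName"], CREATE))
    for cluster_id, acl in cluster_acls.items():  # step 2: no grant above Can Restart
        for entry in acl:
            if entry.get("group_name") == ADMINS:
                continue
            who = entry.get("user_name") or entry.get("group_name")
            for perm in entry.get("all_permissions", []):
                if perm["permission_level"] not in OK_LEVELS:
                    findings.append(("acl", who, f"{perm['permission_level']} on {cluster_id}"))
    return sorted(findings)

USERS = [  # constructed sample data
    {"userName": "alice@example.com", "entitlements": [{"value": CREATE}], "groups": []},
    {"userName": "bob@example.com", "entitlements": [{"value": "workspace-access"}]},
    {"userName": "root@example.com", "entitlements": [{"value": CREATE}],
     "groups": [{"display": ADMINS}]},
]
GROUPS = [
    {"displayName": ADMINS, "entitlements": [{"value": CREATE}]},
    {"displayName": "data-eng", "entitlements": [{"value": CREATE}]},
]
ACLS = {"0000-000000-constructed1": [
    {"group_name": ADMINS, "all_permissions": [{"permission_level": "CAN_MANAGE"}]},
    {"user_name": "bob@example.com", "all_permissions": [{"permission_level": "CAN_RESTART"}]},
    {"user_name": "carol@example.com", "all_permissions": [{"permission_level": "CAN_MANAGE"}]},
]}

if __name__ == "__main__":
    for finding in audit_lockdown(USERS, GROUPS, ACLS):
        print(finding)
```

An empty result means no non-admin principal in the exported records can create clusters or change an enforced configuration.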