Workspace Access Control

Note

Access control is available only in the Databricks Operational Security Package.

By default, all users can create and modify workspace objects unless an administrator enables workspace access control. With workspace access control, individual permissions determine a user’s abilities. This topic describes the individual permissions and how to enable and configure workspace access control.

Workspace permissions

You can assign five permission levels to notebooks and folders: No Permissions, Read, Run, Edit, and Manage. The tables list the abilities for each permission.

Notebook Notebook permissions

Ability No Permissions Read Run Edit Manage
View cells   x x x x
Comment   x x x x
Run commands     x x x
Attach/detach notebooks     x x x
Edit cells       x x
Change permissions         x

Folder Folder permissions

Ability No Permissions Read Run Edit Manage
View items   x x x x
Create, clone, import, export items   x x x x
Run commands on notebooks     x x x
Attach/detach notebooks     x x x
Delete items       x x
Move/rename items       x x
Change permissions         x

All notebooks in a folder inherit all permissions settings of that folder. For example, a user that has Run permission on a folder has Run permission on all notebooks in that folder.

Enable workspace access control

  1. Go to the Admin Console.

  2. Select the Access Control tab.

    ../../_images/access-control-tab.png
  3. Click the Enable button next to Workspace Access Control.

  4. Click Confirm to confirm the change.

Default permissions

Independent of workspace access control, the following permissions exist:

  • All users have Manage permission for items in the Workspace > Shared folder. You can grant Manage permission to notebooks and folders by moving them to the Shared folder.
  • All users have Manage permission for objects the user creates.

With workspace access control disabled, the following permissions exist:

  • All users have Edit permission for items in the Workspace folder.

With workspace access control enabled, the following permissions exist:

  • Workspace folder
    • Only administrators can create new items in the Workspace folder.
    • Existing items in the Workspace folder - Manage. For example, if the Workspace folder contained the Folder Documents and Folder Temp folders, all users continue to have the Manage permission for these folders.
    • New items in the Workspace folder - No Permissions.
  • A user has the same permission for all items in a folder, including items created or moved into the folder after you set the permissions, as the permission the user has on the folder.
  • User home directory - The user has Manage permission. All other users have No Permissions permission.

Configure workspace permissions

  1. Open the permissions dialog:

    • Notebook - click Permissions in the notebook context bar.
    • Folder - select Permissions in the folder’s drop-down menu:
    Permissions Drop Down
  2. Grant permissions. All users in your account belong to the group all users. Administrators belong to the group admins, which has Manage permissions on all items.

    To grant permissions to a user or group, select from the Add Users and Groups drop-down, select the permission, and click Add:

    Add Users

    To change the permissions of a user or group, select the new permission from the permission drop-down:

    Change Permissions
  3. Click Save Changes to save your changes or click Cancel to discard your changes.

Library and jobs access control

Library All users can view libraries. To control who can attach libraries to clusters, see Cluster Access Control.

Jobs To control who can run jobs and see the results of job runs, see Jobs Access Control.