By default, Databricks personnel do not have access to customer workspaces or to the production multi-tenant environments. Databricks staff may request temporary access to a customer workspace in order to investigate an outage, security event, or to support your deployment.
Databricks technology controls enforce the following in such scenarios:
Limited personnel can request production access to resolve an engineering support ticket or a customer-reported issue.
Time limits are set in advance to the expected duration of the support session.
You can configure workspace audit logs to review Databricks personnel access to your workspace’s resources. Logs are delivered in typically under 15 minutes.
For Databricks on AWS, you can choose to block access to your workspace by Databricks support personnel using a feature called Customer Approved Workspace Login. If needed, you can temporarily approve access to your workspace for only the duration of the support session.
The Customer Approved Workspace Login feature allows admins to give Databricks engineers and support staff access to their workspace for a temporary session.
Customer Approved Workspace Login is not enabled in your workspaces by default. It is added to your workspace by an account-level setting that must be added by Databricks personnel. Contact your Databricks representative to enable this feature on your account if required.
Once it is enabled at the account level, workspace admins can verify that the feature is enabled by viewing the current status in their workspace settings. See Configure workspace access for your workspace.
Ask your Databricks representative to enable Customer Approved Workspace Login.
Wait for confirmation that the feature is enabled.
As an admin, go to the Admin Console.
Click the Workspace Settings tab.
In the Access Control section, click the Workspace access for Databricks Support toggle.
Set the amount of hours you would like to allow access to your workspace. Sessions can last up to 48 hours.
After access is turned on, workspace admins can track the expiration time of access in the the Workspace Settings tab. They can also disable the workspace access before the expiration time is up.