Manage groups

Groups let you assign the same entitlements and instance profiles to multiple users. As an admin user, you can manage groups using the Admin Console, the Groups API, the SCIM API, or a SCIM-enabled Identity Provider like Okta or Azure Active Directory. This article discusses group management using the Admin Console.

Groups tab

Using the Admin Console, you can:

  • Add groups.
  • Add users to groups and remove them.
  • Add groups to other groups and remove them.
  • Grant and revoke the ability to create clusters for all group members (if Cluster access control has been enabled for the workspace).
  • Add and remove instance profiles for all group members.
  • Manage administrator rights by adding users to the admins group or removing them. (You can also assign a user to the admins group using the User management interface.)

Add a group

  1. Go to the Admin Console and click the Groups tab.

  2. Click + Create Group.

  3. Enter a group name and click Confirm.

    Group names must be unique. You cannot change a group name. If you want to change a group name, you must delete the group and recreate it with the new name.

Add users and child groups to a group

Note

You cannot add a child group to the admins group.

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, click +Add users or groups.
  4. On the Add users or groups dialog, click the down arrow to display a drop-down list of users and groups, and select the ones you want to add.
  5. Click the down arrow to hide the drop-down list and click Confirm.

Add entitlements to a group

  1. Go to the Admin Console and click the Groups tab.

  2. Select the group you want to update.

  3. On the Entitlements tab, select the entitlement you want to grant to all users in the group.

    Allow cluster creation is the only entitlement available to grant, although others will be added in the future. When you grant this entitlement to users, they are allowed to create and launch new clusters. You can restrict access to existing clusters using cluster-level permissions.

  4. On the confirmation dialog, click Confirm.

Add instance profiles roles to a group

You can set up instance profiles that grant access to S3 buckets that your users need access to from Databricks clusters, and assign these using groups.

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Instance Profiles tab, click +Add Instance Profiles to group.
  4. On the Add Instance Profiles dialog, click the down arrow to display a drop-down list of instance profiles, and select the ones you want to add.
  5. Click the down arrow to hide the drop-down list and click Add.

View parent groups

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, view the parent groups for your group.

Remove a user or child group

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, find the user or group you want to remove and click the X in the Actions column.
  4. Click Remove Member to confirm.

The user or child group loses all entitlements, instance profiles, and child group memberships granted by virtue of membership in this group. Be aware, however, that they may retain some or all of those instance profiles and entitlements by virtue of membership in other groups or user-level grants.

Remove an entitlement

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Entitlements tab, clear the checkbox for the entitlement you want to revoke for all users in the group.
  4. On the confirmation dialog, click Remove.

Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.

Remove an instance profile

To remove an instance profile from a group:

  1. Go to the Admin Console and click Groups tab.
  2. Select the group you want to update.
  3. On the Instance Profiles tab, find the instance profile you want to remove and click the X in the Actions column.
  4. On the confirmation dialog, click Delete.

Group members lose the instance profile, unless they have it as an individual user or through another group membership.

Remove a group from its parent group

  1. Go to the Admin Console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, find the parent group you want to secede from and click the X in the Actions column.
  4. On the confirmation dialog, click Remove parent.

All entitlements and instance profiles assigned to the parent group are removed from the members of the group. Be aware, however, that they may retain those entitlements and instance profiles by virtue of membership in other groups or user-level grants.