Manage groups

Groups let you assign the same entitlements and instance profiles to multiple users. An admin user can manage groups using the admin console, the Groups API, the SCIM API, or a SCIM-enabled identity provider like Okta or Azure Active Directory. This article discusses group management using the Databricks admin console.

Using the admin console, you can:

  • Add groups.
  • Add users or service principals to groups and remove them.
  • Add groups to other groups and remove them.
  • Grant and revoke the ability to create clusters for all group members (if cluster access control has been enabled for the workspace).
  • Add and remove instance profiles for all group members.
  • Manage administrator rights by adding users to the admins group or removing them. You can also assign a user to the admins group in the User management interface.

Add a group

  1. Go to the admin console and click the Groups tab.

  2. Click + Create Group.

  3. Enter a group name and click Confirm.

    Group names must be unique. You cannot change a group name. If you want to change a group name, you must delete the group and recreate it with the new name.

Add users and child groups to a group

Note

You cannot add a child group to the admins group.

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, click + Add users or groups.
  4. On the Add users or groups dialog, click the down arrow to display a drop-down list of users and groups, and select the ones you want to add.
  5. Click the down arrow to hide the drop-down list and click Confirm.

Manage a group’s entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. In the following table, each entitlement’s UI and API name is shown.

| Entitlement name (UI) | Entitlement name (API) | Default | Description |
|---|---|---|---|
| Workspace access | allow-workspace-access | Granted by default. | When granted to a user or service principal, they can access Databricks. Can’t be removed from workspace administrators. |
| Databricks SQL access | databricks-sql-access | Not granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
| Allow cluster creation | allow-cluster-create | Not granted to users or service principals by default. | When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from admin users. |
| allow-instance-pool-create | allow-instance-pool-create | Can’t be granted to individual users or service principals. | When granted to a group, its members can create instance pools. Can’t be removed from workspace administrators. |

If Databricks SQL is disabled, then:

  • Workspace access and Databricks SQL access entitlements do not appear in the Databricks UI.
  • Workspace access can’t be explicitly enabled or disabled for a user or group. Disable the user instead.

Add or remove an entitlement for a group

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Entitlements tab, select the entitlement you want to grant to all users in the group.
    • Allow cluster creation: Group members are allowed to create and launch new clusters. You can restrict access to existing clusters using cluster-level permissions.
    • allow-instance-pool-create: Group members are allowed to create new instance pools.
    • Databricks SQL access: Group members are allowed to access Databricks SQL.
  4. To remove an entitlement from a group, deselect it.
  5. On the confirmation dialog, click Confirm.

Add an instance profile to a group

You can set up instance profiles that grant access to S3 buckets that your users need access to from Databricks clusters, and assign these using groups.

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Instance Profiles tab, click + Add Instance Profiles to group.
  4. On the Add Instance Profiles dialog, click the down arrow to display a drop-down list of instance profiles, and select the ones you want to add.
  5. Click the down arrow to hide the drop-down list and click Add.

View parent groups

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, view the parent groups for your group.

Remove a user or child group

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, find the user or group you want to remove and click the X in the Actions column.
  4. Click Remove Member to confirm.

The user or child group loses all child group memberships and entitlements and instance profiles granted by virtue of membership in this group. However, they may retain those entitlements by virtue of membership in other groups or user-level grants.

Remove an entitlement

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Entitlements tab, clear the checkbox for the entitlement you want to revoke for all users in the group.
  4. On the confirmation dialog, click Remove.

Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.

Remove an instance profile

To remove an instance profile from a group:

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Instance Profiles tab, find the instance profile you want to remove and click the X in the Actions column.
  4. On the confirmation dialog, click Delete.

Group members lose the instance profile, unless they have it as an individual user or through another group membership.

Remove a group from its parent group

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, find the parent group you want to remove the group from and click the X in the Actions column.
  4. On the confirmation dialog, click Remove parent.

All entitlements and instance profiles assigned to the parent group are removed from the members of the group. However, they may retain those entitlements and instance profiles by virtue of membership in other groups or user-level grants.
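
The removal sections above all note that members may keep an entitlement through other groups or user-level grants. The following added example (not Databricks code and not API output) resolves grants across nested groups so an access review can see what a removal actually revokes. The group names, users, and in-memory data model are constructed assumptions; the entitlement names come from the table on this page.

```python
# Constructed sample data for illustration; not exported from a real workspace.
GROUP_ENTITLEMENTS = {  # group -> entitlements granted directly to the group
    "platform": {"allow-cluster-create", "allow-instance-pool-create"},
    "data-eng": set(),
    "ml-team": {"allow-cluster-create"},
}
GROUP_MEMBERS = {  # group -> direct members as (kind, name)
    "platform": {("group", "data-eng")},
    "data-eng": {("user", "ana@example.com"), ("user", "bo@example.com"),
                 ("user", "cy@example.com")},
    "ml-team": {("user", "ana@example.com")},
}
USER_ENTITLEMENTS = {"cy@example.com": {"allow-cluster-create"}}  # user-level grants


def ancestor_groups(user, members):
    """Groups the user belongs to directly or through nested (parent) groups."""
    seen, stack = set(), [("user", user)]
    while stack:
        current = stack.pop()
        for group, direct in members.items():
            if current in direct and group not in seen:  # `seen` also stops cycles
                seen.add(group)
                stack.append(("group", group))
    return seen


def grant_sources(user, entitlement, members):
    """Every independent source that gives `user` the entitlement."""
    sources = {f"group:{g}" for g in ancestor_groups(user, members)
               if entitlement in GROUP_ENTITLEMENTS.get(g, set())}
    if entitlement in USER_ENTITLEMENTS.get(user, set()):
        sources.add("user-level grant")
    return sources


def review_removal(group, member, entitlement):
    """For users who held the entitlement via `group`, list what still grants it
    after `member` is removed from `group` (empty set = access is really gone)."""
    after = {g: set(ms) for g, ms in GROUP_MEMBERS.items()}
    after[group].discard(member)
    users = sorted({n for ms in GROUP_MEMBERS.values() for k, n in ms if k == "user"})
    return {u: grant_sources(u, entitlement, after) for u in users
            if f"group:{group}" in grant_sources(u, entitlement, GROUP_MEMBERS)}


if __name__ == "__main__":
    for user, left in review_removal("platform", ("group", "data-eng"),
                                     "allow-cluster-create").items():
        print(user, "->", sorted(left) or "revoked")
```

An empty result for a user means the removal revoked the entitlement; any remaining source is a second grant that must be removed separately if the intent was to revoke access.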