Manage users, service principals, and groups
This article introduces the Databricks identity management model and provides an overview of how to manage users, groups, and service principals in Databricks.
For an opinionated perspective on how to best configure identity in Databricks, see Identity best practices.
To manage access for users, service principals, and groups, see Authentication and access control.
Databricks identities
There are three types of Databricks identity:
-
Users: User identities recognized by Databricks and represented by email addresses.
-
Service principals: Identities for use with jobs, automated tools, and systems such as scripts, apps, and CI/CD platforms.
-
Groups: A collection of identities used by admins to manage group access to workspaces, data, and other securable objects. All Databricks identities can be assigned as members of groups.
A Databricks account can have a maximum of 10,000 combined users and service principals, along with up to 5,000 groups. Each workspace also can have a maximum of 10,000 combined users and service principals as members, along with up to 5,000 groups.
For details, see:
Who can manage identities in Databricks?
To manage identities in Databricks, you must have one of the following roles:
-
Account admins can add, update, and delete users, service principals, and groups in the account. They can assign admin roles and grant users access to workspaces, as long as those workspaces use identity federation.
-
Workspace admins can add users and service principals to the Databricks account. If their workspaces are enabled for identity federation, they can also add groups to the account. Workspace admins can grant users, service principals, and groups access to their workspaces, but cannot delete users or service principals from the account.
Workspace admins can also manage legacy workspace-local groups. For more information, see Manage workspace-local groups (legacy).
-
Group managers can manage group membership and delete groups. They can also assign the group manager role to other users. Account admins have the group manager role on all groups in the account. Workspace admins have the group manager role on account groups that they create. See Who can manage groups?.
-
Service principal managers can manage roles on a service principal. Account admins have the service principal manager role on all service principals in the account. Workspace admins have the service principal manager role on service principals that they create. For more information, see Roles for managing service principals.
Enable identity federation
Most workspaces are enabled for identity federation by default. Databricks began to enable new workspaces for identity federation and Unity Catalog automatically on November 8, 2023, with a rollout proceeding gradually across accounts. If your workspace is enabled for identity federation by default, it cannot be disabled. For more information, see Automatic enablement of Unity Catalog.
To enable identity federation in a workspace, an account admin needs to enable the workspace for Unity Catalog by assigning a Unity Catalog metastore. When the assignment is complete, identity federation is marked as Enabled on the workspace's Configuration tab in the account console. See Enable a workspace for Unity Catalog.
In an identity federated workspace, when you choose to add a user, service principal, or group in workspace admin settings, you have the option to select a user, service principal, or group from your account to add to the workspace.
In a non-identity federated workspace, you do not have the option to add users, service principals, or groups from your account.
Assign users to Databricks
Databricks recommends using SCIM provisioning to sync all users and groups automatically from your identity provider to your Databricks account. Users in a Databricks account do not have any default access to a workspace, data, or compute resources. Account admins and workspace admins can assign account users to workspaces. Workspace admins can also add a new user directly to a workspace, which both automatically adds the user to the account and assigns them to that workspace. For detailed instructions, see Sync users and groups from your identity provider using SCIM
When SSO is configured, You can configure just-in-time (JIT) provisioning to automatically create new user accounts from your identity provider upon their first login. See Automatically provision users (JIT).
Assign users to workspaces
To enable a user, service principal, or group to work in a Databricks workspace, an account admin or workspace admin needs to assign them to a workspace. You can assign workspace access to users, service principals, and groups that exist in the account as long as the workspace is enabled for identity federation.
Workspace admins can also add a new user, service principal, or group directly to a workspace. This action automatically adds the chosen user, service principal, or group to the account and assigns them to that particular workspace.
For those workspaces that aren't enabled for identity federation, workspace admins manage their workspace users, service principals, and groups entirely within the scope of the workspace. Users and service principals added to non-identity federated workspaces are automatically added to the account. If the workspace user shares a username (email address) with an account user or admin that already exists, those users are merged. Groups added to non-identity federated workspaces are legacy workspace-local groups that are not added to the account.
For detailed instructions, see:
Sharing dashboards with account users
Users can share published dashboards with other users in the Databricks account, even if those users are not members of their workspace. Users in the Databricks account who are not members of any workspace are the equivalent of view-only users in other tools. They can view objects that have been shared with them, but they cannot modify objects. For more information, see User and group management.
Assigning roles, entitlements, and permissions
Admins can assign roles, entitlements, and permissions to users, service principals, and groups. For more information, see Access control overview.
Configuring single sign-on (SSO)
Single sign-on (SSO) enables you to authenticate your users using a third-party identity provider like Okta. To enable SSO, see Configure SSO in Databricks.