Manage users

A Databricks admin is a member of the admins group.

A Databricks admin can manage user accounts using the Databricks admin console, the SCIM API, or a SCIM-enabled identity provider like Okta or Azure Active Directory. This article discusses user management using the admin console.

You can use the Users tab on the admin console to:

  • Add and remove users.
  • Grant and revoke membership in the admins group.
  • Manage a user’s entitlements:
    • Grant and revoke access to the Data Science & Engineering workspace and Databricks SQL entitlements.
    • Grant and revoke the ability to create clusters (if cluster access control has been enabled for the workspace).

You can also perform the following user management tasks in other parts of the admin console, covered in other articles:

Add a user

  1. Go to the admin console.

  2. On the Users tab, click Add User.

  3. Enter the user email ID.

  4. Click Send invite.

    Databricks sends a confirmation email with a temporary password. If the user does not receive the confirmation email within 5 minutes, ask the user to check their spam folder.

The user is added to the workspace.

The Workspace access entitlement gives the user access to the Data Science & Engineering workspace. Although the Workspace access checkbox is not selected, the user inherits this entitlement as a member of the users group, which has the entitlement. Workspace admins can remove the entitlement from the users group and assign it individually to users on the Users page.

For information about the Databricks SQL access entitlement, see Grant a user access to Databricks SQL.

If cluster access control is enabled, and you don’t select the Allow cluster creation checkbox, the user is added without the cluster creation entitlement.

If the user previously existed in the workspace, the user’s previous entitlements are restored.

Tip

Another way to add users is with single sign-on (SSO) or an integration with SCIM.

Remove a user

  1. Go to the admin console.
  2. On the Users tab, find the user and click the remove user icon at the far right of the user row.
  3. Click Remove User to confirm.

Manage user entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. In the following table, each entitlement’s UI and API name is shown.

| Entitlement name (UI) | Entitlement name (API) | Default | Description |
| --- | --- | --- | --- |
| Workspace access | allow-workspace-access | Granted by default. | When granted to a user or service principal, they can access Databricks. Can’t be removed from workspace administrators. |
| Databricks SQL access | databricks-sql-access | Not granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
| Allow cluster creation | allow-cluster-create | Not granted to users or service principals by default. | When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from admin users. |
| allow-instance-pool-create | allow-instance-pool-create | Can’t be granted to individual users or service principals. | When granted to a group, its members can create instance pools. Can’t be removed from workspace administrators. |

If Databricks SQL is disabled, then:

  • Workspace access and Databricks SQL access entitlements do not appear in the Databricks UI.
  • Workspace access can’t be explicitly enabled or disabled for a user or group. Disable the user instead.

Add or remove an entitlement for a user

As a workspace administrator:

  1. Go to the admin console and click the Users tab.
  2. Go to the row for the user.
  3. To add an entitlement, select the checkbox in the corresponding column.
  4. To remove an entitlement, deselect the checkbox in the corresponding column.

Note

Admin is not an entitlement. The Admin checkbox is a convenient way to add the user to the admins group.

If an entitlement is inherited from a group, a user can have an entitlement even when the entitlement checkbox is empty. To explicitly add the entitlement, you can select its corresponding checkbox. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.

The allow-instance-pool-create entitlement can’t be granted directly to a user. Instead, you can grant the entitlement to a group and add the user to that group.

You can add or remove an entitlement for a group.
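
The inheritance rules above mean an empty checkbox does not prove a user lacks an entitlement. The following added example (not Databricks code) resolves each user's effective entitlements to their sources and lists what must change before an entitlement is really gone. The record shapes, group names other than users and admins, and email addresses are constructed, and treating the admins group as holding the non-removable entitlements is a modelling assumption.

```python
# Added example; record shapes, extra group names and addresses are constructed.
ADMINS = "admins"
# Per the table: can't be granted to individual users, only to groups.
GROUP_ONLY = {"allow-instance-pool-create"}
# Per the table: can't be removed from workspace administrators / admin users.
ADMIN_LOCKED = {"allow-workspace-access", "allow-cluster-create",
                "allow-instance-pool-create"}

# Constructed sample data. Giving admins the ADMIN_LOCKED set is an assumption.
GROUPS = {
    "users": {"allow-workspace-access"},
    "admins": set(ADMIN_LOCKED),
    "pool-builders": {"allow-instance-pool-create"},
}
USERS = {
    "ana@example.com": {"direct": {"databricks-sql-access"}, "groups": ["users"]},
    "bo@example.com": {"direct": {"allow-cluster-create"},
                       "groups": ["users", "pool-builders"]},
    "root@example.com": {"direct": set(), "groups": ["users", "admins"]},
}

def effective_entitlements(user, users=USERS, groups=GROUPS):
    """Map each entitlement the user holds to its sources."""
    rec = users[user]
    bad = rec["direct"] & GROUP_ONLY
    if bad:
        raise ValueError(f"{sorted(bad)} can only be granted through a group")
    sources = {e: ["direct"] for e in rec["direct"]}
    for g in rec["groups"]:
        for e in groups.get(g, ()):
            sources.setdefault(e, []).append(f"group:{g}")
    return sources

def removal_plan(user, entitlement, users=USERS, groups=GROUPS):
    """List every change needed before the user actually loses the entitlement."""
    if ADMINS in users[user]["groups"] and entitlement in ADMIN_LOCKED:
        return ["not removable while the user is in the admins group"]
    steps = []
    for src in effective_entitlements(user, users, groups).get(entitlement, []):
        if src == "direct":
            steps.append("deselect the checkbox on the Users tab")
        else:
            g = src.split(":", 1)[1]
            steps.append(f"remove user from group '{g}' or remove the entitlement from it")
    return steps

if __name__ == "__main__":
    for u in USERS:
        print(u, effective_entitlements(u))
```

An empty result from removal_plan means the user does not hold the entitlement at all.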