Skip to main content

Manage users

This article explains how to add, update, and remove Databricks users.

For an overview of the Databricks identity model, see Databricks identities.

To manage access for users, see Authentication and access control.

Who can manage users?

To manage users in Databricks, you must be either an account admin or a workspace admin.

  • Account admins can add users to the account and assign them admin roles. They can also assign users to workspaces and configure data access for them across workspaces, as long as those workspaces use identity federation.

  • Workspace admins can add users to a Databricks workspace, assign them the workspace admin role, and manage access to objects and functionality in the workspace, such as the ability to create clusters or access specified persona-based environments. Adding a user to a Databricks workspace also adds them to the account.

    Workspace admins are members of the admins group in the workspace, which is a reserved group that cannot be deleted.

Sync users to your Databricks account from an identity provider

Account admins can sync users from an identity provider (IdP) to their Databricks account using a SCIM provisioning connector. For instructions, see Sync users and groups to your Databricks account.

Add users to your account

Account admins can add users to your Databricks account using the account console. Users in a Databricks account do not have any default access to a workspace, data, or compute resources. A user cannot belong to more than 50 Databricks accounts.

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. On the Users tab, click Add User.
  4. Enter a name and email address for the user.
  5. Click Add user.

Assign account admin roles to a user

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. Find and click the username.
  4. On the Roles tab, select one or more roles.

Assign a user to a workspace

Account admins and workspace admins can assign service principals to a Databricks workspace using the account console or the workspace admin settings page.

To add users to a workspace using the account console, the workspace must be enabled for identity federation.

  1. As an account admin, log in to the account console.
  2. In the sidebar, click Workspaces.
  3. Click your workspace name.
  4. On the Permissions tab, click Add permissions.
  5. Search for and select the user, assign the permission level (workspace User or Admin), and click Save.

Remove a user from a workspace

When a user is removed from a workspace, the user can no longer access the workspace, however permissions are maintained on the user. If the user is later added back to the workspace, they regain their previous permissions.

To remove users from a workspace using the account console, the workspace must be enabled for identity federation.

  1. As an account admin, log in to the account console.
  2. In the sidebar, click Workspaces.
  3. Click your workspace name.
  4. On the Permissions tab, find the user.
  5. Click the Kebab menu kebab menu at the far right of the user row and select Remove.
  6. On the confirmation dialog, click Remove.

Assign the workspace admin role to a user

  1. As a workspace admin, log in to the Databricks workspace.
  2. Click your username in the top bar of the Databricks workspace and select Settings.
  3. Click on the Identity and access tab.
  4. Next to Users, click Manage.
  5. Select the user.
  6. Under Entitlements, turn on Admin access.

To remove the workspace admin role from a workspace user, perform the same steps, but clear the Admin access toggle.

Deactivate a user

You can deactivate a user at either the account or workspace level.

Account admins can deactivate users across a Databricks account. Deactivation prevents the user from authenticating and accessing the account, workspaces, or Databricks APIs, but does not remove its permissions or objects. This is preferable to removal, which is a destructive action.

Effects of deactivation:

  • The user cannot authenticate or access the Databricks UI or APIs.
  • Applications or scripts that use the tokens generated by the user are no longer able to access the Databricks API. The tokens remain but cannot be used to authenticate while a user is deactivated.
  • Compute resources owned by the user remain running.
  • Scheduled jobs created by the user fail unless they are assigned to a new owner.

When reactivated, the user regains access with the same permissions.

Account admins can deactivate a user across the a Databricks account. When a user is deactivated at the account-level they cannot authenticate to the Databricks account or to any workspaces in the account.

You cannot deactivate a user using the account console. Instead, use the Account Users API. For example:

Bash
curl --netrc -X PATCH \
https://${DATABRICKS_HOST}/api/2.1/accounts/{account_id}/scim/v2/Users/{id} \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

JSON
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}

Remove users from your Databricks account

Account admins can delete users from a Databricks account. Workspace admins cannot. When you delete a user from the account, that user is also removed from their workspaces. If you remove a user using the account console, you must ensure that you also remove the user using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning adds the user back the next time it syncs. See Sync users and groups from your identity provider using SCIM.

important

When you remove a user from the account, that user is also removed from their workspaces, regardless of whether or not identity federation has been enabled. We recommend that you refrain from deleting account-level users unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user can no longer access Databricks APIs
  • Jobs owned by the user fail
  • Clusters owned by the user stop
  • Queries or dashboards created by the user and shared using the Run as Owner credential have to be assigned to a new owner to prevent sharing from failing

When a user is removed from an account, the user can no longer access the account or their workspaces, however permissions are maintained on the user. If the user is later added back to the account, they regain their previous permissions.

To remove a user using the account console, do the following:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. Find and click the username.
  4. On the User Information tab, click the Kebab menu kebab menu in the upper-right corner and select Delete.
  5. On the confirmation dialog, click Confirm delete.

Manage users using the API

Account admins and workspace admins can manage users in the Databricks account and workspaces using Databricks APIs.

Manage users in the account using the API

Admins can add and manage users in the Databricks account using the Account Users API. Account admins and workspace admins invoke the API using a different endpoint URL:

  • Account admins use {account-domain}/api/2.1/accounts/{account_id}/scim/v2/.
  • Workspace admins use {workspace-domain}/api/2.0/account/scim/v2/.

For details, see the Account Users API.

Manage users in the workspace using the API

Account and workspace admins can use the Workspace Assignment API to assign users to workspaces enabled for identity federation. The Workspace Assignment API is supported through the Databricks account and workspaces.

  • Account admins use {account-domain}/api/2.0/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments.
  • Workspace admins use {workspace-domain}/api/2.0/preview/permissionassignments/principals/{user_id}.

See Workspace Assignment API.

If your workspace is not enabled for identity federation, a workspace admin can use the workspace-level APIs to assign users to their workspaces. See Workspace Users API.

Last updated on