Restrict workspace admins

By default, workspace admins can change a job's owner to any user or service principal in their workspace. They can change a job's run as setting to any user in their workspace, or to a service principal on which they hold the Service Principal User role.

Workspace admins can also create a personal access token on behalf of any service principal in their workspace by default.

Account admins can configure a workspace setting called RestrictWorkspaceAdmins so that workspace admins can only change a job's owner to themselves, and can only change a job's run as setting to a service principal on which they hold the Service Principal User role.

The setting also means that workspace admins can only create a personal access token on behalf of a service principal on which they hold the Service Principal User role.

To enable the RestrictWorkspaceAdmins setting, you must be an account admin and you must be a member of the workspace that you want to restrict. The following example uses the Databricks CLI v0.215.0.

databricks settings restrict-workspace-admins update --json '{
  "setting": {
    "restrict_workspace_admins": {
        "status": "RESTRICT_TOKENS_AND_JOB_RUN_AS"
    }
  }
}'

To disable the RestrictWorkspaceAdmins setting, run the same command as above with the status set to ALLOW_ALL.
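The following script is an added example, not part of the Databricks documentation or CLI: it wraps the update command above in a check-then-apply step so it can be re-run safely from an audit job, reading the current status first and only issuing the update while the workspace is still at ALLOW_ALL. It assumes the CLI is already authenticated against the target workspace, and that the `get` subcommand of `databricks settings restrict-workspace-admins` prints JSON containing the `status` field (the REST API's response shape; treat that as an assumption to confirm against your CLI version).

```shell
#!/bin/sh
# Idempotently enforce RestrictWorkspaceAdmins with the Databricks CLI (added example).
# Assumes an authenticated CLI and that `get --output json` includes a "status" field.
set -eu

DATABRICKS="${DATABRICKS:-databricks}"   # override to point at a specific CLI binary
WANTED="RESTRICT_TOKENS_AND_JOB_RUN_AS"

# status_from_json: extract the value of the first "status" key from JSON on stdin.
# Uses sed only, so the script also runs on hosts without jq.
status_from_json() {
  sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p' | head -n 1
}

# current_status: read the live setting from the workspace.
current_status() {
  "$DATABRICKS" settings restrict-workspace-admins get --output json | status_from_json
}

# ensure_restricted: apply the restriction only when it is not already in place.
# Prints "unchanged" or "updated" so a calling audit job can record what happened.
ensure_restricted() {
  status="$(current_status)"
  if [ "$status" = "$WANTED" ]; then
    echo unchanged
    return 0
  fi
  "$DATABRICKS" settings restrict-workspace-admins update --json "{
    \"setting\": {
      \"restrict_workspace_admins\": { \"status\": \"$WANTED\" }
    }
  }" >/dev/null
  echo updated
}

# Only act when invoked with --apply, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
  ensure_restricted
fi
```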

You can also use the Restrict Workspace Admins API or the Databricks Terraform provider.