
Restrict workspace admins

This article explains how account admins can use the RestrictWorkspaceAdmins setting to limit workspace admin permissions around jobs, queries, legacy alerts, and legacy dashboards.

This setting also prevents workspace admins from creating personal access tokens for service principals on which the workspace admin does not have the Service Principal User role.

Default permissions

Without enabling the RestrictWorkspaceAdmins setting, workspace admins have the following permissions:

  • Can change a job owner to any user or service principal in their workspace.
  • Can update a job's Run as setting to any user in their workspace or to any service principal where they have the Service Principal User role.
  • Can change a query owner to any user in their workspace.
  • Can change a legacy alert owner to any user in their workspace.
  • Can change a legacy dashboard owner to any user in their workspace.
  • Can create a personal access token on behalf of any service principal in their workspace.

Restricted permissions

After enabling the RestrictWorkspaceAdmins setting, workspace admins have the following permissions:

  • Can only change a job, query, legacy alert, or legacy dashboard owner to themselves.
  • Can update a job's Run as setting to themselves or to any service principal where they have the Service Principal User role.
  • Can only create a personal access token for service principals where they have the Service Principal User role.

Enable the restriction setting

To enable the RestrictWorkspaceAdmins setting, you must be an account admin and you must be a member of the workspace that you want to restrict. The following example uses the Databricks CLI v0.215.0.

The RestrictWorkspaceAdmins setting uses an etag field for optimistic concurrency control. To enable or disable the setting, first issue a GET to obtain the current etag, then pass that etag in the update request. If the setting changes between your GET and your update, the etag no longer matches and the update is not applied; fetch a fresh etag and retry. For example:

Bash
databricks settings restrict-workspace-admins get

Example response:

JSON
{
  "etag": "<etag>",
  "restrict_workspace_admins": {
    "status": "ALLOW_ALL"
  },
  "setting_name": "default"
}

Copy the etag field from the response body and use it to update the RestrictWorkspaceAdmins setting. For example:

Bash
databricks settings restrict-workspace-admins update --json '{
  "setting": {
    "setting_name": "default",
    "restrict_workspace_admins": {
      "status": "RESTRICT_TOKENS_AND_JOB_RUN_AS"
    },
    "etag": "<etag>"
  },
  "allow_missing": true,
  "field_mask": "restrict_workspace_admins.status"
}'

Example response:

JSON
{
  "etag": "<response-etag>",
  "restrict_workspace_admins": {
    "status": "RESTRICT_TOKENS_AND_JOB_RUN_AS"
  },
  "setting_name": "default"
}

To disable the RestrictWorkspaceAdmins setting, repeat the same GET-then-update sequence with the status set to ALLOW_ALL.
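The GET-then-update sequence above is easy to get wrong when scripted: the etag must come from a GET issued immediately before the update, and a stale etag means the change silently did not land. The following script is an added example, not from the Databricks documentation, that wraps the sequence in a function with a verification step and one retry on a stale etag. It assumes the Databricks CLI v0.215.0 or later is installed and authenticated (via DATABRICKS_HOST and DATABRICKS_TOKEN or a configured profile); the sample GET response embedded in the script is constructed to match the shape shown above, so the parsing helpers can be exercised without a workspace. The helper names (extract_etag, extract_status, build_update_payload, set_restrict_status) are this example's own.

```shell
#!/bin/sh
# Added example (not Databricks' own code): read-modify-write of the
# RestrictWorkspaceAdmins setting using the etag returned by GET.
# Assumes: Databricks CLI >= v0.215.0 on PATH and already authenticated.
set -eu

# Pull the "etag" field out of a settings API response.
# POSIX sed only, so it runs wherever the CLI runs; jq is the sturdier
# choice if it is available.
extract_etag() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"etag"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Pull the status (ALLOW_ALL or RESTRICT_TOKENS_AND_JOB_RUN_AS) out of a response.
extract_status() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Build the JSON body that `restrict-workspace-admins update --json` expects,
# carrying the etag obtained from the preceding GET.
build_update_payload() {
  status="$1"
  etag="$2"
  printf '{"setting":{"setting_name":"default","restrict_workspace_admins":{"status":"%s"},"etag":"%s"},"allow_missing":true,"field_mask":"restrict_workspace_admins.status"}' \
    "$status" "$etag"
}

# Live path: GET the current etag, update with it, verify the returned
# status, and retry once if the update is rejected (for example because
# another account admin changed the setting between our GET and update).
set_restrict_status() {
  want="$1"
  attempt=0
  while [ "$attempt" -lt 2 ]; do
    current=$(databricks settings restrict-workspace-admins get)
    if [ "$(extract_status "$current")" = "$want" ]; then
      echo "RestrictWorkspaceAdmins already $want"
      return 0
    fi
    etag=$(extract_etag "$current")
    if resp=$(databricks settings restrict-workspace-admins update \
                --json "$(build_update_payload "$want" "$etag")"); then
      if [ "$(extract_status "$resp")" = "$want" ]; then
        echo "RestrictWorkspaceAdmins set to $want"
        return 0
      fi
      echo "update returned unexpected status: $(extract_status "$resp")" >&2
      return 1
    fi
    attempt=$((attempt + 1))   # update rejected: re-read the etag and retry
  done
  echo "failed to update RestrictWorkspaceAdmins after retry" >&2
  return 1
}

# Constructed sample response, shaped like the output of the GET command.
# The etag value is made up for the offline demonstration.
SAMPLE_GET='{
  "etag": "constructed-etag-1",
  "restrict_workspace_admins": {
    "status": "ALLOW_ALL"
  },
  "setting_name": "default"
}'

# Offline demonstration: show the payload that would be sent.
demo_etag=$(extract_etag "$SAMPLE_GET")
build_update_payload RESTRICT_TOKENS_AND_JOB_RUN_AS "$demo_etag"
echo

# Only touch a real workspace when explicitly asked:
#   sh restrict_admins.sh --apply RESTRICT_TOKENS_AND_JOB_RUN_AS
#   sh restrict_admins.sh --apply ALLOW_ALL
if [ "${1:-}" = "--apply" ]; then
  set_restrict_status "${2:-RESTRICT_TOKENS_AND_JOB_RUN_AS}"
fi
```

The retry is deliberately bounded to one re-read: a second rejection usually means someone else is actively changing the setting, and an unbounded loop would just fight them. Verifying the status in the update response, rather than trusting a zero exit code, catches the case where the call succeeded but the field mask did not apply the change you intended.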

You can also use the Restrict Workspace Admins API or the Databricks Terraform provider.