AI/BI administration guide

This article describes the account and workspace-level administrative controls that can be applied to AI/BI products.

Manage dashboard and Genie access

Users are granted entitlements at the workspace level that control how they interact with the Databricks workspace. See Manage entitlements for details about each access type.

Dashboards and genie spaces can be securely shared with the following user types:

• Workspace users: Permissions are scoped to the workspace where they are a member. To access multiple workspaces, they must be added to each workspace individually. Their access is controlled by entitlements that determine how they interact with data assets.
  • With the Databricks SQL access entitlement: Users can create new dashboards and Genie spaces. Access can be granted to view, edit, and manage draft and published dashboards. Access can be granted to compute and Unity Catalog governed data.
  • With the Consumer access entitlement: Users can be granted access to published dashboards. Access can be granted to compute and Unity Catalog governed data. To learn more, see What is consumer access?.
• Account users: Can be granted access to published dashboards with embedded credentials. Account users must be registered to your Databricks account, but they do not need access to any additional resources or to be added to a workspace. Account users can be assigned as recipients for dashboards or Genie spaces across any workspace in the account. See Share a dashboard to learn more about published dashboards and embedded credentials.

See Manage entitlements.

Capabilities by access type

The following table summarizes the capabilities associated with each access type:

Capability	Account member access	Consumer access	Databricks SQL access
View/run dashboards	✓	✓	✓
View/run Genie spaces		✓	✓
Enforce row- and column-level security on view		✓	✓
Query SQL warehouses using BI tools		✓	✓
Access Unity Catalog-governed data through third-party BI tools		✓
Read/write AI/BI dashboards			✓
Read/write Genie spaces			✓

note

To allow account users to view dashboard data, dashboards must be published with embedded credentials.

Network considerations

If IP access lists are configured, dashboards are only accessible if users access them from within the approved IP range, such as when using a VPN. This applies to all users, regardless of whether they are assigned to a workspace. For more information on configuring access, see Manage IP access lists.

User and group management

All users registered with Databricks belong to your Databricks account. Registering a user in a Databricks account establishes a verifiable identity that Databricks can use for authentication when that user views a shared dashboard or Genie space. Organizing individual users into groups can make sharing easier for authors and editors. For example, an author can share with a single, named group instead of sharing with each user in the account.

note

Users must have the appropriate data and compute privileges to interact with a Genie space, which can only be granted to workspace users.

important

Dashboard account-level sharing supports email and one-time passcode authentication, as well as unified login with single sign-on (SSO). If a dashboard is shared when the recipient uses one-time passcode login and then the account is later configured for SSO with unified login, account admins should verify that dashboard recipients are allowed to accessDatabricks account using their identity provider configuration. Users who aren't allowed to log in using SSO will no longer be able to access dashboards that were previously shared with them.

Users and groups can have access to zero, one, or multiple workspaces. Authors can add users and groups to a People with access list to assign specific permissions, as with other workspace objects, when sharing a dashboard or Genie space.

For dashboards, they can configure Sharing settings with one of the following options:

• Only people with access can view
• Anyone in my account can view

If a dashboard is published with embedded credentials and shared with a specific user, group, or all users in the account, those users can access it regardless of whether they have access to the originating workspace.

The following image shows the relationship between users and groups at the workspace and account levels.

Databricks recommends that account admins use account-level SCIM provisioning to sync all users and groups automatically from your identity provider to your Databricks account. You can also manually register these users and groups as you set up identities in your Databricks account. This allows them to be included as eligible recipients before an author attempts to share a dashboard. See Enable all identity provider users to access Databricks.

No additional configuration is required beyond account registration. Users do not need to be assigned to a workspace or provided access to compute resources.

Manage dashboard embedding

Embedding allows dashboard users with at least CAN EDIT permissions to generate iframe embed code using the Share dialog. Workspace admins can manage which domains, if any, are approved for hosting an embedded dashboard. Dashboard embedding requires users to have third-party cookies enabled.

To set a policy that defines the domains where dashboards can be embedded, do the following:

1. Click your username in the top bar of the Databricks workspace and select Settings.

2. Click Security.

3. Scroll down to the External access section.

4. In the Embed dashboards section, use the drop-down menu to set the policy for your workspace.

   There are three policy options:

   • Allow: Dashboards can be embedded in any domain.
   • Allow approved domains: Dashboards can only be embedded in sites that match the approved list.
   • Deny: Dashboards cannot be embedded in any domain.

If you select Allow approved domains, you can use this section to manage your list of approved domains by doing the following:

1. Click Manage next to Embed Dashboards.
2. Type a domain in the Approved domain dialog's text field. Click Add domain after each entry.
3. Click Save.

Tips for defining approved domains and routes

To specify allowed hosts, use the grammar defined in W3C's Content Security Policy documentation. The examples in this section illustrate some common patterns.

Allow subdomains

To allow all subdomains for a given domain, use a wildcard symbol (*) before the domain name. The following examples use *.databricks.com as a sample domain.

• Matches: Any subdomain
  • some.databricks.com
  • app.databricks.com
  • anything.databricks.com
• Does not match: Anything that has a different domain.
  • another-databricks.com
  • app-databricks.com

Allow specific URL paths

To allow all pages under a base URL, use a trailing slash (/) to represent the root directory. Subdirectories and additional paths will match.

The following examples use sites.google.com/some/path/ as a sample provided path.

• Matches: sites.google.com/some/path/to/my/dashboard and sites.google.com/some/path/any-page.
• Does not match:
  • sites.google.com/some/path. This example lacks the trailing slash and so is a different URL.
  • sites.google.com/some/other/path/to/my/dashboard. This example does not share the same base path.

note

A URL without a trailing slash is treated as an exact match and omits subpaths.

Workspace admin subscription controls

Workspace admins can prevent users from distributing dashboards using subscriptions. Changing this setting prevents all users from adding email subscribers to scheduled dashboards. Dashboard editors cannot add subscribers, and dashboard viewers do not have the option to subscribe to a scheduled dashboard.

To prevent sharing email updates:

1. Click your username in the top bar of the Databricks workspace and select Settings.
2. In the Settings sidebar, click Notifications.
3. Turn the Enable dashboard email subscriptions option off.

If this setting is off, existing subscriptions are paused, and no one can modify existing subscription lists. If this setting is switched back on, subscriptions resume using the existing list.

Download controls

Workspace admins can adjust their security settings to prevent users from downloading dashboard and Genie space results using the following steps:

1. Click your username in the top bar of the Databricks workspace and select Settings.
2. In the Settings sidebar, click Security.
3. Turn the SQL results download option off.

Transfer ownership of a dashboard

Workspace admins can transfer ownership of a dashboard to a different user.

1. Go to the list of dashboards. Click a dashboard name to edit.
2. Click Share.
3. Click the icon at the top-right of the Sharing dialog.
4. Begin typing a username to search for and select the new owner.
5. Click Confirm.

The new owner appears in the Sharing dialog with Can manage permissions. To view dashboards listed by owner, go to the list of available dashboards by clicking Dashboards.

Monitor AI/BI activity

Admins can monitor the activity on dashboards and Genie spaces using audit logs. See AI/BI dashboard events and AI/BI Genie events. For code examples demonstrating how to access audit log information to answer common questions, see Monitor AI/BI usage with audit logs and alerts.