Set permissions for resources in Databricks Asset Bundles
This article describes how to set permissions for resources in Databricks Asset Bundles. For information about resources supported in bundles, see Databricks Asset Bundles resources.
In Databricks bundle configuration files, you can define permissions at the top level to apply to all resources defined in the bundle, or you can define permissions to apply to specific resources.
Permissions cannot overlap. In other words, permissions for a user, group, or service principal cannot be defined in both the top-level permissions
mapping and within the resources
mapping.
Define permissions to apply to all resources
You can define permissions to apply to all supported resources defined in resources
using the top-level permissions
mapping. Databricks recommends this approach for managing Databricks Asset Bundles resource permissions.
Permissions define the allowed permissions level for a user_name
, group_name
, or service_principal_name
. Allowed top-level permission levels are CAN_VIEW
, CAN_MANAGE
, and CAN_RUN
. For more information about the top-level permissions
mapping, see permissions.
The following example sets top-level permissions for the dev
target. The user someone@example.com
will have CAN_RUN
permissions on my-job
:
bundle:
name: my-bundle
resources:
jobs:
my-job:
# ...
targets:
dev:
# ...
permissions:
- user_name: someone@example.com
level: CAN_RUN
Define permissions for a specific resource
You can use the permissions
mapping in a dashboard, experiment, job, model, or pipeline definition in resources
to define one or more permissions for that resource.
Each permission in the permissions
mapping must include the following:
- Either
user_name
,group_name
, orservice_principal_name
, set to the name of the user, group, or service principal, respectively. level
, set to the name of the permission level. Allowed permission levels for each resource are the following:- Dashboards:
CAN_EDIT
,CAN_MANAGE
CAN_VIEW
, andCAN_READ
. - Experiments:
CAN_EDIT
,CAN_MANAGE
andCAN_READ
. - Jobs:
CAN_MANAGE
,CAN_MANAGE_RUN
,CAN_VIEW
, andIS_OWNER
. - Models:
CAN_EDIT
,CAN_MANAGE
,CAN_MANAGE_STAGING_VERSIONS
,CAN_MANAGE_PRODUCTION_VERSIONS
, andCAN_READ
. - Pipelines:
CAN_MANAGE
,CAN_RUN
,CAN_VIEW
, andIS_OWNER
.
- Dashboards:
Allowed permission levels for resources cannot necessarily be applied to resources using the top-level permissions
mapping. For valid permission levels for the top-level permissions
mapping, see permissions.
The following syntax shows how to declare permissions for a resource type (in this example, pipelines) in the top-level resources
mapping and in a resources
mapping within a target:
# ...
resources:
pipelines:
<some-programmatic-identifier-for-this-pipeline>:
# ...
permissions:
- user_name: <user-name> # Or:
group_name: <group-name-1> # Or:
service_principal_name: <service-principal-name>
level: <permission-level>
# ...
targets:
<some-programmatic-identifier-for-this-target>:
resources:
pipelines:
<some-programmatic-identifier-for-this-pipeline>:
# ...
permissions:
- user_name: <user-name> # Or:
group_name: <group-name> # Or:
service_principal_name: <service-principal-name>
level: <permission-level>
# ...
# ...
Any permissions that are declared for a resource in the top-level resources
mapping are combined with any permissions that are declared for that same resources
mapping in an individual target. For example, given the following resources
mapping for the same resource at both the top level and in a target:
bundle:
name: my-bundle
resources:
jobs:
my-job:
# ...
permissions:
- group_name: test-group
level: CAN_VIEW
# ...
targets:
dev:
# ...
resources:
jobs:
my-job:
# ...
permissions:
- user_name: someone@example.com
level: CAN_MANAGE_RUN
# ...
When you run databricks bundle validate
for this example, the resulting graph is as follows:
{
"...": "...",
"resources": {
"jobs": {
"my-job": {
"permissions": [
{
"level": "CAN_VIEW",
"group_name": "test-group"
},
{
"level": "CAN_MANAGE_RUN",
"user_name": "someone@example.com"
}
],
"...": "..."
}
}
}
}
Permissions order of precedence
If you have permissions
defined in multiple places in your bundle configuration, the permissions granted to resources, workspace directories, and files specified in the bundle are in the following order:
- The permissions defined for the resource in the target deployment
- The permissions defined for the target deployment
- The permissions defined for the resource in the bundle
- The permissions defined in the bundle's top-level permissions
For example, in the following configuration, the group test-group
will have CAN_MANAGE
permissions for the job in the dev
target, but CAN_MANAGE_RUN
permissions for the job in the prod
target:
bundle:
name: my-bundle
permissions:
- group_name: test-group
level: CAN_VIEW
resources:
jobs:
my-job:
# ...
permissions:
- group_name: test-group
level: CAN_MANAGE_RUN
# ...
targets:
dev:
# ...
resources:
jobs:
my-job:
# ...
permissions:
- group_name: test-group
level: CAN_MANAGE
# ...
prod:
# ...
resources:
jobs:
my-job:
# ...