Skip to main content

Configure permissions for your Databricks app

Permissions control what users can do with Databricks app, such as accessing, managing, and sharing apps. This is different from authentication, which verifies a user's identity. Permissions determine what actions the user is authorized to perform within the app.

Permission levels

  • IS_OWNER - Full control over the app, including the ability to edit, manage permissions, and delete the app.
  • CAN_MANAGE - Can manage app settings and permissions but can't delete the app unless also an owner.
  • CAN_USE - Can run and interact with the app but can't modify or manage it.

Only users with IS OWNER or CAN MANAGE permissions can assign or revoke permissions on an app.

Assign permissions in the Databricks apps UI

Manage who can view, run, or modify a Databricks app by assigning permissions directly in the Databricks Apps UI.

  1. Navigate to the app details page.
  2. Click the Permissions tab.
  3. Use the Select User, Group or Service Principal... dropdown to choose a user, group, or service principal.
  4. Select the appropriate permission level (CAN_USE, CAN_MANAGE, or IS_OWNER).
  5. Click Add, then Save to apply changes.

Permissions versus authorization

In Databricks Apps, it’s important to distinguish between permissions and authorization, which are related but separate concepts.

  • Permissions are assigned at the workspace level and define who within the workspace can manage or use an app. Permissions control access to the app itself, such as who can deploy, update, or run it. Permissions don't control what data the app or its users can access.

  • Authorization refers to controlling access to data and resources, and has two sub-categories:

    • User authorization - When users authenticate to an app, Databricks forwards their identity to the app runtime. This enables Unity Catalog and other data access policies to enforce permissions based on the user’s identity, restricting what data the app can access on their behalf.
    • App authorization - The app runs using a service principal with its own permissions to access required Databricks resources. This authorization governs what the app itself can do independently of any user.

In summary, permissions control workspace-level access to the app (who can use or manage it), while authorization governs data-level and resource access, including both user identity-based access and app service principal access.

For more information, see Configure authorization in a Databricks app.

Best practices

Follow these best practices to manage Databricks app permissions securely:

  • Follow the principle of least privilege by granting only the permissions necessary for each user’s role.
  • Prefer assigning CAN_USE permission unless users require management capabilities.
  • Use groups or service principals to efficiently manage permissions at scale.
Last updated on