Pre-created roles and permissions
This feature is in Public Preview in the following regions: us-east-1, us-west-2, eu-west-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-2, ap-south-1.
Lakebase (Public Preview) is the current production-ready version. For the latest features including database branching, autoscaling, and scale-to-zero, try Lakebase Postgres (Beta), available for evaluation only. See choosing between versions to understand which version is right for you.
This page explains the Postgres roles that you can use to govern access to a Databricks Lakebase database instance, including their privileges, purpose, and configuration.
Pre-created roles
After a database instance is created, Databricks automatically creates a Postgres role for the user who created the instance.
| Role | Description | Inherited privileges |
|---|---|---|
| | The Databricks identity of the instance creator (for example, | Member of |
| | An internal administrative role. Used to configure and manage access across the instance. This role is granted broad privileges and should not be used in automated applications. | Inherits from |
Role capabilities
| Role | LOGIN | CREATEDB | CREATEROLE | BYPASSRLS | Other privileges |
|---|---|---|---|---|---|
| | NOLOGIN | — | — | — | |
| | ✅ | ✅ | ✅ | ✅ | |
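The capability columns above correspond to role attributes stored in the standard Postgres catalogs, so they can be checked on a running instance. The query below is an added example, not part of the Databricks documentation; it assumes the instance exposes `pg_roles` and `pg_auth_members` to the connecting role, and the output column names are chosen for illustration.

```sql
-- Added example: list each role's attributes and every role it can reach
-- through direct or nested membership.
WITH RECURSIVE membership AS (
    -- direct grants: "member" has been granted "roleid"
    SELECT m.member AS member_oid, m.roleid AS granted_oid
    FROM pg_auth_members m
    UNION
    -- nested grants: follow the chain upward
    SELECT ms.member_oid, m.roleid
    FROM membership ms
    JOIN pg_auth_members m ON m.member = ms.granted_oid
)
SELECT
    r.rolname       AS role,
    r.rolcanlogin   AS login,
    r.rolcreatedb   AS createdb,
    r.rolcreaterole AS createrole,
    r.rolbypassrls  AS bypassrls,
    COALESCE(string_agg(g.rolname, ', ' ORDER BY g.rolname), '') AS member_of,
    -- true when some reachable role carries CREATEROLE or BYPASSRLS
    COALESCE(bool_or(g.rolcreaterole OR g.rolbypassrls), false)  AS reaches_elevated_role
FROM pg_roles r
LEFT JOIN membership ms ON ms.member_oid = r.oid
LEFT JOIN pg_roles g    ON g.oid = ms.granted_oid
WHERE r.rolname !~ '^pg_'          -- skip Postgres built-in roles
GROUP BY r.oid, r.rolname, r.rolcanlogin, r.rolcreatedb,
         r.rolcreaterole, r.rolbypassrls
ORDER BY r.rolcanlogin DESC, r.rolname;
```

In Postgres, attributes such as CREATEDB, CREATEROLE and BYPASSRLS are not inherited through membership, but a member can switch to the granting role with `SET ROLE`. A login role used by an application that shows `reaches_elevated_role = true` is therefore worth reviewing.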
System roles created by Databricks
In addition to the databricks_superuser and admin roles, Databricks creates system roles required for internal services. These roles are assigned the minimum privileges required for functionality. Modifying them can impact instance behavior.
| Role | Purpose |
|---|---|
| | Used by internal Databricks components for management operations |
| | Used by internal metrics collection services |
| | Per-database role used to create and manage synced tables |
| | Per-database role used to read tables registered in Unity Catalog |
| | Used for internal connections for managed data serving services |
To learn how roles, privileges, and role memberships work in Postgres, use the following resources in the Postgres documentation: