Manage project permissions
Lakebase Postgres (Autoscaling Preview) is available in the following regions: us-east-1, us-west-2, eu-west-1.
Lakebase Autoscaling Preview is the new version of Lakebase. It supports autoscaling compute, branching, instant restore, and other advanced features. For the previous version of Lakebase, see Lakebase Provisioned Preview. See choosing between versions to understand which version is right for you.
Project permissions control who can access and manage your Lakebase project resources. Use project permissions to grant access to Databricks identities, groups, and service principals for performing actions such as creating branches, managing computes, and viewing connection details.
Project permissions are separate from database access permissions. Project permissions control Lakebase platform actions, while Postgres role permissions control database access. See Understanding permission levels for more information.
For a step-by-step tutorial on granting both project and database access to users, see Tutorial: Grant project and database access to a new user.
Permission types
Lakebase projects support two permission levels:
- CAN CREATE: View and create project resources
- CAN MANAGE: Full control over project configuration and resources
For a detailed breakdown of what actions each permission allows, see Project permission capabilities.
Default permissions
When you create a Lakebase project, the following permissions are automatically assigned to identities in the workspace where the project was created:
| Identity/Group | Permission | Description |
|---|---|---|
| Workspace users | CAN CREATE | All workspace users can view and create projects |
| Project owner | CAN MANAGE | The user who created the project has full control |
| Workspace admins | CAN MANAGE | All workspace admins have full control |
These default permissions ensure that the project creator and workspace admins have full control, while all workspace users can discover and create project resources. To grant access to others, you must explicitly grant CAN MANAGE permissions to specific users, groups, or service principals.
About workspace users and admins:
- Workspace users are all users in the workspace, who are members of the `users` group. See Default workspace permissions.
- Workspace admins have elevated privileges and can manage all projects in the workspace. See Create a workspace.
- Project permissions are scoped to the workspace where the project was created. Users from other workspaces don't automatically have access to your project.
Grant project permissions
To grant project permissions to other users, groups, or service principals:
- Navigate to your project in the Lakebase App.
- Click Settings in the left sidebar.
- Scroll to the Project permissions section.
- Click Grant permission.
- Select the identity, group, or service principal you want to grant access to.
- Choose the permission level: CAN CREATE or CAN MANAGE.
- Click Grant.

Only users with CAN MANAGE permission on the project can grant or modify permissions.
About permission enforcement:
Project permissions are enforced through the API. If you attempt to perform an action you don't have permission for (such as creating a branch without CAN MANAGE), the operation will fail.
The Lakebase UI does not yet hide features or disable buttons based on your permission level. You may see options for actions you cannot perform. When you attempt these actions, you'll receive a permission error.
Modify or revoke permissions
To modify or revoke permissions:
- Navigate to your project's Settings in the Lakebase App.
- In the Project permissions section, find the user, group, or service principal.
- To modify permissions: Click the edit icon next to the identity and select a different permission level.
- To revoke access: Click the delete icon next to the identity and confirm the deletion.
You cannot modify or remove permissions for workspace admins or the project owner. These permissions are set by default and cannot be changed.
Project permission capabilities
Each permission level (CAN CREATE, CAN MANAGE) allows different actions on project resources including projects, branches, snapshots, compute endpoints, and operations.
For a complete list of what actions each permission level allows, see Lakebase project ACLs.
Understanding permission levels
Lakebase Postgres uses two layers of permissions:
Project permissions
Project permissions control platform-level actions, such as creating branches, managing computes, and managing project settings.
Managed through: Lakebase App UI (Project Settings > Project permissions)
Grant to: Databricks identities, groups, and service principals
Database permissions
Postgres role permissions control who can access data within the database itself.
Managed through: Postgres SQL commands (GRANT, REVOKE)
Grant to: Postgres roles
These systems have no automatic synchronization.
You can grant these permissions independently or together, depending on your organization's requirements:
- Grant both layers to users who need platform access and database access.
- Grant only project permissions to users who manage infrastructure but don't need to query data.
- Grant only database access to users who need to query data but don't need to manage Lakebase resources (they can connect using tools like `psql` with connection details).
To set up database access for users, see Manage Postgres roles and Manage permissions. For a complete tutorial, see Tutorial: Grant project and database access to a new user.
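Because the two layers are not synchronized, revoking a project permission leaves any matching Postgres role in place. The following added example (not Databricks code) reconciles the two layers from constructed inputs and lists roles that can still log in after their project grant was removed. It assumes Postgres role names match project principal names; `reconcile` and `remediation_sql` are hypothetical helper names.

```python
# Added example: all data below is constructed. Assumes each Postgres role name
# equals the project principal name it belongs to.

def reconcile(acl_before, acl_after, pg_roles):
    """Compare two project-permission snapshots with Postgres login roles.

    acl_before / acl_after: {principal: permission level}; only keys are used.
    pg_roles: rows shaped like SELECT rolname, rolcanlogin FROM pg_roles.
    """
    login_roles = {
        name for name, can_login in pg_roles
        if can_login and not name.startswith("pg_")  # pg_* names are reserved
    }
    revoked = set(acl_before) - set(acl_after)
    current = set(acl_after)
    return {
        # Project grant removed, but the Postgres role can still log in.
        "stale_db_access": sorted(revoked & login_roles),
        # Database-only users: a supported setup, listed for periodic review.
        "db_only": sorted(login_roles - current - revoked),
        # Platform-only principals, such as infrastructure managers.
        "project_only": sorted(current - login_roles),
        "both": sorted(current & login_roles),
    }

def remediation_sql(role_names):
    """Statements that disable login for the given roles, identifiers quoted."""
    return [
        'ALTER ROLE "{}" NOLOGIN;'.format(name.replace('"', '""'))
        for name in role_names
    ]

# Constructed snapshots: bob's project permission was revoked between them.
ACL_BEFORE = {"alice@example.com": "CAN MANAGE", "bob@example.com": "CAN CREATE",
              "ci-deployer": "CAN MANAGE"}
ACL_AFTER = {"alice@example.com": "CAN MANAGE", "ci-deployer": "CAN MANAGE"}
PG_ROLES = [("alice@example.com", True), ("bob@example.com", True),
            ("analyst@example.com", True), ("pg_read_all_data", False),
            ("reporting_ro", False)]

REPORT = reconcile(ACL_BEFORE, ACL_AFTER, PG_ROLES)

if __name__ == "__main__":
    for bucket, names in REPORT.items():
        print(bucket, names)
    print("\n".join(remediation_sql(REPORT["stale_db_access"])))
```
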
Next steps
After granting project permissions, you can set up database access and connect to your project: