Database role types and permissions
This feature is in Public Preview in the following regions: us-east-1, us-west-2, eu-west-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-2, ap-south-1.
This page explains the Postgres roles that you can use to govern access to a Databricks Lakebase database instance, including their privileges, purpose, and configuration.
Pre-created roles
After a database instance is created, Databricks automatically creates a Postgres role for the user who created the instance.
Role | Description | Inherited privileges |
---|---|---|
| The Databricks identity of the instance creator (for example, | Member of |
| An internal administrative role. Used to configure and manage access across the instance. This role is granted broad privileges and should not be used in automated applications. | Inherits from |
Role capabilities
Role | LOGIN | CREATEDB | CREATEROLE | BYPASSRLS | Other privileges |
---|---|---|---|---|---|
| NOLOGIN | — | — | — | |
| ✅ | ✅ | ✅ | ✅ | |
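To check these attributes on a live instance, the query below is an added example, not part of the Databricks documentation. It reads the standard Postgres catalogs pg_roles and pg_auth_members and reports each role's LOGIN, CREATEDB, CREATEROLE and BYPASSRLS flags, along with whether the role reaches databricks_superuser through direct or nested membership. It assumes the connected role is allowed to read those catalogs.

```sql
-- Added audit example: role attributes plus membership in databricks_superuser.
WITH RECURSIVE membership AS (
    -- Roles granted databricks_superuser directly
    SELECT m.member, 1 AS depth
    FROM pg_auth_members AS m
    JOIN pg_roles AS r ON r.oid = m.roleid
    WHERE r.rolname = 'databricks_superuser'
  UNION
    -- Roles granted a role that is already in the set (nested membership)
    SELECT m.member, ms.depth + 1
    FROM pg_auth_members AS m
    JOIN membership AS ms ON ms.member = m.roleid
),
shortest AS (
    -- Keep the shortest membership path per role
    SELECT member, min(depth) AS depth
    FROM membership
    GROUP BY member
)
SELECT
    r.rolname,
    r.rolcanlogin                AS login,
    r.rolcreatedb                AS createdb,
    r.rolcreaterole              AS createrole,
    r.rolbypassrls               AS bypassrls,
    s.depth IS NOT NULL          AS member_of_databricks_superuser,
    s.depth                      AS membership_depth   -- 1 = direct grant
FROM pg_roles AS r
LEFT JOIN shortest AS s ON s.member = r.oid
WHERE r.rolname !~ '^pg_'        -- skip Postgres built-in predefined roles
ORDER BY
    (r.rolbypassrls OR r.rolcreaterole) DESC,  -- broadest attributes first
    member_of_databricks_superuser DESC,
    r.rolname;
```

Rows where login is true together with bypassrls, createrole, or member_of_databricks_superuser are the ones to compare against the identities your applications actually connect as.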
System roles created by Databricks
In addition to the databricks_superuser and admin roles, Databricks creates system roles required for internal services. These roles are assigned the minimum privileges required for functionality. Modifying them can impact instance behavior.
Role | Purpose |
---|---|
| Used by internal Databricks components for management operations |
| Used by internal metrics collection services |
| Per-database role used to create and manage synced tables |
| Per-database role used to read tables registered in Unity Catalog |
| Used for internal connections for managed data serving services |
To learn how roles, privileges, and role memberships work in Postgres, use the following resources in the Postgres documentation: