Database roles, access, and privileges
This feature is in Public Preview in the following regions: us-east-1, us-east-2, us-west-2, eu-west-2, ap-southeast-1, ap-southeast-2, eu-central-1, ap-south-1.
This page describes when and how to grant Databricks users and identities privileges to a database instance.
To allow other users to use PostgreSQL to access the database instance, the databricks_superuser must create corresponding Postgres roles for them. For details on how to create Postgres roles, see Create and manage Postgres roles for Databricks identities.
When and how permissions are checked
When you use Postgres syntax or connect through a PostgreSQL interface, Lakebase enforces PostgreSQL-specific access controls by using the following:
- Postgres roles
- Role memberships
- Postgres-granted permissions
In all other scenarios, Lakebase enforces Databricks-specific access controls:
- Databricks identities (users, groups and service principals)
- Databricks group memberships
- Workspace access control lists (ACLs)
- Unity Catalog privileges
There is no automatic sync between Databricks identities and memberships, and Postgres roles and memberships.
Use case / Permission or identity | Manage database instances | Create synced tables | Manage synced table pipeline | Query Postgres tables from a SQL warehouse | Query online features in feature and model serving | Query Postgres tables in PostgreSQL |
---|---|---|---|---|---|---|
Databricks identities | x | x | x | x | x | Requires a corresponding Postgres role |
Databricks group memberships | x | x | x | x | x | Only checked on login when logging in as a group |
Instance ACLs | x | x | | | | |
Pipeline ACLs | | x | x | | | |
UC permissions | | x | x | x | | |
Postgres roles | | | | | | x |
Postgres role memberships | | | | | | x |
Postgres permissions | | | | | | x |
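Because nothing syncs the two models, a periodic audit is the practical control: identities with no Postgres role cannot connect over PostgreSQL, and Postgres roles or role memberships with no Databricks identity behind them are stale access that survives offboarding. The following is an added example, not Databricks or Lakebase code; the sample inputs are constructed, and in practice they would come from the Databricks SCIM API and from the pg_roles and pg_auth_members catalogs on the instance. The `SYSTEM_ROLES` set is an assumption (only databricks_superuser is named on this page).

```python
"""Audit drift between Databricks identities and Postgres roles (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Roles present on the instance that are not backed by a Databricks identity.
# Assumed list: the page names only databricks_superuser; extend as needed.
SYSTEM_ROLES = frozenset({"databricks_superuser"})


@dataclass
class DriftReport:
    identities_without_role: set[str] = field(default_factory=set)       # cannot log in over PostgreSQL
    roles_without_identity: set[str] = field(default_factory=set)        # stale / orphaned access
    memberships_missing_in_pg: set[tuple[str, str]] = field(default_factory=set)  # (member, group)
    memberships_extra_in_pg: set[tuple[str, str]] = field(default_factory=set)    # (member, group)

    def is_clean(self) -> bool:
        return not (self.identities_without_role or self.roles_without_identity
                    or self.memberships_missing_in_pg or self.memberships_extra_in_pg)


def audit_drift(identities: set[str], dbx_memberships: set[tuple[str, str]],
                pg_roles: set[str], pg_memberships: set[tuple[str, str]]) -> DriftReport:
    """Compare both permission models; a Postgres role is matched to an identity by name."""
    # Built-in pg_* roles and instance system roles never correspond to an identity.
    managed_roles = {r for r in pg_roles if not r.startswith("pg_") and r not in SYSTEM_ROLES}
    return DriftReport(
        identities_without_role=identities - managed_roles,
        roles_without_identity=managed_roles - identities,
        memberships_missing_in_pg=dbx_memberships - pg_memberships,
        memberships_extra_in_pg=pg_memberships - dbx_memberships,
    )


# Constructed sample data standing in for SCIM output and pg_roles / pg_auth_members rows.
DBX_IDENTITIES = {"alice@example.com", "bob@example.com", "svc-etl", "analysts"}
DBX_MEMBERSHIPS = {("alice@example.com", "analysts"), ("bob@example.com", "analysts")}
PG_ROLES = {"databricks_superuser", "pg_read_all_data", "alice@example.com",
            "analysts", "carol@example.com"}
PG_MEMBERSHIPS = {("alice@example.com", "analysts"), ("carol@example.com", "analysts")}

if __name__ == "__main__":
    report = audit_drift(DBX_IDENTITIES, DBX_MEMBERSHIPS, PG_ROLES, PG_MEMBERSHIPS)
    for name, value in vars(report).items():
        print(f"{name}: {sorted(value)}")
```

On the sample data the report flags bob@example.com and svc-etl as unable to connect, and carol@example.com (plus her analysts membership) as access with no identity behind it.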
Grant instance privileges to Databricks identities
A user must have specific permissions on the database instance to manage the instance and perform table operations. Workspace admins and the instance creator can assign additional permissions to any desired users, groups, or service principals in the Database instances overview page.
- Click Compute in the workspace sidebar.
- Click OLTP Database.
- Click the Permissions tab.
- Click Manage instance permissions in the upper-right.
- Enter a user, group, or service principal to grant additional privileges to.
- Select the permission you want to grant to the identity. See Database instance ACLs.
- Click + Add.
- Any workspace user can view or list database instances. Database catalog and synced table permissions are further governed by Unity Catalog metastore, catalog, schema, and table permissions. For more details, see Manage privileges in Unity Catalog.
- Click Save.