Database roles, access, and privileges

Preview

This feature is in Public Preview in the following regions: us-east-1, us-east-2, us-west-21, eu-west-2, ap-southeast-1, ap-southeast-2, eu-central-1, ap-south-1.

This page describes when and how to grant Databricks users and identities privileges to a database instance.

To allow other users to access the database instance through PostgreSQL, the databricks_superuser must create a corresponding Postgres role for each of them. For details on how to create Postgres roles, see Create and manage Postgres roles for Databricks identities.

When and how permissions are checked

When you use Postgres syntax or connect through a PostgreSQL interface, Lakebase enforces PostgreSQL-specific access controls by using the following:

  • Postgres roles
  • Role memberships
  • Postgres-granted permissions

In all other scenarios, Lakebase enforces Databricks-specific access controls:

  • Databricks identities (users, groups and service principals)
  • Databricks group memberships
  • Workspace access control lists (ACLs)
  • Unity Catalog privileges

Note

There is no automatic sync between Databricks identities and memberships on one side and Postgres roles and memberships on the other.

| Use case / Permission or identity | Manage database instances | Create synced tables | Manage synced table pipeline | Query Postgres tables from a SQL warehouse | Query online features in feature and model serving | Query Postgres tables in PostgreSQL |
|---|---|---|---|---|---|---|
| Databricks identities | x | x | x | x | x | Requires a corresponding Postgres role |
| Databricks group memberships | x | x | x | x | x | Only checked on login when logging in as a group |
| Instance ACLs | x | x | | | | |
| Pipeline ACLs | | x | x | | | |
| UC permissions | | x | | x | x | |
| Postgres roles | | | | | | x |
| Postgres role memberships | | | | | | x |
| Postgres permissions | | | | | | x |
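The three Postgres-side checks in the last column (role, role membership, granted permission) as an added example in standard PostgreSQL syntax, not taken from the page: the role, database, schema and table names are assumptions, and the plain CREATE ROLE stands in for the Lakebase role-creation procedure linked above, which the databricks_superuser performs.

```sql
-- Added example; run by the databricks_superuser. All names below are assumptions.
-- CREATE ROLE stands in for the documented Lakebase procedure for creating a
-- Postgres role that corresponds to a Databricks identity.

-- 1. Postgres role for one Databricks identity (the "Postgres roles" check).
CREATE ROLE "analyst@example.com" LOGIN;

-- 2. Role membership (the "Postgres role memberships" check): privileges live on
--    a NOLOGIN group role, and the identity's role is made a member of it.
CREATE ROLE readonly_analysts NOLOGIN;
GRANT readonly_analysts TO "analyst@example.com";

-- 3. Postgres-granted permissions (the "Postgres permissions" check), kept to
--    least privilege: connect, use one schema, read one table.
GRANT CONNECT ON DATABASE databricks_postgres TO readonly_analysts;
GRANT USAGE ON SCHEMA public TO readonly_analysts;
GRANT SELECT ON TABLE public.orders TO readonly_analysts;

-- Verify what Postgres will check when this identity queries the table:
-- membership in the group role, SELECT allowed, INSERT not allowed.
SELECT pg_has_role('analyst@example.com', 'readonly_analysts', 'MEMBER')      AS is_member,
       has_table_privilege('analyst@example.com', 'public.orders', 'SELECT')  AS can_select,
       has_table_privilege('analyst@example.com', 'public.orders', 'INSERT')  AS can_insert;
```

Because there is no sync between the two sides, removing the user from a Databricks group does not revoke readonly_analysts; that membership has to be revoked in Postgres as well.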

Grant instance privileges to Databricks identities

A user must have specific permissions on the database instance to manage the instance and perform table operations. Workspace admins and the instance creator can assign additional permissions to any users, groups, or service principals from the Database instances overview page.

  1. Click Compute in the workspace sidebar.
  2. Click OLTP Database.
  3. Click the Permissions tab.
  4. Click Manage instance permissions in the upper-right.
  5. Enter a user, group, or service principal to grant additional privileges to.
  6. Select the permission you want to grant to the identity. See Database instance ACLs.
  7. Click + Add.
  8. Click Save.

Any workspace user can view or list database instances. Database catalog and synced table permissions are further governed by Unity Catalog metastore, catalog, schema, and table permissions. For more details, see Manage privileges in Unity Catalog.