Dashboard administration guide

This article describes the administrative controls at the account and workspace levels that can be applied to AI/BI dashboards.

Dashboard sharing

Published dashboards with embedded credentials can be securely shared with users and groups in your organization, even if users don’t have access to the originating workspace. Users must be registered to your Databricks account, but they do not need access to any additional resources or to be added to a workspace.

See Publish a dashboard to learn more about published dashboards and embedded credentials.

Network considerations

If IP access lists are configured, dashboards are only accessible if users access them from within the approved IP range, such as when using a VPN. This applies to all users, regardless of whether they are assigned to a workspace. For more information on configuring access, see Manage IP access lists.

User and group management for dashboard sharing

All users registered with Databricks belong to your Databricks account. Registering a user in a Databricks account establishes a verifiable identity that Databricks can use for authentication when that user views a shared dashboard. Organizing individual users into groups can make sharing easier for dashboard authors and editors. For example, an author can share with a single, named group instead of sharing with each user in the account.

Dashboards are created by workspace members with the Databricks SQL access entitlement. Users and groups can have access to zero, one, or multiple workspaces. Workspace users can also be granted permission to access compute resources, allowing them to create and collaborate on dashboards, among other things.

When sharing a dashboard, authors can add users and groups to a People with access list to assign specific permissions, as they do with other workspace objects. Also, they can configure Sharing settings with one of the following options:

  • Only people with access can view

  • Anyone in my organization can view

If a dashboard is published with embedded credentials and shared with a specific user, group, or all users in the organization, those users can access it regardless of whether they have access to the originating workspace.

The following image shows the relationship between users and groups at the workspace and account levels.

Account level SCIM diagram with dashboard sharing

Databricks recommends that account admins use account-level SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. You can also manually register these users and groups as you set up identities in your Databricks account. This allows them to be included as eligible recipients before an author attempts to share a dashboard. See Sync users and groups from your identity provider.

Beyond account registration, no additional configuration is required. Users do not need to be assigned to a workspace or provided access to compute resources.

Important

Dashboard account-level sharing supports email and password authentication and unified login with single sign-on (SSO). If a dashboard is shared when the recipient uses password-based login and then the account is later configured for SSO with unified login, account admins should verify dashboard recipients are allowed to access Databricks account via their identity provider configuration. The users who aren’t allowed to login via SSO will no longer be able to access dashboards that were previously shared with them.

Workspace admin subscription controls

Workspace admins can prevent users from distributing dashboards using subscriptions. Changing this setting prevents all users from adding email subscribers to scheduled dashboards. Dashboard editors cannot add subscribers, and dashboard viewers do not have the option to subscribe to a scheduled dashboard.

To prevent sharing email updates:

  1. Click your username in the top bar of the Databricks workspace and select Settings.

  2. In the Settings sidebar, click Notifications.

  3. Turn the Enable dashboard email subscriptions option off.

If this setting is off, existing subscriptions are paused, and no one can modify existing subscription lists. If this setting is switched back on, subscriptions resume using the existing list.

Workspace admin download controls

Workspace admins can adjust their security settings to prevent users from downloading results with the following steps:

  1. Click your username in the top bar of the Databricks workspace and select Settings.

  2. In the Settings sidebar, click Security.

  3. Turn the SQL results download option off.

Transfer ownership of a dashboard

Workspace admins can transfer ownership of a dashboard to a different user.

  1. Go to the list of dashboards. Click a dashboard name to edit.

  2. Click Share.

  3. Click the Gear icon icon at the top-right of the Sharing dialog. Share dialog with gear icon

  4. Begin typing a username to search for and select the new owner.

  5. Click Confirm.

The new owner appears in the Sharing dialog with Can manage permissions. To view dashboards listed by owner, go to the list of available dashboards by clicking Dashboards Icon Dashboards.

Monitor Lakeview activity

Admins can monitor the activity on dashboards using audit logs. See Dashboards events.