This feature is in Public Preview.
Databricks supports SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning using a REST API and JSON. The Databricks SCIM API follows version 2.0 of the SCIM protocol.
- Your Databricks account must have the Premium plan (or, for customers who subscribed to Databricks before March 3, 2020, the Operational Security package).
- To provision and manage service principals, your Databricks workspace must be on the E2 version of the Databricks platform. For information about creating E2 workspaces, see Create and manage workspaces using the account console. All new Databricks accounts and most existing accounts are now E2. If you are not sure which account type you have, contact your Databricks representative.
A Databricks workspace administrator can invoke all SCIM API endpoints:
For workspace SCIM APIs workspaces, for the examples, replace
<databricks-instance> with the workspace URL of your Databricks deployment.
See Authentication using Databricks personal access tokens to learn how to generate tokens using the UI and Token API 2.0 to learn how to generate tokens using the API.
Important! The Databricks admin user who generates this token should not be managed by your identity provider (IdP). A Databricks admin user who is managed by the IdP can be deprovisioned using the IdP, which would cause your SCIM provisioning integration to be disabled.
Instead of an
|Content-Type (required for write operations)||
|Accept (required for read operations)||
The SCIM API 2.0 (Account admins) is available only to account admins.
You call the account-level SCIM API on the
accounts.cloud.databricks.com domain, not your workspace domain. For example:
Use your account owner or account admin username and password with HTTP Basic authentication.
Use filters to return a subset of users or groups. For all users, the user
userName and group
displayName fields are supported. Admin users can filter users on the
|eq||equals||Attribute and operator values must be identical.|
|ne||not equal to||Attribute and operator values are not identical.|
|co||contains||Operator value must be a substring of attribute value.|
|sw||starts with||Attribute must start with and contain operator value.|
|and||logical AND||Match when all expressions evaluate to true.|
|or||logical OR||Match when any expression evaluates to true.|
Sort results using the
sortOrder query parameters. The default is to sort by ID.