Manage workspace-local groups (legacy)
This article explains how admins create and manage legacy workspace-local groups. For an overview of account groups, the primary groups in Databricks see Groups.
What are workspace-local groups?
Workspace-local groups are legacy groups. These groups are identified as having a source of Workspace. You can only use workspace-local groups in the workspace they are defined in. They cannot be assigned to additional workspaces or granted access to data in a Unity Catalog metastore. Workspace-local groups cannot be granted account-level roles or managed using account-level interfaces. To take advantage of centralized identity, Databricks recommends that you use account groups instead of workspace-local groups.
In identity federated workspaces, workspace-local groups can only be managed using the Workspace Groups API. In non-identity federated workspaces, workspace admins can also manage workspace-local groups using the workspace admin settings page.
Migrate workspace-local groups to account groups
Databricks recommends converting workspace-local groups to account groups for centralized identity administration.
Step 1: Migrate workspace-level SCIM provisioning to the account
Databricks recommends that you configure account-level SCIM provisioning to sync groups from your identity provider to Databricks. If you currently have workspace-level SCIM provisioning set up for your workspaces, you must disable the workspace-level SCIM provisioner. Otherwise, workspace-level SCIM continues to create and update workspace-local groups. To set up a new SCIM provisioning connector for your account and disable workspace-level SCIM, see Migrate workspace-level SCIM provisioning to the account level.
Step 2: Change the name of your workspace-local groups
Two groups in a workspace cannot have the same name. You must change the name of your workspace-local groups in order to add a new account group to the workspace with the same name. These steps recommend adding (workspace) to the group's name.
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar of the Databricks workspace and select Settings.
- Click the Groups tab and select the workspace-local group that you want to convert to an account group.
- Under Name, add
(workspace)to the end of the group's name. - Click Save.
Step 3: Grant the account groups permissions
Grant the newly provisioned account groups access to the same functionalities their workspace-local counterparts had. For each new account group:
- Grant the group access to your workspace. See Assign a group to a workspace.
- Assign workspace entitlements on the new account groups, following the instructions in Manage entitlements on groups.
- Use the UCX utilities group migration workflow to migrate the workspace-level groups' permissions to workspace-level objects to the new account groups. See Step 2. Run the group migration workflow. You can also migrate permissions manually using the Permissions API.
Step 4: Delete the workspace-local groups
Now that you have migrated your workspace-local group to the account and you can delete your workspace-local groups.
- On the Groups tab, select the workspace-local group that you converted to an account group.
- Click x Delete and click Delete to confirm.
Manage workspace-local groups using the API
Workspace admins can add and manage workspace-local groups using the workspace-level SCIM API. In identity federated workspaces, workspace-local groups can only be managed using the API. For instructions, see Workspace Groups API.
Manage workspace-local groups using the admin settings page
Workspace admins can add and manage workspace-local groups using the workspace admin settings page in non-identity federated workspaces.
Create a workspace-local group using the admin settings page
To add a workspace-local group to a workspace using the admin settings, do the following:
-
As a workspace admin, log in to the Databricks workspace.
-
Click your username in the top bar of the Databricks workspace and select Settings.
-
Click on the Identity and access tab.
-
Next to Groups, click Manage.
-
Click Create Group.
-
Enter a group name and click Create.
Group names must be unique. You cannot change a group name. If you want to change a group name, you must delete the group and recreate it with the new name.
Add members to a workspace-local group using the admin settings page
You cannot add a child group to the admins group.
-
As a workspace admin, log in to the Databricks workspace.
-
Click your username in the top bar of the Databricks workspace and select Settings.
-
Click on the Identity and access tab.
-
Next to Groups, click Manage.
-
Select the group you want to update.
-
On the Members tab, click Add users, groups, or service principals.
-
On the dialog, browse or search for the users, service principals, and groups you want to add and select them.
-
Click Confirm.
You might need to click the down arrow in the selector to hide the drop-down list and show the Confirm button.
Remove a user, group, or service principal from a workspace-local group
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar of the Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Groups, click Manage.
- Select the group you want to update.
- On the Members tab, find the user, group, or service principal you want to remove and click the X in the Actions column.
- Click Remove Member to confirm.
You can also remove a child workspace-local group from its parent workspace-local group by going to the Parents tab for the group you want to remove. Find the parent group you want to remove the child workspace-local group from and click the X in the Actions column.
View parent workspace-local groups
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar of the Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Groups, click Manage.
- Select the group you want to view.
- On the Parent groups tab, view the parent groups for your group.
Change the name of a group
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar of the Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Groups, click Manage.
- Select the group you want to view.
- Under Name, update the name.
- Click Save.