Dashboard administration guide

This article describes the administrative controls at the account and workspace levels that can be applied to AI/BI dashboards.

Dashboard sharing

Published dashboards with embedded credentials can be securely shared with users and groups in your account, even if users don’t have access to the originating workspace. Users must be registered to your Databricks account, but they do not need access to any additional resources or to be added to a workspace.

See Publish a dashboard to learn more about published dashboards and embedded credentials.

Network considerations

If IP access lists are configured, dashboards are only accessible if users access them from within the approved IP range, such as when using a VPN. This applies to all users, regardless of whether they are assigned to a workspace. For more information on configuring access, see Manage IP access lists.

User and group management for dashboard sharing

All users registered with Databricks belong to your Databricks account. Registering a user in a Databricks account establishes a verifiable identity that Databricks can use for authentication when that user views a shared dashboard. Organizing individual users into groups can make sharing easier for dashboard authors and editors. For example, an author can share with a single, named group instead of sharing with each user in the account.

Important

Dashboard account-level sharing supports email and one-time passcode authentication, and unified login with single sign-on (SSO). If a dashboard is shared when the recipient uses one-time passcode login and then the account is later configured for SSO with unified login, account admins should verify dashboard recipients are allowed to access Databricks account using their identity provider configuration. The users who aren’t allowed to login using SSO will no longer be able to access dashboards that were previously shared with them.

Dashboards are created by workspace members with the Databricks SQL access entitlement. Users and groups can have access to zero, one, or multiple workspaces. Workspace users can also be granted permission to access compute resources, allowing them to create and collaborate on dashboards, among other things.

When sharing a dashboard, authors can add users and groups to a People with access list to assign specific permissions, as they do with other workspace objects. Also, they can configure Sharing settings with one of the following options:

  • Only people with access can view

  • Anyone in my account can view

If a dashboard is published with embedded credentials and shared with a specific user, group, or all users in the account, those users can access it regardless of whether they have access to the originating workspace.

The following image shows the relationship between users and groups at the workspace and account levels.

Account level SCIM diagram with dashboard sharing

Databricks recommends that account admins use account-level SCIM provisioning to sync all users and groups automatically from your identity provider to your Databricks account. You can also manually register these users and groups as you set up identities in your Databricks account. This allows them to be included as eligible recipients before an author attempts to share a dashboard. See Enable all identity provider users to access Databricks.

Beyond account registration, no additional configuration is required. Users do not need to be assigned to a workspace or provided access to compute resources.

Manage dashboard embedding

Preview

This feature is in Public Preview.

Embedding allows dashboard users with at least CAN EDIT permissions can generate iframe embed code using the Share dialog. Workspace admins can manage which domains, if any, are approved for hosting an embedded dashboard.

Workspace admin settings are open to the Embed Dashboards heading.

To set a policy that defines the domains where dashboards can be embedded, do the following:

  1. Click your username in the top bar of the Databricks workspace and select Settings.

  2. Click Security.

  3. Scroll down to the External access section.

  4. In the Embed dashboards section, use the drop-down menu to set the policy for your workspace.

    There are three policy options:

    • Allow: Dashboards can be embedded in any domain.

    • Allow approved domains: Dashboards can only be embedded in sites that match the approved list.

    • Deny: Dashboards cannot be embedded in any domain.

If you select Allow approved domains, you can use this section to manage your list of approved domains by doing the following:

  1. Click Manage next to Embed Dashboards.

  2. Type a domain in the Approved domain dialog’s text field. Click Add domain after each entry.

  3. Click Save.

For guidance on defining a list of allowed hosts, see W3C’s Content Security Policy documentation.

Workspace admin subscription controls

Workspace admins can prevent users from distributing dashboards using subscriptions. Changing this setting prevents all users from adding email subscribers to scheduled dashboards. Dashboard editors cannot add subscribers, and dashboard viewers do not have the option to subscribe to a scheduled dashboard.

To prevent sharing email updates:

  1. Click your username in the top bar of the Databricks workspace and select Settings.

  2. In the Settings sidebar, click Notifications.

  3. Turn the Enable dashboard email subscriptions option off.

If this setting is off, existing subscriptions are paused, and no one can modify existing subscription lists. If this setting is switched back on, subscriptions resume using the existing list.

Workspace admin download controls

Workspace admins can adjust their security settings to prevent users from downloading results with the following steps:

  1. Click your username in the top bar of the Databricks workspace and select Settings.

  2. In the Settings sidebar, click Security.

  3. Turn the SQL results download option off.

Transfer ownership of a dashboard

Workspace admins can transfer ownership of a dashboard to a different user.

  1. Go to the list of dashboards. Click a dashboard name to edit.

  2. Click Share.

  3. Click the Gear icon icon at the top-right of the Sharing dialog. Share dialog with gear icon

  4. Begin typing a username to search for and select the new owner.

  5. Click Confirm.

The new owner appears in the Sharing dialog with Can manage permissions. To view dashboards listed by owner, go to the list of available dashboards by clicking Dashboards Icon Dashboards.

Monitor dashboard activity

Admins can monitor the activity on dashboards using audit logs. See Dashboards events.