SQL warehouse access control

With SQL warehouse access control, individual permissions determine a user’s abilities. This article describes the individual permissions and how to configure SQL warehouse access control.

SQL warehouse permissions

There are four permission levels for a SQL warehouse: No Permissions, Can Use, Is Owner, and Can Manage. The table lists the abilities for each permission.

Ability

No Permissions

Can Use

Is Owner

Can Manage

View all queries for the warehouse

x

x

View details for the warehouse

x

x

x

View warehouse monitoring tab

x

x

Start the warehouse

x

x

x

Stop the warehouse

x

x

Delete the warehouse

x

x

Edit the warehouse

x

x

Modify warehouse permissions

x

x

Important: Workspace admins can transfer the ownership of a SQL warehouse to a new owner. The previous owner will be downgraded to have Can Manage permissions. This capability is useful, for instance, in scenarios when the original owner of the warehouse has left the organization. See Transfer ownership of Databricks SQL objects. If a warehouse doesn’t have a valid owner (for example, the previous owner left the company), the SQL warehouse is unusable until a workspace admin takes this action to transfer the ownership to a new owner.

Manage SQL warehouse permissions using the UI

  1. Click SQL Warehouses in the sidebar.

  2. In a warehouse row, click the Kebab menu kebab menu at the far right and select Permissions.

    The SQL warehouse permissions display. The warehouse creator and Databricks workspace admins have Can Manage permission.

    Add permission
  3. Select a user or group and a permission.

  4. Click Add.

  5. Click Save.

Manage SQL warehouse permissions using the API

To manage SQL warehouse permissions using the API, invoke methods on the /2.0/permissions/sql/warehouses/<warehouse-id> REST endpoint. For example, to set Can Manage permission for the user user@example.com, run the command:

curl -u 'token:<personal-access-token>' https://<databricks-instance>/api/2.0/permissions/sql/warehouses/<warehouse-id> -X PATCH -d '{ "access_control_list" : [ { "user_name": user@example.com", "permission_level": "CAN_MANAGE" } ] }'

where