SQL warehouse access control
With SQL warehouse access control, individual permissions determine a user’s abilities. This article describes the individual permissions and how to configure SQL warehouse access control.
SQL warehouse permissions
There are four permission levels for a SQL warehouse: No Permissions, Can Use, Is Owner, and Can Manage. The table lists the abilities for each permission.
Ability |
No Permissions |
Can Use |
Is Owner |
Can Manage |
|---|---|---|---|---|
View all queries for the warehouse |
x |
x |
||
View details for the warehouse |
x |
x |
x |
|
View warehouse monitoring tab |
x |
x |
||
Start the warehouse |
x |
x |
x |
|
Stop the warehouse |
x |
x |
||
Delete the warehouse |
x |
x |
||
Edit the warehouse |
x |
x |
||
Modify warehouse permissions |
x |
x |
Important: Workspace admins can transfer the ownership of a SQL warehouse to a new owner. The previous owner will be downgraded to have Can Manage permissions. This capability is useful, for instance, in scenarios when the original owner of the warehouse has left the organization. See Transfer ownership of Databricks SQL objects. If a warehouse doesn’t have a valid owner (for example, the previous owner left the company), the SQL warehouse is unusable until a workspace admin takes this action to transfer the ownership to a new owner.
Manage SQL warehouse permissions using the UI
Click SQL Warehouses in the sidebar.
In a warehouse row, click the
kebab menu at the far right and select Permissions.The SQL warehouse permissions display. The warehouse creator and Databricks workspace admins have Can Manage permission.
Select a user or group and a permission.
Click Add.
Click Save.
Manage SQL warehouse permissions using the API
To manage SQL warehouse permissions using the API, invoke methods on the /2.0/permissions/sql/warehouses/<warehouse-id> REST endpoint. For example, to set Can Manage permission for the user user@example.com, run the command:
curl -u 'token:<personal-access-token>' https://<databricks-instance>/api/2.0/permissions/sql/warehouses/<warehouse-id> -X PATCH -d '{ "access_control_list" : [ { "user_name": user@example.com", "permission_level": "CAN_MANAGE" } ] }'
where
<databricks-instance>is the workspace URL of your Databricks deployment.<personal-access-token>is a personal access token.<warehouse-id>is a warehouse ID.