Manage entitlements
This page describes how to manage entitlements for users, service principals, and groups.
Entitlements overview
An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Entitlements are assigned to users at the workspace level. Entitlements are available only in the Premium plan or above.
Access entitlements
Each access entitlement grants a user access to a specific set of features in the workspace:
- Consumer: Grants access to a simplified environment for viewing dashboards and Genie spaces. See What is consumer access?.
- Databricks SQL access: Grants access to Databricks SQL features, including dashboards, queries, and SQL warehouses. See What is Databricks SQL?.
- Workspace access: Grants access to core workspace features such as notebooks, jobs, models, and pipelines in the Data Science & Engineering and Databricks Mosaic AI areas. See Data engineering with Databricks and AI and machine learning on Databricks.
The table below shows which capabilities are granted with each access entitlement:
Capability | Consumer access | Databricks SQL access | Workspace access |
---|---|---|---|
Read/run dashboards and Genie spaces | ✓ | ✓ | ✓ |
Query SQL warehouses using BI tools | ✓ | ✓ | |
Read/write Databricks SQL objects | | ✓ | |
Read/write Data Science & Engineering objects | | | ✓ |
Read/write Databricks Mosaic AI objects | | | ✓ |
To access a Databricks workspace, a user must have at least one access entitlement.
Consumer access vs account users
The previous table summarizes access entitlements in a workspace. The following table compares the capabilities available to workspace users with Consumer access to account users who do not have workspace membership.
Capability | Consumer access to a workspace | Account user without workspace membership |
---|---|---|
View dashboards using embedded credentials | ✓ | ✓ |
View dashboards and Genie spaces using viewer credentials | ✓ | |
View objects using row- and column-level security | ✓ | |
Access to limited consumer workspace UI | ✓ | |
Query SQL warehouses using BI tools | ✓ | |
Compute entitlements
The Allow unrestricted cluster creation and Allow pool creation entitlements control the ability to provision compute resources in a workspace. Workspace admins receive these entitlements by default, and they cannot be removed. Non-admin users are not granted them unless explicitly assigned.
- Allow unrestricted cluster creation grants users or service principals permission to create unrestricted clusters.
- Allow pool creation enables instance pool creation. It can only be granted to groups. This entitlement appears in the admin settings UI only if a group already has it. You can remove it using the UI for any group except the `admins` group, where it cannot be removed. To assign it to a group, use the API. See Manage entitlements using the API.
Default entitlements
Some entitlements are granted automatically to specific users and groups:
- Workspace admins are always granted the following entitlements, and they cannot be removed:
  - Workspace access
  - Allow unrestricted cluster creation
  - Allow pool creation
  Admins are also granted Databricks SQL access by default, but it can be removed. However, because admins retain entitlement management permissions, they can reassign it to themselves at any time.
- Workspace users are granted Workspace access and Databricks SQL access by default through their membership in the `users` group. All workspace users and service principals are automatically added to this group. The default entitlements on the `users` group affect how you assign or restrict entitlements. To provide the Consumer access experience, you must remove the default entitlements from the `users` group (and the `account users` group, if applicable) and assign entitlements individually to specific users, service principals, or groups. See Clone a workspace group to a new account group.
Manage entitlements using the workspace admin settings page
Workspace admins can manage entitlements for users, service principals, and groups using the workspace admin settings page.
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar and select Settings.
- Click the Identity and access tab.
- Depending on what you want to manage, click Manage next to Users, Service principals, or Groups.
- Select the user, service principal, or group you want to update.
- For users and groups, click the Entitlements tab. For service principals, entitlement checkboxes are shown directly.
- To grant an entitlement, select the toggle next to the entitlement. To remove an entitlement, deselect the toggle.
If an entitlement is inherited from a group, the toggle appears selected but is grayed out. To remove an inherited entitlement, either:
- Remove the user or service principal from the group that has the entitlement, or
- Remove the entitlement from the group itself.
Removing a group entitlement affects all members of that group unless they are granted the entitlement individually or through another group.
Manage entitlements using the API
You can manage entitlements for users, service principals, and groups using the workspace SCIM API (the Users, ServicePrincipals, and Groups endpoints). The table below lists each entitlement and its corresponding API name:
Entitlement name | Entitlement API name |
---|---|
Workspace access | `workspace-access` |
Databricks SQL access | `databricks-sql-access` |
Allow unrestricted cluster creation | `allow-cluster-create` |
Allow pool creation | `allow-instance-pool-create` |
For example, to assign the `allow-instance-pool-create` entitlement to a group using the API:

```bash
curl --netrc -X PATCH \
  https://<databricks-instance>/api/2.0/preview/scim/v2/Groups/<group-id> \
  --header 'Content-type: application/scim+json' \
  --data @update-group.json \
  | jq .
```

`update-group.json`:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "add",
      "path": "entitlements",
      "value": [
        { "value": "allow-instance-pool-create" }
      ]
    }
  ]
}
```
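The following Python script is an added example, not code from the Databricks documentation or the Databricks SDK. It ties together two points above: the default-entitlements section (a user can inherit `workspace-access` and `databricks-sql-access` through the built-in `users` group, which is why the UI greys out the toggle and why those defaults must be removed before a Consumer-only experience works) and the SCIM PatchOp body shown in the curl example. The SCIM user and group records are constructed sample data shaped like SCIM responses, not real API output; the `remove` operation uses a standard RFC 7644 filter path, which is an assumption about how you would drop a single entitlement rather than something the page shows.

```python
"""Audit effective entitlements and build SCIM PatchOp bodies.

Added example: constructed sample data, not real Databricks API output.
"""
import json

# Entitlement API names carried in the SCIM "entitlements" attribute.
WORKSPACE_ACCESS = "workspace-access"
SQL_ACCESS = "databricks-sql-access"
CLUSTER_CREATE = "allow-cluster-create"
POOL_CREATE = "allow-instance-pool-create"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: the built-in "users" group still carries its defaults,
# and a second group meant for dashboard consumers carries nothing.
SAMPLE_GROUPS = [
    {"id": "100", "displayName": "users",
     "entitlements": [{"value": WORKSPACE_ACCESS}, {"value": SQL_ACCESS}],
     "members": [{"value": "u1"}, {"value": "u2"}]},
    {"id": "200", "displayName": "dashboard-consumers",
     "entitlements": [],
     "members": [{"value": "u2"}]},
]
SAMPLE_USERS = [
    {"id": "u1", "userName": "alice@example.com",
     "entitlements": [{"value": CLUSTER_CREATE}]},
    {"id": "u2", "userName": "bob@example.com", "entitlements": []},
]


def entitlement_values(resource):
    """Return the set of entitlement API names on a SCIM user or group."""
    return {e["value"] for e in resource.get("entitlements", [])}


def effective_entitlements(user, groups):
    """Map each entitlement the user ends up with to where it comes from.

    A source is "direct" (set on the user) or the displayName of a group the
    user belongs to. Inherited-only entries are the ones the UI greys out:
    they can only be cleared by leaving the group or editing the group.
    """
    sources = {}
    for ent in entitlement_values(user):
        sources.setdefault(ent, []).append("direct")
    for group in groups:
        member_ids = {m["value"] for m in group.get("members", [])}
        if user["id"] in member_ids:
            for ent in entitlement_values(group):
                sources.setdefault(ent, []).append(group["displayName"])
    return sources


def users_group_defaults(groups):
    """Default entitlements still granted by the built-in "users" group.

    Every workspace user and service principal is a member, so anything
    returned here blocks a Consumer-access-only setup until it is removed.
    """
    for group in groups:
        if group.get("displayName") == "users":
            return entitlement_values(group) & {WORKSPACE_ACCESS, SQL_ACCESS}
    return set()


def scim_entitlement_patch(op, entitlement):
    """Build the SCIM PatchOp body for adding or removing one entitlement.

    "add" mirrors the update-group.json shown on the page. "remove" uses an
    RFC 7644 filter path to select just the one entitlement (assumption).
    """
    if op == "add":
        operation = {"op": "add", "path": "entitlements",
                     "value": [{"value": entitlement}]}
    elif op == "remove":
        operation = {"op": "remove",
                     "path": f'entitlements[value eq "{entitlement}"]'}
    else:
        raise ValueError("op must be 'add' or 'remove'")
    return {"schemas": [PATCH_SCHEMA], "Operations": [operation]}


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["userName"], effective_entitlements(user, SAMPLE_GROUPS))
    print("users group defaults:", sorted(users_group_defaults(SAMPLE_GROUPS)))
    # Body you would send with the curl command above to clear one default.
    print(json.dumps(scim_entitlement_patch("remove", WORKSPACE_ACCESS), indent=2))
```

Running it shows that bob has no direct entitlements yet still holds `workspace-access` and `databricks-sql-access` through `users`, so adding him to `dashboard-consumers` alone changes nothing; the defaults on `users` have to be patched away first, and the printed PatchOp body is the shape of that request.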