Manage entitlements

This article describes the how to manage entitlements for users, service principals, and groups.

Note

Entitlements are available only in the Premium plan or above.

Entitlements overview

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Entitlements are assigned to users at the workspace level. The following table lists entitlements and the workspace UI and API property names that you use to manage each one. You can use the workspace admin settings page and Workspace Users, Service Principals, and Groups APIs to manage entitlements.

Entitlement name

Entitlement API name

Default

Description

Workspace access

workspace-access

Granted by default.

When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments.

Can’t be removed from workspace admins.

Databricks SQL access

databricks-sql-access

Granted by default.

When granted to a user or service principal, they can access Databricks SQL.

Allow unrestricted cluster creation

allow-cluster-create

Not granted to users or service principals by default.

When granted to a user or service principal, they can create unrestricted clusters. You can restrict access to existing clusters using cluster-level permissions.

Can’t be removed from workspace admins.

Allow pool creation (not available via UI)

allow-instance-pool-create

Can’t be granted to individual users or service principals.

When granted to a group, its members can create instance pools.

Can’t be removed from workspace admins.

The users group is granted the Workspace access and Databricks SQL access entitlements by default. All workspace users and service principals are members of the users group. To assign these entitlements on a user-by-user basis, a workspace admin must remove the entitlement from the users group and assign it individually to users, service principals, and groups.

To log in and access a Databricks workspace, a user must have the Databricks SQL access or Workspace access entitlement.

You cannot grant the allow-instance-pool-create entitlement using the admin settings page. Instead, use the Workspace Users, Service Principals, or Groups API.

Manage entitlements on users

Workspace admins can add or remove an entitlement for a user using the workspace admin settings page. You can also use the Workspace Users API.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to Users, click Manage.

  5. Select the user.

  6. Click the Entitlements tab.

  7. To add an entitlement, select the toggle in the corresponding column.

To remove an entitlement, perform the same steps, but deselect the toggle instead.

If an entitlement is inherited from a group, the entitlement toggle is selected but grayed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.

Manage entitlements on service principals

Workspace admins can add or remove an entitlement for a service principal using the workspace admin settings page. You can also use the Workspace Service Principals API.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to Service principals, click Manage.

  5. Select the service principal you want to update.

  6. To add an entitlement, under Entitlements, select the corresponding checkbox.

To remove an entitlement, perform the same steps, but clear the checkbox instead.

If an entitlement is inherited from a group, the entitlement toggle is selected but grayed out. To remove an inherited entitlement, either remove the service principal from the group that has the entitlement, or remove the entitlement from the group.

Manage entitlements on groups

Workspace admins can manage group entitlements at the workspace level, regardless of whether the group was created in the account or is workspace-local.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to Groups, click Manage.

  5. Select the group you want to update. You must have the group manager role on the group to update it.

  6. On the Entitlements tab, select the entitlement you want to grant to all users in the group.

To remove an entitlement, perform the same steps, but deselect the toggle instead. Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.