Authentication and access control
This article introduces authentication and workspace object access control in Databricks. For information about securing access to your data, see the Data governance guide.
For more information on how to best configure users and groups in Databricks, see Identity best practices.
Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.
| Feature | Pricing tier |
|---|---|
| Single sign-on | Standard |
| Databricks automation authentication permissions | Premium |
| SCIM Provisioning | Premium |
| Databricks personal access token management | Premium |
| Access control lists | Premium |
Single sign-on
Single sign-on enables you to authenticate your users using your organization’s identity provider. Databricks recommends configuring SSO for greater security and improved usability. Once SSO is configured, you can enable multi-factor authentication via your identity provider. Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. If your account was created before June 21, 2023, you can also manage SSO individually on your account and workspaces. See Set up SSO in your Databricks account console and Set up SSO for your workspace.
Sync users and groups from your identity provider using SCIM provisioning
You can use SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. When a user leaves your organization or no longer needs access to Databricks, admins can terminate the user in your identity provider and that user’s account is also removed from Databricks. This ensures a consistent offboarding process and prevents unauthorized users from accessing sensitive data. For more information, see Sync users and groups from your identity provider.
Secure API authentication
Databricks personal access tokens are one of the most widely supported types of credentials for resources and operations at the Databricks workspace level. To secure API authentication, workspace admins can control which users, service principals, and groups can create and use Databricks personal access tokens.
Databricks users can also access REST APIs using their Databricks username and password (native authentication). In accounts where unified login is disabled, workspace admins can use password access control to grant and revoke the ability for specific users to use native authentication.
For more information, see Manage access to Databricks automation.
Workspace admins can also review Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. See Manage personal access tokens.
For more information on authenticating to Databricks automation, see Authentication for Databricks automation.
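The token review described above (list tokens, find the ones that should be deleted, enforce a maximum lifetime) is the kind of check an admin would run on a schedule. The following is an added example, not Databricks code or part of this page: it applies a lifetime policy to a constructed list of token records. The record shape (token_id, created_by_username, creation_time, expiry_time, comment, epoch milliseconds, and expiry_time of -1 meaning "never expires") mirrors what a token-management listing returns and is an assumption to confirm against the current API reference; the sample records themselves are made up.

```python
from datetime import datetime, timedelta, timezone

# Reference time for the constructed sample (fixed so the run is reproducible).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _ms(dt):
    """Epoch milliseconds for a timezone-aware datetime."""
    return int(dt.timestamp() * 1000)


# Constructed sample records, not real tokens. The field names mirror the
# shape of a Databricks token-management list response (token_id,
# created_by_username, creation_time, expiry_time, comment); that shape and
# the convention that expiry_time == -1 means "never expires" are
# assumptions to confirm against the current API reference.
SAMPLE_TOKENS = [
    {"token_id": "t-1", "created_by_username": "alice@example.com",
     "creation_time": _ms(NOW - timedelta(days=10)),
     "expiry_time": _ms(NOW + timedelta(days=20)), "comment": "CI pipeline"},
    {"token_id": "t-2", "created_by_username": "bob@example.com",
     "creation_time": _ms(NOW - timedelta(days=400)),
     "expiry_time": -1, "comment": "laptop"},
    {"token_id": "t-3", "created_by_username": "carol@example.com",
     "creation_time": _ms(NOW - timedelta(days=100)),
     "expiry_time": _ms(NOW + timedelta(days=300)), "comment": "long-lived job"},
    {"token_id": "t-4", "created_by_username": "dave@example.com",
     "creation_time": _ms(NOW - timedelta(days=200)),
     "expiry_time": _ms(NOW - timedelta(days=5)), "comment": "old script"},
]


def review_tokens(tokens, max_lifetime_days, now=NOW):
    """Return (token_id, owner, reason) for every token that breaks the policy.

    Policy: every token must expire, its total lifetime (creation to expiry)
    must not exceed max_lifetime_days, and expired tokens should be deleted
    rather than left on the list.
    """
    limit = timedelta(days=max_lifetime_days)
    findings = []
    for tok in tokens:
        owner = tok.get("created_by_username", "?")
        if tok.get("expiry_time", -1) == -1:
            findings.append((tok["token_id"], owner, "no expiry"))
            continue
        created = datetime.fromtimestamp(tok["creation_time"] / 1000, tz=timezone.utc)
        expires = datetime.fromtimestamp(tok["expiry_time"] / 1000, tz=timezone.utc)
        if expires <= now:
            findings.append((tok["token_id"], owner, "expired, delete"))
        elif expires - created > limit:
            findings.append((tok["token_id"], owner, "lifetime exceeds policy"))
    return findings


if __name__ == "__main__":
    for token_id, owner, reason in review_tokens(SAMPLE_TOKENS, max_lifetime_days=90):
        print(f"{token_id:<6} {owner:<20} {reason}")
```

In practice the `max_lifetime_days` argument should match the maximum lifetime the workspace enforces for new tokens, so the review catches tokens created before that limit was set; tokens flagged "no expiry" are the ones worth addressing first, since a leaked non-expiring token stays valid until someone deletes it.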
Access control lists
In Databricks, you can use access control lists (ACLs) to configure permissions on workspace objects such as notebooks, experiments, models, clusters, jobs, dashboards, queries, and SQL warehouses. All workspace admin users can manage access control lists, as can users who have been delegated permission to manage them. See Access control.