Authentication and access control

This article introduces authentication and workspace object access control in Databricks. For information about securing access to your data, see Data governance guide.

For more information on how to best configure user and groups in Databricks, see Identity best practices.

Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.

Feature

Pricing tier

Single sign-on

Standard

Databricks automation authentication permissions

Premium

SCIM Provisioning

Premium

Databricks personal access token management

Premium

Access control lists

Premium

Single sign-on

Single sign-on enables you to authenticate your users using your organization’s identity provider. Databricks recommends configuring SSO for greater security and improved usability. Once SSO is configured, you can enable fine-grained access control, such as multi-factor authentication, via your identity provider. Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. If your account was created before June 21, 2023, you can also manage SSO individually on your account and workspaces. See Set up SSO in your Databricks account console and Set up SSO for your workspace.

Sync users and groups from your identity provider using SCIM provisioning

You can use SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning, to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. When a user leaves your organization or no longer needs access to Databricks, admins can terminate the user in your identity provider, and that user’s account is also removed from Databricks. This ensures a consistent offboarding process and prevents unauthorized users from accessing sensitive data. For more information, see Sync users and groups from your identity provider.

Secure API authentication

Databricks personal access tokens are one of the most well-supported types of credentials for resources and operations at the Databricks workspace level. In order to secure API authentication, workspace admins can control which users, service principals, and groups can create and use Databricks personal access tokens.

Databricks users can also access REST APIs using their Databricks username and password (basic authentication). In accounts where unified login is disabled, workspace admins can use password access control to grant and revoke the ability for specific users to use basic authentication.

For more information, see Manage access to Databricks automation.

Workspace admins can also review Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. See Manage personal access tokens.

For more information on authenticating to Databricks automation, see Authentication for Databricks automation - overview.

Access control

In Databricks, there are different access control systems for different securable objects. To learn more about them, see Access control overview.