Authentication and access control

This article introduces authentication and access control in Databricks. For information about securing access to your data, see Data governance with Unity Catalog.

For more information on how to best configure user and groups in Databricks, see Identity best practices.

Single sign-on

Single sign-on enables you to authenticate your users using your organization’s identity provider. Databricks recommends configuring SSO for greater security and improved usability. Once SSO is configured, you can enable fine-grained access control, such as multi-factor authentication, via your identity provider. Unified login allows you to manage one SSO configuration in your account that is used for the account and Databricks workspaces. If your account was created after June 21, 2023, unified login is enabled on your account by default for all workspaces, new and existing, and it cannot be disabled. See Configure SSO in Databricks.

If you don’t configure single sign-on, users can login to Databricks using a selected external account, like Google, or a one-time passcode. See Sign-in with email or external accounts.

To prevent lockouts, account admins can set up emergency access for up to 20 users. These users can sign into Databricks using a password and multi-factor authentication (MFA). See Emergency access to prevent lockouts.

Sync users and groups from your identity provider using SCIM provisioning

You can use SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning, to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. When a user leaves your organization or no longer needs access to Databricks, admins can terminate the user in your identity provider, and that user’s account is also removed from Databricks. This ensures a consistent offboarding process and prevents unauthorized users from accessing sensitive data. For more information, see Sync users and groups from your identity provider.

Secure API authentication with OAuth

Databricks OAuth supports secure credentials and access for resources and operations at the Databricks workspace level and supports fine-grained permissions for authorization.

Note

Basic authentication using a Databricks username and password reached end of life on July 10, 2024. See End of life for Databricks-managed passwords.

For more information, see Manage personal access token permissions.

For more information on authenticating to Databricks automation overall, see Authenticate access to Databricks resources.

Databricks also supports personal access tokens (PATs), but recommends you use OAuth instead. For details on using PATs, see Monitor and manage access to personal access tokens.

Access control overview

In Databricks, there are different access control systems for different securable objects. The table below shows which access control system governs which type of securable object.

Securable object

Access control system

Workspace-level securable objects

Access control lists

Account-level securable objects

Account role based access control

Data securable objects

Unity Catalog

Databricks also provides admin roles and entitlements that are assigned directly to users, service principals, and groups.

For information about securing data, see Data governance with Unity Catalog.

Access control lists

In Databricks, you can use access control lists (ACLs) to configure permission to access workspace objects such as notebooks and SQL Warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. For more information on access control lists, see Access control lists.

Account role based access control

You can use account role based access control to configure permission to use account-level objects such as service principals and groups. Account roles are defined once, in your account, and apply across all workspaces. All account admin users can manage account roles, as can users who have been given delegated permissions to manage them, such as group managers and service principal managers.

Follow these articles for more information on account roles on specific account-level objects:

Databricks admin roles

In addition to access control on securable objects, there are built-in roles on the Databricks platform. Users, service principals, and groups can be assigned roles.

There are two main levels of admin privileges available on the Databricks platform:

  • Account admins: Manage the Databricks account, including workspace creation, user management, cloud resources, and account usage monitoring.

  • Workspace admins: Manage workspace identities, access control, settings, and features for individual workspaces in the account.

Additionally, users can be assigned these feature-specific admin roles, which have narrower sets of privileges:

  • Marketplace admins: Manage their account’s Databricks Marketplace provider profile, including creating and managing Marketplace listings.

  • Metastore admins: Manage privileges and ownership for all securable objects within a Unity Catalog metastore, such as who can create catalogs or query a table.

Users can also be assigned to be workspace users. A workspace user has the ability to log in to a workspace, where they can be granted workspace-level permissions.

For more information, see Setting up single sign-on (SSO).

Workspace entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Workspace admins assign entitlements to users, service principals, and groups at the workspace-level. For more information, see Manage entitlements.