Manage entitlements
This page describes how to manage entitlements for users, service principals, and groups.
Entitlements overview
An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Entitlements are assigned to users at the workspace level. Entitlements are available only in the Premium plan.
Access entitlements
Capability | Consumer access | Databricks SQL access | Workspace access |
---|---|---|---|
Read/run dashboards and Genie spaces | ✓ | ✓ | ✓ |
Query SQL warehouses using BI tools | ✓ | ✓ | |
Read/write Databricks SQL objects | | ✓ | |
Read/write Data Science & Engineering objects | | | ✓ |
Read/write Databricks Mosaic AI objects | | | ✓ |
The `users` group is granted the Workspace access and Databricks SQL access entitlements by default. All workspace users and service principals are members of this group. To provide the Consumer access experience, the `users` group must have only the Consumer access entitlement, or no entitlements. This requires removing the Workspace access and Databricks SQL access entitlements from the `users` group (and the account `users` group, if applicable) and assigning them individually to specific users, service principals, or groups.
To access a Databricks workspace, a user must have at least one access entitlement.
Consumer access vs account users
The previous table summarizes access entitlements in a workspace. The following table compares the capabilities available to workspace users with Consumer access to account users who do not have workspace membership.
Capability | Consumer access to a workspace | Account user without workspace membership |
---|---|---|
View dashboards using embedded credentials | ✓ | ✓ |
View dashboards and Genie spaces using viewer credentials | ✓ | |
View objects using row- and column-level security | ✓ | |
Access to limited consumer workspace UI | ✓ | |
Query SQL warehouses using BI tools | ✓ | |
Compute entitlements
The Allow unrestricted cluster creation and Allow pool creation entitlements control the ability to provision compute resources in a workspace.
- Allow unrestricted cluster creation grants users or service principals permission to create unrestricted clusters.
- Allow pool creation allows members of a group to create instance pools.
These entitlements are not granted by default and cannot be removed from workspace admins. You cannot grant the `allow-instance-pool-create` entitlement using the admin settings page. Instead, use the Workspace Users, Service Principals, or Groups API.
Manage entitlements on users
Workspace admins can add or remove an entitlement for a user using the workspace admin settings page. You can also use the Workspace Users API.
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar of the Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Users, click Manage.
- Select the user.
- Click the Entitlements tab.
- To add an entitlement, select the toggle in the corresponding column.
The `users` group is granted the Workspace access and Databricks SQL access entitlements by default, and all workspace users and service principals are members of this group. Because the Consumer access entitlement is more restrictive, granting it on its own requires removing the Workspace access and Databricks SQL access entitlements from the `users` group. You must then assign entitlements individually to users, service principals, or groups.
To remove an entitlement, perform the same steps, but deselect the toggle instead.
If an entitlement is inherited from a group, the entitlement toggle is selected but grayed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.
Manage entitlements on service principals
Workspace admins can add or remove an entitlement for a service principal using the workspace admin settings page. You can also use the Workspace Service Principals API.
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar of the Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Service principals, click Manage.
- Select the service principal you want to update.
- To add an entitlement, under Entitlements, select the corresponding checkbox.
To remove an entitlement, perform the same steps, but clear the checkbox instead.
If an entitlement is inherited from a group, the entitlement toggle is selected but grayed out. To remove an inherited entitlement, either remove the service principal from the group that has the entitlement, or remove the entitlement from the group.
Manage entitlements on groups
Workspace admins can manage group entitlements at the workspace level, regardless of whether the group was created in the account or is workspace-local.
- As a workspace admin, log in to the Databricks workspace.
- Click your username in the top bar of the Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Groups, click Manage.
- Select the group you want to update. You must have the group manager role on the group to update it.
- On the Entitlements tab, select the entitlement you want to grant to all users in the group.
To remove an entitlement, perform the same steps, but deselect the toggle instead. Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.
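The inheritance rules described above (a grayed-out toggle for an entitlement held only through a group, and members keeping an entitlement after it is removed from one group if they hold it directly or through another group) can be checked offline before touching the settings page. The script below is an added example, not Databricks code; the user, service principal and group records are constructed to mirror the shape of SCIM objects (`entitlements` as `[{"value": ...}]`, membership as `[{"value": group_id}]`) and every id and name in them is made up. It also applies the page's rule that a principal needs at least one access entitlement to use the workspace, using the two access values whose API names are known here.

```python
"""Resolve effective Databricks entitlements from direct grants plus group
membership, and report what an admin should expect to see on the
Entitlements tab.

Added example, not Databricks code.  The records below are constructed to
mirror SCIM user/group objects; all ids and names are made up.
"""
from collections import defaultdict

# Access entitlements whose SCIM values are known; the Consumer access value
# is not given on the page and is therefore not modelled here.
ACCESS_ENTITLEMENTS = {"workspace-access", "databricks-sql-access"}
COMPUTE_ENTITLEMENTS = {"allow-cluster-create", "allow-instance-pool-create"}

# Constructed sample data.  The "users" group carries the two default
# access entitlements, as the page describes.
GROUPS = {
    "g-users": {"displayName": "users",
                "entitlements": [{"value": "workspace-access"},
                                 {"value": "databricks-sql-access"}]},
    "g-platform": {"displayName": "platform-admins",
                   "entitlements": [{"value": "allow-cluster-create"},
                                    {"value": "allow-instance-pool-create"}]},
    "g-analysts": {"displayName": "analysts",
                   "entitlements": [{"value": "databricks-sql-access"}]},
}
PRINCIPALS = [
    {"id": "u1", "userName": "ana@example.com", "entitlements": [],
     "groups": [{"value": "g-users"}, {"value": "g-analysts"}]},
    {"id": "u2", "userName": "bob@example.com",
     "entitlements": [{"value": "allow-cluster-create"}],
     "groups": [{"value": "g-users"}, {"value": "g-platform"}]},
    # A service principal with a compute entitlement but no access
    # entitlement: it cannot use the workspace at all.
    {"id": "sp1", "displayName": "etl-sp",
     "entitlements": [{"value": "allow-cluster-create"}], "groups": []},
]


def _values(record: dict) -> set:
    return {e["value"] for e in record.get("entitlements", [])}


def effective_entitlements(principal: dict, groups: dict) -> dict:
    """Map each effective entitlement to the sources granting it.

    "direct" marks an individual grant; otherwise the source is the
    display name of the group the grant is inherited from.
    """
    sources = defaultdict(set)
    for ent in _values(principal):
        sources[ent].add("direct")
    for membership in principal.get("groups", []):
        group = groups[membership["value"]]
        for ent in _values(group):
            sources[ent].add(group["displayName"])
    return dict(sources)


def is_inherited_only(principal: dict, groups: dict, entitlement: str) -> bool:
    """True when the UI toggle would be selected but grayed out."""
    srcs = effective_entitlements(principal, groups).get(entitlement, set())
    return bool(srcs) and "direct" not in srcs


def keeps_after_group_revoke(principal: dict, groups: dict,
                             group_id: str, entitlement: str) -> bool:
    """Would the member still hold the entitlement after it is removed
    from this group?  Only if granted directly or via another group."""
    srcs = effective_entitlements(principal, groups).get(entitlement, set())
    return bool(srcs - {groups[group_id]["displayName"]})


def review(principals: list, groups: dict) -> dict:
    """Flag principals with no access entitlement and list who holds
    compute entitlements, with the source of each grant."""
    findings = {"no_access": [], "compute": []}
    for p in principals:
        name = p.get("userName") or p.get("displayName")
        eff = effective_entitlements(p, groups)
        if not (eff.keys() & ACCESS_ENTITLEMENTS):
            findings["no_access"].append(name)
        for ent in sorted(eff.keys() & COMPUTE_ENTITLEMENTS):
            findings["compute"].append((name, ent, sorted(eff[ent])))
    return findings


if __name__ == "__main__":
    for name, ent, srcs in review(PRINCIPALS, GROUPS)["compute"]:
        print(f"{name}: {ent} via {', '.join(srcs)}")
    print("no access entitlement:", review(PRINCIPALS, GROUPS)["no_access"])
```

Running it against real SCIM output (GET on the Users, ServicePrincipals and Groups collections) instead of the constructed records gives a quick list of every principal that can create clusters or pools and of where each grant comes from, which is the information needed to decide whether removing an entitlement from a group actually revokes it.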