SAP Databricks admin best practices
This article presents considerations and best practices for admins in SAP Databricks accounts.
Data access management
Data governance is handled through Unity Catalog, which provides centralized access control, auditing, lineage, and data discovery capabilities across your SAP Databricks workspaces. For more information on Unity Catalog, see Data governance with Unity Catalog.
Default workspace catalog
Every workspace includes a workspace catalog, which, when originally provisioned, is named after your workspace. All users in your workspace can create assets in the default schema in this catalog. By default, this catalog is bound to your workspace, which means that it can only be accessed through your workspace.
SAP Databricks-specific data access considerations
- Data products shared from SAP BDC are automatically added to a catalog in SAP Databricks. By default, all users in an SAP Databricks workspace have read-only access to the shared schemas and tables.
- Admins can manage user and group permissions for a Delta Sharing share using Unity Catalog's privilege model.
- To keep SAP data within SAP-managed storage, all external locations and all storage credentials must be marked as read-only.
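The two controls above, scoping access to a shared catalog with Unity Catalog privileges and marking external locations and storage credentials read-only, as an added example in Databricks SQL. This is not code from the original article. The catalog `sap_bdc_shared`, schema `sales`, group `finance-analysts`, external location `sap_archive_loc` and storage credential `sap_archive_cred` are assumed names; that the default read-only access is held by the built-in `account users` group is also an assumption, so inspect `SHOW GRANTS` before revoking anything.

```sql
-- Added example (Databricks SQL); object names are assumptions, not from the article.

-- 1. Inspect who currently holds access on the shared schema before changing it.
SHOW GRANTS ON SCHEMA sap_bdc_shared.sales;

-- 2. Replace the broad default grant (assumed to be on `account users`)
--    with a grant scoped to the team that actually needs the data.
REVOKE SELECT ON SCHEMA sap_bdc_shared.sales FROM `account users`;
REVOKE USE SCHEMA ON SCHEMA sap_bdc_shared.sales FROM `account users`;

GRANT USE CATALOG ON CATALOG sap_bdc_shared TO `finance-analysts`;
GRANT USE SCHEMA ON SCHEMA sap_bdc_shared.sales TO `finance-analysts`;
GRANT SELECT ON SCHEMA sap_bdc_shared.sales TO `finance-analysts`;

-- 3. Keep SAP data inside SAP-managed storage: every storage credential and
--    external location must be read-only, so nothing can be written out to
--    customer-controlled cloud storage.
ALTER STORAGE CREDENTIAL sap_archive_cred SET READ ONLY;
ALTER EXTERNAL LOCATION sap_archive_loc SET READ ONLY;

-- 4. Verify. The read_only column must report true for both objects;
--    any object still showing false is a policy violation to fix.
DESCRIBE STORAGE CREDENTIAL sap_archive_cred;
DESCRIBE EXTERNAL LOCATION sap_archive_loc;

-- 5. Confirm the final grant set on the shared schema.
SHOW GRANTS ON SCHEMA sap_bdc_shared.sales;
```

Run these as the owner of the objects or as a metastore admin. Revoking from `account users` only makes sense if that is where the default grant lives in your metastore; if the grant was made on the catalog rather than the schema, revoke at the level where `SHOW GRANTS` shows it.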
Workspace creation
Your SAP Databricks account allows you to create multiple workspaces within the same account. This is useful when your organization requires separate environments for different stages of development or for different teams. For example, you might create dedicated workspaces for development, testing, and production, or set up an isolated environment for a specific team.
Account admins can create new SAP Databricks workspaces from the account console. All workspaces in SAP Databricks are serverless workspaces where storage and compute are managed for you.
For instructions, see Create a new workspace.
Accounts can only deploy workspaces in a single region.
Networking configurations
SAP Databricks supports the following networking and security features:
- IP access lists to restrict access to your Databricks account and workspaces based on a user's IP address
- Enable access from Databricks to other sources on your network using a network connectivity configuration (NCC)
- Manage outbound network connectivity with serverless egress controls
For more on enabling and managing these features, see Networking and security.
Identity management
Users can be synchronized to SAP Databricks from SAP Cloud Identity Services, Identity Provisioning. Databricks recommends using Cloud Identity Services as the single source of truth across your SAP environment. Because all users sign in using single sign-on, passwords are not supported on SAP Databricks.
Databricks recommends using account-level groups to manage workspace access and access-control policies. All Databricks identities can be assigned as members of groups, and members inherit permissions that are assigned to their group. You can add your managed groups to Databricks account groups.
See Identity management and permissions.
Usage monitoring
To help monitor costs at a granular level, you can create serverless budget policies. These policies help enforce cost attribution tags on serverless compute workloads. For more information, see Attribute usage with serverless budget policies.
Your account's usage is populated in the billable usage system table. Workspace admins can access the table at system.billing.usage.
You can use the pricing table (system.billing.list_prices) to view the list prices for each SKU in CUs.
For examples of monitoring costs, see View and query the billing logs.
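A worked cost query over the two system tables named above, as an added example in Databricks SQL that is not part of the original article. It joins system.billing.usage to system.billing.list_prices on SKU, unit and price validity window, attributes cost by a custom tag, and then lists usage that carries no such tag, which is the usage a serverless budget policy would be meant to catch. The tag key `team` is an assumption; the column names are the documented ones for these tables.

```sql
-- Added example (Databricks SQL); the `team` tag key is an assumption.

-- Cost per workspace, SKU and team for the last 30 days at list price.
-- The join picks the price row whose validity window contains the usage
-- start time, so repriced SKUs are charged at the rate in force at the time.
WITH priced AS (
  SELECT
    u.usage_date,
    u.workspace_id,
    u.sku_name,
    u.usage_unit,
    COALESCE(u.custom_tags['team'], 'untagged') AS team,
    u.usage_quantity,
    p.pricing.effective_list.default AS unit_price,
    p.currency_code
  FROM system.billing.usage AS u
  JOIN system.billing.list_prices AS p
    ON  u.sku_name = p.sku_name
    AND u.usage_unit = p.usage_unit
    AND u.usage_start_time >= p.price_start_time
    AND (p.price_end_time IS NULL OR u.usage_start_time < p.price_end_time)
  WHERE u.usage_date >= current_date() - INTERVAL 30 DAYS
)
SELECT
  workspace_id,
  sku_name,
  team,
  currency_code,
  SUM(usage_quantity)                          AS units,
  ROUND(SUM(usage_quantity * unit_price), 2)   AS list_cost
FROM priced
GROUP BY ALL
ORDER BY list_cost DESC;

-- Usage with no `team` tag at all. Anything non-zero here is spend that
-- cannot be attributed, i.e. workloads a budget policy should be enforcing on.
SELECT
  workspace_id,
  sku_name,
  SUM(usage_quantity) AS untagged_units
FROM system.billing.usage
WHERE usage_date >= current_date() - INTERVAL 30 DAYS
  AND (custom_tags IS NULL OR NOT map_contains_key(custom_tags, 'team'))
GROUP BY ALL
ORDER BY untagged_units DESC;
```

The first query reports list cost, not negotiated or discounted cost; treat it as a relative view for attribution rather than an invoice reconciliation.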
Metastore management
Workspace admins have catalog admin privileges on the workspace-bound catalog by default. Additionally, account admins can assign metastore admin privileges to users.
Because storage in SAP Databricks is managed by SAP, metastore admins must not:
- Disable Delta Sharing on metastores
- Remove or change the metastore's root storage location
- Remove workspaces from metastores
- Create or delete metastores
- Modify the Delta Sharing token lifetime