Manage groups

This article explains how admins create and manage SAP Databricks groups.

To manage access for groups, see Authentication and access control.

Overview of group management

Groups simplify identity management by making it easier to assign access to workspaces, data, and other securable objects. All Databricks identities can be assigned as members of groups.

Types of groups in SAP Databricks

SAP Databricks has four types of groups, categorized based on their source:

  • Account groups can be granted access to data in a Unity Catalog metastore, roles on service principals and groups, and permissions to workspaces.
  • External groups are groups that are created in SAP Databricks from your IdP. These groups are created using a SCIM provisioning connector and stay in sync with SAP Cloud Identity Services. By default, external group membership cannot be updated from the SAP Databricks account console or workspace admin settings page. External groups are account groups.
  • System groups are created and maintained by SAP Databricks. Each account has an account system group called account users, which includes all users. There are two workspace-level system groups in each workspace: users and admins. All members of the workspace belong to the users group, and workspace admins are also members of the admins group. System groups cannot be deleted.

Who can manage account groups?

To create account groups in SAP Databricks, you must be an account admin or a workspace admin.

To manage account groups in SAP Databricks, you must have the group manager role (Public Preview) on a group. Group managers can manage group membership and delete the group. They can also assign other users the group manager role. Account admins can manage group roles using the account console, and workspace admins can manage group roles using the workspace admin settings page. Group managers that are not workspace admins can manage group roles using the Accounts Access Control API.

Account admins have the group manager role at the account level, which means they have the group manager role on all groups in the account. Workspace admins have the group manager role on account groups that they create.

Manage account groups using the account console

Account admins can add and manage groups in the SAP Databricks account using the account console. Workspace admins and group managers can manage groups using the workspace settings page and Databricks APIs.

Add groups to your account using the account console

To add a group to the account using the account console, do the following:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. On the Groups tab, click Add group.
  4. Enter a name for the group.
  5. Click Confirm.
  6. When prompted, add users, service principals, and groups to the group.

Add members to a group using the account console

To keep external groups in sync with your IdP, you cannot manage membership of external groups in the account console by default. To add users, service principals, and groups to a group using the account console, do the following:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. On the Groups tab, select the group you want to update.
  4. Click Add members.
  5. Search for the user, group, or service principal you want to add and select it.
  6. Click Add.

There is a delay of a few minutes between updating a group from an account and the group being updated in workspaces.

Change the name of a group

To keep external groups in sync with your IdP, you cannot update the name of an external group in the account console by default. Account admins can update the name of account groups using the account console:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. On the Groups tab, select the group you want to update.
  4. Click Group information.
  5. Under Name, update the name.
  6. Click Save.

Group managers cannot change the name of a group using the account console.

Assign a group to a workspace using the account console

To add groups to a workspace using the account console:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click Workspaces.
  3. Click your workspace name.
  4. On the Permissions tab, click Add permissions.
  5. Search for and select the group, assign the permission level (workspace User or Admin), and then click Save.

Remove a group from a workspace using the account console

When an account group is removed from a workspace, group members can no longer access the workspace; however, permissions are maintained on the group. If the group is later added back to a workspace, the group regains its previous permissions.

To remove groups from a workspace using the account console:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click Workspaces.
  3. Click your workspace name.
  4. On the Permissions tab, find the group.
  5. Click the kebab menu at the far right of the group row and select Remove.
  6. On the confirmation dialog, click Remove.

Remove groups from your SAP Databricks account

If you remove a group using the account console, you must ensure that you also remove the group using your SAP Cloud Identity Services, Identity Provisioning. If you don't, SCIM provisioning will simply add the group and its members back the next time it syncs.

important

When you remove a group, all users in that group are deleted from the account and lose access to any workspaces they had access to (unless they are members of another group or have been directly granted access to the account or any workspaces). Databricks recommends that you refrain from deleting account-level groups unless you want them to lose access to all workspaces in the account.

To remove a group using the account console, do the following:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. On the Groups tab, find the group you want to remove.
  4. Click the kebab menu at the far right of the user row and select Delete.
  5. In the confirmation dialog box, click Confirm delete.

Assign a metastore admin

Metastore admin is a highly privileged role that you should distribute carefully. It is optional.

Account admins can assign the metastore admin role. Databricks recommends nominating a group as the metastore admin. By doing this, any member of the group is automatically a metastore admin.

To assign the metastore admin role to a group:

  1. As an account admin, log in to the account console.
  2. Click Catalog.
  3. Click the name of a metastore to open its properties.
  4. Under Metastore Admin, click Edit.
  5. Select a group from the drop-down. You can enter text in the field to search for options.
  6. Click Save.
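
Because every member of the nominated group becomes a metastore admin, and groups can contain other groups, the set of principals holding the role can be wider than the group's direct member list. The following added example (not part of the SAP Databricks documentation) expands nested membership offline. The group records are constructed sample data in SCIM Group shape, and the `$ref` prefixes `Users/`, `ServicePrincipals/` and `Groups/` are an assumption about how your export identifies member types.

```python
# Added example: constructed SCIM-style group records, not real account data.
# Assumption: each member's "$ref" starts with "Users/", "ServicePrincipals/"
# or "Groups/"; adjust the check below if your export marks types differently.
GROUPS = [
    {"id": "g1", "displayName": "metastore-admins", "members": [
        {"value": "u1", "display": "alice@example.com", "$ref": "Users/u1"},
        {"value": "g2", "display": "data-platform", "$ref": "Groups/g2"}]},
    {"id": "g2", "displayName": "data-platform", "members": [
        {"value": "u2", "display": "bob@example.com", "$ref": "Users/u2"},
        {"value": "sp1", "display": "etl-runner", "$ref": "ServicePrincipals/sp1"},
        {"value": "g3", "display": "contractors", "$ref": "Groups/g3"}]},
    {"id": "g3", "displayName": "contractors", "members": [
        {"value": "u3", "display": "carol@example.com", "$ref": "Users/u3"},
        # Constructed back-reference to exercise the cycle guard below.
        {"value": "g2", "display": "data-platform", "$ref": "Groups/g2"}]},
]


def effective_members(groups, root_name):
    """Map each user/service principal to the group path that grants membership."""
    by_id = {g["id"]: g for g in groups}
    root = next(g for g in groups if g["displayName"] == root_name)
    result, seen = {}, set()
    stack = [(root["id"], [root["displayName"]])]
    while stack:
        gid, path = stack.pop()
        if gid in seen:  # already expanded: guards against repeated or cyclic nesting
            continue
        seen.add(gid)
        for m in by_id[gid].get("members", []):
            if m["$ref"].split("/", 1)[0] == "Groups":
                if m["value"] in by_id:  # skip groups missing from the export
                    stack.append((m["value"], path + [m["display"]]))
            else:
                # The root is expanded first, so direct members keep a one-element path.
                result.setdefault(m["display"], path)
    return result


def indirect_members(groups, root_name):
    """Principals that hold the role only through a nested group."""
    found = effective_members(groups, root_name)
    return sorted(name for name, path in found.items() if len(path) > 1)


if __name__ == "__main__":
    for name, path in sorted(effective_members(GROUPS, "metastore-admins").items()):
        print(f"{name:20} via {' > '.join(path)}")
```

Reviewing the output of `indirect_members` before saving the metastore admin assignment shows which principals would receive the role without appearing on the group's Members tab.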

Manage account groups using the workspace admin settings page

Workspace admins can create and manage account groups in identity-federated workspaces using the workspace admin settings page.

note

There is a delay of a few minutes between updating an account group from a workspace and the group being updated in the account.

Create or assign a group to a workspace using the workspace admin settings page

To assign or create an account group in a workspace using the workspace admin settings page, do the following:

  1. As a workspace admin, log in to the SAP Databricks workspace.
  2. Click your username in the top bar of the SAP Databricks workspace and select Settings.
  3. Click on the Identity and access tab.
  4. Next to Groups, click Manage.
  5. Click Add Group.
  6. Select an existing group to assign to the workspace or click Add new to create a new account group.

Add members to a group using the workspace admin settings page

You must be a workspace admin to add users, service principals, and groups to an account group using the workspace admin settings page. You can only manage members of a group that you have the group manager role on. To keep external groups in sync with SAP Cloud Identity Services, you cannot manage membership of external groups in the workspace admin settings page by default.

note

You cannot add a child group to the admins group. You cannot add system groups as members of account groups.

  1. As a workspace admin, log in to the SAP Databricks workspace.
  2. Click your username in the top bar of the SAP Databricks workspace and select Settings.
  3. Click on the Identity and access tab.
  4. Next to Groups, click Manage.
  5. Select the group you want to update. You must have the group manager role on the group to update it.
  6. On the Members tab, click Add members.
  7. On the dialog, browse or search for the users, service principals, and groups you want to add and select them.
  8. Click Confirm.

View parent groups

  1. As a workspace admin, log in to the SAP Databricks workspace.
  2. Click your username in the top bar of the SAP Databricks workspace and select Settings.
  3. Click on the Identity and access tab.
  4. Next to Groups, click Manage.
  5. Select the group you want to view.
  6. On the Parent group tab, view the parent groups for your group.

Remove a group from a workspace using the workspace admin settings page

Removing a group from a workspace does not delete the group in the account. When a group is removed from a workspace, group members can no longer access the workspace; however, permissions are maintained on the group. If the group is later added back to the workspace, the group regains its previous permissions.

  1. As a workspace admin, log in to the SAP Databricks workspace.
  2. Click your username in the top bar of the SAP Databricks workspace and select Settings.
  3. Click on the Identity and access tab.
  4. Next to Groups, click Manage.
  5. Select the group and click Remove