Identity management and permissions
This page introduces the SAP Databricks identity management model and provides an overview of how to manage users, groups, and service principals in SAP Databricks.
After your SAP Databricks account is provisioned, you can provision users to SAP Databricks using SAP Cloud Identity Services, Identity Provisioning. Databricks recommends continuing to use SAP Cloud Identity Services as the single source of truth for all users across your SAP Databricks account. Additionally, account admins can directly add users who weren't synced through SCIM.
Databricks recommends organizing users into account-level groups and then assigning workspace and access-control policies to groups rather than individual users. You can also add your SCIM synchronized groups into account groups.
SAP Databricks identities
There are three types of SAP Databricks identity:
- Users: User identities recognized by SAP Databricks and represented by email addresses.
- Groups: A collection of identities used by admins to manage group access to workspaces, data, and other securable objects. All Databricks identities can be assigned as members of groups.
- Service principals: Identities for use with jobs, automated tools, and systems such as scripts, apps, and CI/CD platforms.
An SAP Databricks account can have a maximum of 10,000 combined users and service principals, along with up to 5,000 groups.
Who can manage identities in SAP Databricks?
To manage identities in SAP Databricks, you must have one of the following: the account admin role, the workspace admin role, or the manager role on a service principal or group.
- Account admins can add users, service principals, and groups to the account and assign them admin roles. Account admins can update and delete users, service principals, and groups in the account. They can also give users access to workspaces.
- Workspace admins can add users, groups, and service principals to the SAP Databricks account. Workspace admins can grant users, service principals, and groups access to their workspaces. They cannot delete users and service principals from the account.
- Group managers can manage group membership and delete the group. They can also assign other users the group manager role. Account admins have the group manager role on all groups in the account. Workspace admins have the group manager role on account groups that they create.
- Service principal managers can manage roles on a service principal. Account admins have the service principal manager role on all service principals in the account. Workspace admins have the service principal manager role on service principals that they create.
Assigning admin roles
Account admins can assign other users as account admins.
Both account admins and workspace admins can assign other users as workspace admins. The workspace admin role is determined by membership in the workspace admins group, which is a default group in SAP Databricks and cannot be deleted.
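The recommendation above is to grant workspace access to account groups rather than to individual users, and to keep the workspace admin role (membership in the workspace admins group) tightly scoped. The following audit script is an added example, not part of this page or of SAP Databricks itself. It assumes the JSON shape returned by the Databricks account-level workspace permission assignments API (an `permission_assignments` list whose entries carry a `principal` with `user_name`, `group_name` or `service_principal_name`, and a `permissions` list of `USER` or `ADMIN`); verify that shape against the API reference for your account before pointing it at real output. The sample payload is constructed for illustration.

```python
"""Audit a workspace's permission assignments for least-privilege hygiene.

Checks (derived from the guidance on this page):
  * direct-user-assignment   - a user was granted access individually rather than via a group
  * direct-user-admin        - a user holds ADMIN directly rather than via an admin group
  * service-principal-admin  - an automation identity holds the workspace admin role

Assumed input shape (assumption, not confirmed by this page): the response of
GET /api/2.0/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments
"""
import json

# Constructed sample payload; not real account data.
SAMPLE_ASSIGNMENTS = json.loads("""
{
  "permission_assignments": [
    {"principal": {"principal_id": 1, "group_name": "data-engineers"},            "permissions": ["USER"]},
    {"principal": {"principal_id": 2, "group_name": "platform-admins"},           "permissions": ["ADMIN"]},
    {"principal": {"principal_id": 3, "user_name": "alice@example.com"},          "permissions": ["USER"]},
    {"principal": {"principal_id": 4, "user_name": "bob@example.com"},            "permissions": ["ADMIN"]},
    {"principal": {"principal_id": 5, "service_principal_name": "ci-deployer"},   "permissions": ["ADMIN"]}
  ]
}
""")


def principal_kind(principal):
    """Classify a principal object as user / group / service_principal and return its name."""
    if "user_name" in principal:
        return "user", principal["user_name"]
    if "group_name" in principal:
        return "group", principal["group_name"]
    if "service_principal_name" in principal:
        return "service_principal", principal["service_principal_name"]
    return "unknown", str(principal.get("principal_id"))


def audit_assignments(payload):
    """Return findings plus a count of principals holding the workspace ADMIN role."""
    findings = []
    admin_count = 0
    for assignment in payload.get("permission_assignments", []):
        kind, name = principal_kind(assignment["principal"])
        perms = sorted(set(assignment.get("permissions", [])))
        is_admin = "ADMIN" in perms
        admin_count += is_admin

        def record(check):
            findings.append({"check": check, "kind": kind, "principal": name, "permissions": perms})

        if kind == "user":
            record("direct-user-assignment")
            if is_admin:
                record("direct-user-admin")
        elif kind == "service_principal" and is_admin:
            record("service-principal-admin")
    return {"findings": findings, "admin_count": admin_count}


if __name__ == "__main__":
    report = audit_assignments(SAMPLE_ASSIGNMENTS)
    print(f"principals with ADMIN: {report['admin_count']}")
    for f in report["findings"]:
        print(f"[{f['check']}] {f['kind']} {f['principal']} -> {f['permissions']}")
```

Run against the sample, the script flags both directly assigned users, bob's direct ADMIN grant, and the CI service principal holding the admin role; the two group assignments produce no findings, which is the state the recommendation aims for.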
Workspace object access control
In Databricks, you can use access control lists (ACLs) to configure permissions on workspace-level objects like notebooks and queries. Workspace admins have the CAN MANAGE permission on all objects in their workspace, which allows them to manage permissions on every object there. Users automatically have the CAN MANAGE permission on objects that they create.
For information on ACLs in Databricks, see Access control lists.
Data access control
In Databricks, access to data is governed by Unity Catalog, which provides centralized access control, auditing, lineage, and data discovery capabilities across your Databricks workspaces.
Each securable object in Unity Catalog has an owner who, along with admins, can manage the object's permissions. For more information, see Database objects in SAP Databricks.
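Because an owner can be a group, and account groups can contain other groups (see the note above on adding SCIM-synchronized groups to account groups), the set of people who can change a securable's permissions is the transitive membership of the owning group plus the admins. The following model is an added example, not code from this page or from Unity Catalog; it assumes a single admin group standing in for "admins" (Unity Catalog's actual admin roles are not described on this page) and uses constructed groups, owners and object names. It shows the check an owner-or-admin rule implies and expands the effective set of identities that can manage a given object.

```python
"""Model of the owner-or-admin rule for managing a securable's permissions.

Rule (from this page): the object's owner, along with admins, can manage the object's
permissions. Owners may be groups, and groups may be nested, so membership is resolved
transitively. Everything below is constructed sample data; the admin group name is an
assumption used only for this illustration.
"""

# Constructed: group -> direct members (users, service principals as "sp:<name>", or other groups).
GROUPS = {
    "analytics-owners": {"alice@example.com", "sp:reporting-job"},
    "data-platform": {"analytics-owners", "carol@example.com"},
    "metastore-admins": {"dave@example.com"},
}

# Constructed: securable full name -> owner principal (a user, a service principal, or a group).
OWNERS = {
    "main": "data-platform",
    "main.sales": "analytics-owners",
    "main.sales.orders": "bob@example.com",
}

ADMIN_GROUP = "metastore-admins"  # assumption: stands in for "admins" on this page


def member_of(principal, group, groups, _seen=None):
    """True if principal is a direct or transitive member of group (cycle-safe DFS)."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return False
    _seen.add(group)
    for member in groups.get(group, ()):
        if member == principal:
            return True
        if member in groups and member_of(principal, member, groups, _seen):
            return True
    return False


def matches_principal(principal, target, groups):
    """True if target is the principal itself, or a group the principal belongs to."""
    return principal == target or (target in groups and member_of(principal, target, groups))


def can_manage_permissions(principal, securable, owners=OWNERS, groups=GROUPS, admin_group=ADMIN_GROUP):
    """Decide whether principal may manage permissions on securable; returns (allowed, reason)."""
    if matches_principal(principal, admin_group, groups):
        return True, "admin"
    owner = owners.get(securable)
    if owner is None:
        return False, "unknown-object"
    if matches_principal(principal, owner, groups):
        return True, f"owner:{owner}"
    return False, "not-owner"


def expand_group(group, groups, _seen=None):
    """Flatten a (possibly nested) group into the set of individual identities it contains."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    identities = set()
    for member in groups.get(group, ()):
        if member in groups:
            identities |= expand_group(member, groups, _seen)
        else:
            identities.add(member)
    return identities


def effective_managers(securable, owners=OWNERS, groups=GROUPS, admin_group=ADMIN_GROUP):
    """All individual identities that can manage permissions on securable (owner closure + admins)."""
    owner = owners[securable]
    owner_set = expand_group(owner, groups) if owner in groups else {owner}
    return owner_set | expand_group(admin_group, groups)


if __name__ == "__main__":
    for obj in OWNERS:
        print(f"{obj}: owner={OWNERS[obj]} managers={sorted(effective_managers(obj))}")
```

The useful output for a reviewer is `effective_managers`: when a catalog is owned by a broad group such as `data-platform`, every member of every nested group inside it can change that catalog's permissions, which is why owning groups should be small and their membership managed as carefully as the admin roles described earlier on this page.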