Authentication and access control

This article introduces authentication and access control in SAP Databricks. For information about securing access to your data, see Data governance with Unity Catalog.

Sign in to SAP Databricks

Users sign in to SAP Databricks using single sign-on (SSO) through SAP Cloud Identity Services, Identity Authentication. SSO is configured by default in your SAP Databricks account.

Sync users and groups from SAP Cloud Identity Services

You can sync users and groups automatically from SAP Cloud Identity Services to your SAP Databricks account using SCIM. For more information, see the SAP Cloud Identity Services, Identity Provisioning documentation.

Secure API authentication with OAuth

SAP Databricks OAuth provides secure credentials for access to resources and operations at the SAP Databricks workspace level, with fine-grained permissions for authorization.

For more information on authenticating to SAP Databricks, see Authentication Using OAuth 2.0.
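The following is an added example, not code from the SAP Databricks documentation, showing what a service principal's OAuth client-credentials exchange looks like and how a client should handle the result. It assumes the workspace exposes the standard Databricks token endpoint at https://<workspace-host>/oidc/v1/token and accepts grant_type=client_credentials with scope all-apis for an OAuth secret; whether SAP Databricks uses exactly this endpoint is an assumption, so check it against the OAuth 2.0 guide linked above. The network call is isolated in one function so the request-building, response-validation and token-caching logic can be exercised offline.

```python
"""Added example: acquire and cache a Databricks OAuth machine-to-machine token.

Assumptions (not stated on the page): token endpoint is /oidc/v1/token on the
workspace host, grant is client_credentials, scope is "all-apis". Only
fetch_token() touches the network; everything else is pure and testable.
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oidc/v1/token"   # assumed Databricks OAuth token endpoint
EXPIRY_MARGIN_S = 60            # refresh this many seconds before expiry


def build_token_request(workspace_host: str, client_id: str, client_secret: str) -> dict:
    """Return url, headers and body for a client_credentials request.

    The secret travels only in the Authorization header (HTTP Basic over TLS),
    never in the URL, so it cannot leak into access logs or proxies.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"})
    return {
        "url": f"https://{workspace_host}{TOKEN_PATH}",
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body.encode(),
    }


class TokenError(ValueError):
    """Raised when the token endpoint's reply is an error or malformed."""


def parse_token_response(raw: bytes, now: float) -> dict:
    """Validate a token response and compute an absolute refresh deadline."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise TokenError("token endpoint returned a non-JSON body") from exc
    if "error" in data:
        raise TokenError(f"token request failed: {data['error']}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected token_type")
    token = data.get("access_token")
    expires_in = data.get("expires_in")
    if not token or not isinstance(expires_in, int) or expires_in <= 0:
        raise TokenError("response lacks access_token or a positive expires_in")
    return {"access_token": token, "refresh_at": now + max(expires_in - EXPIRY_MARGIN_S, 0)}


class TokenCache:
    """Reuse one token until shortly before it expires; fetcher does the HTTP call."""

    def __init__(self, fetcher):
        self._fetcher = fetcher
        self._cached = None

    def get(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._cached is None or now >= self._cached["refresh_at"]:
            self._cached = parse_token_response(self._fetcher(), now)
        return self._cached["access_token"]


def fetch_token(workspace_host: str, client_id: str, client_secret: str) -> bytes:
    """Perform the real HTTP exchange (the only function that uses the network)."""
    req = build_token_request(workspace_host, client_id, client_secret)
    request = urllib.request.Request(req["url"], data=req["body"],
                                     headers=req["headers"], method="POST")
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholders: supply your workspace host and a service principal's
    # OAuth client ID and secret through the environment, never in source.
    host = os.environ["DATABRICKS_HOST"]
    cid, secret = os.environ["DATABRICKS_CLIENT_ID"], os.environ["DATABRICKS_CLIENT_SECRET"]
    cache = TokenCache(lambda: fetch_token(host, cid, secret))
    print("bearer token acquired, length", len(cache.get()))
```

The refresh margin matters operationally: a token that is technically valid for one more second will be rejected by the time the API call arrives, so clients that cache tokens should treat them as expired a little early rather than handling sporadic 401s.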

Access control overview

In SAP Databricks, there are different access control systems for different securable objects. The table below shows which access control system governs which type of securable object.

Securable object                     Access control system
Workspace-level securable objects    Access control lists
Account-level securable objects      Account role based access control
Data securable objects               Unity Catalog

SAP Databricks also provides admin roles and entitlements that are assigned directly to users, service principals, and groups.

Access control lists

In SAP Databricks, you can use access control lists (ACLs) to configure permission to access workspace objects such as notebooks and SQL warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. For more information on access control lists, see Access control lists.
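As an added example (not code from the SAP Databricks documentation), the script below audits a notebook's ACL for grants to the workspace-wide "users" group that exceed a chosen ceiling and builds the payload that would downgrade them. It assumes the Databricks Permissions REST API shape, where GET /api/2.0/permissions/{object_type}/{object_id} returns an access_control_list whose entries carry all_permissions with a permission_level and an inherited flag, and where PATCH on the same path sets only the listed principals' levels; whether SAP Databricks exposes this API identically is an assumption. The sample ACL and the notebook permission-level ordering are constructed for the example.

```python
"""Added example: find over-broad ACL grants on a workspace object and build
the least-privilege PATCH body.

Assumed (not from the page): Databricks Permissions API response shape and
PATCH semantics. SAMPLE_ACL is a constructed GET response for a notebook.
"""
import json

# Notebook permission levels, least to most privileged (assumed ordering).
NOTEBOOK_LEVELS = ["CAN_READ", "CAN_RUN", "CAN_EDIT", "CAN_MANAGE"]

# Constructed sample of GET /api/2.0/permissions/notebooks/<id>.
SAMPLE_ACL = json.loads("""
{
  "object_id": "/notebooks/1234",
  "object_type": "notebook",
  "access_control_list": [
    {"user_name": "alice@example.com",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": false}]},
    {"group_name": "users",
     "all_permissions": [{"permission_level": "CAN_EDIT", "inherited": false}]},
    {"group_name": "data-eng",
     "all_permissions": [{"permission_level": "CAN_RUN", "inherited": true,
                          "inherited_from_object": ["/directories/42"]}]}
  ]
}
""")


def principal_of(entry: dict) -> tuple:
    """Return (key, name) for an ACL entry; the API uses one of three keys."""
    for key in ("user_name", "group_name", "service_principal_name"):
        if key in entry:
            return key, entry[key]
    raise ValueError("ACL entry has no principal")


def effective_level(entry: dict, levels: list):
    """Highest level a principal holds on the object, direct or inherited."""
    held = [p["permission_level"] for p in entry.get("all_permissions", [])]
    return max(held, key=levels.index) if held else None


def find_overbroad(acl: dict, levels: list, ceiling_for_all_users: str) -> list:
    """Flag grants to the catch-all 'users' group above the allowed ceiling.

    Inherited grants are reported too, but marked: fixing them means editing
    the parent object (for a notebook, its folder), not this object.
    """
    ceiling = levels.index(ceiling_for_all_users)
    findings = []
    for entry in acl["access_control_list"]:
        key, name = principal_of(entry)
        if key != "group_name" or name != "users":
            continue
        for perm in entry.get("all_permissions", []):
            if levels.index(perm["permission_level"]) > ceiling:
                findings.append({
                    "principal": name,
                    "level": perm["permission_level"],
                    "inherited": bool(perm.get("inherited", False)),
                    "from": perm.get("inherited_from_object"),
                })
    return findings


def patch_body(findings: list, replacement_level: str) -> dict:
    """PATCH payload that lowers the direct over-broad grants to replacement_level.

    Only principals being changed are listed; PATCH (unlike PUT) leaves every
    other entry on the object untouched.
    """
    entries = [{"group_name": f["principal"], "permission_level": replacement_level}
               for f in findings if not f["inherited"]]
    return {"access_control_list": entries}


if __name__ == "__main__":
    hits = find_overbroad(SAMPLE_ACL, NOTEBOOK_LEVELS, "CAN_READ")
    for h in hits:
        print(f"{h['principal']}: {h['level']} (inherited={h['inherited']}, from={h['from']})")
    print(json.dumps(patch_body(hits, "CAN_READ"), indent=2))
```

Running the audit periodically against every notebook and SQL warehouse, rather than only at creation time, catches the common drift where a folder is shared broadly and every object beneath it silently inherits the wider grant.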

Account role based access control

You can use account role based access control to configure permission to use account-level objects such as service principals and groups. Account roles are defined once, in your account, and apply across all workspaces. All account admin users can manage account roles, as can users who have been given delegated permissions to manage them, such as group managers and service principal managers.