Authentication and access control
This article introduces authentication and access control in SAP Databricks. For information about securing access to your data, see Data governance with Unity Catalog.
Sign in to SAP Databricks
Users sign in to SAP Databricks using single sign-on (SSO) through SAP Cloud Identity Services, Identity Authentication. SSO is configured by default in your SAP Databricks account.
Sync users and groups from SAP Cloud Identity Services
You can sync users and groups automatically from SAP Cloud Identity Services to your SAP Databricks account using SCIM. For more information, see the SAP Cloud Identity Services, Identity Provisioning documentation.
Secure API authentication with OAuth
SAP Databricks OAuth provides secure credentials for access to resources and operations at the SAP Databricks workspace level, with fine-grained permissions for authorization.
For more information on authenticating to SAP Databricks, see Authentication Using OAuth 2.0.
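As an added example (not code from the SAP Databricks documentation), the following Python client obtains a short-lived OAuth access token for a service principal with the client credentials grant, caches it, and refreshes it shortly before expiry so workspace REST calls never carry a stale token. It assumes the token endpoint follows the Databricks OAuth machine-to-machine convention (`<workspace-url>/oidc/v1/token`, scope `all-apis`); the transport and clock are injectable so the flow can be exercised offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption (not stated on this page): the workspace token endpoint follows the
# Databricks OAuth M2M convention and accepts the client_credentials grant.
TOKEN_PATH = "/oidc/v1/token"
SCOPE = "all-apis"
EXPIRY_SKEW_SECONDS = 60  # refresh early so an in-flight call never uses a stale token


def _default_post(url, headers, body):
    """Real transport: POST a form-encoded body and return (status, response_text)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


class OAuthTokenSource:
    """Obtains and caches a short-lived OAuth access token for a service principal."""

    def __init__(self, workspace_url, client_id, client_secret,
                 post=_default_post, now=time.time):
        self.token_url = workspace_url.rstrip("/") + TOKEN_PATH
        self.client_id = client_id
        self.client_secret = client_secret
        self._post = post   # injectable transport so the flow can run offline
        self._now = now     # injectable clock for deterministic expiry handling
        self._token = None
        self._expires_at = 0.0

    def access_token(self):
        if self._token is None or self._now() >= self._expires_at - EXPIRY_SKEW_SECONDS:
            self._refresh()
        return self._token

    def _refresh(self):
        # Client credentials travel in the HTTP Basic header, never in the URL or logs.
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE})
        status, text = self._post(self.token_url, headers, body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        payload = json.loads(text)
        if payload.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type in token response")
        self._token = payload["access_token"]
        self._expires_at = self._now() + int(payload["expires_in"])

    def auth_header(self):
        """Header to attach to workspace REST calls made on behalf of the service principal."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```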
Access control overview
In SAP Databricks, there are different access control systems for different securable objects. The table below shows which access control system governs which type of securable object.

| Securable object | Access control system |
|---|---|
| Workspace-level securable objects | Access control lists |
| Account-level securable objects | Account role-based access control |
| Data securable objects | Unity Catalog |
SAP Databricks also provides admin roles and entitlements that are assigned directly to users, service principals, and groups.
Access control lists
In SAP Databricks, you can use access control lists (ACLs) to configure permission to access workspace objects such as notebooks and SQL warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. For more information on access control lists, see Access control lists.
Account role-based access control
You can use account role-based access control to configure permission to use account-level objects such as service principals and groups. Account roles are defined once, in your account, and apply across all workspaces. All account admin users can manage account roles, as can users who have been given delegated permissions to manage them, such as group managers and service principal managers.