Manage users, service principals, and groups

This article introduces the SAP Databricks identity management model and provides an overview of how to manage users, groups, and service principals in SAP Databricks.

For an opinionated perspective on how to best configure identity in SAP Databricks, see _.

SAP Databricks identities

There are three types of SAP Databricks identity:

  • Users: User identities recognized by SAP Databricks and represented by email addresses.
  • Groups: A collection of identities used by admins to manage group access to workspaces, data, and other securable objects. All Databricks identities can be assigned as members of groups.
  • Service principals: Identities for use with jobs, automated tools, and systems such as scripts, apps, and CI/CD platforms.

An SAP Databricks account can have a maximum of 10,000 combined users and service principals, along with up to 5,000 groups. Each workspace can also have a maximum of 10,000 combined users and service principals as members, along with up to 5,000 groups.

Who can manage identities in SAP Databricks?

To manage identities in SAP Databricks, you must have one of the following: the account admin role, the workspace admin role, or the manager role on a service principal or group.

  • Account admins can add users, service principals, and groups to the account and assign them admin roles. Account admins can update and delete users, service principals, and groups in the account. They can also give users access to workspaces.
  • Workspace admins can add users, groups, and service principals to the SAP Databricks account. Workspace admins can grant users, service principals, and groups access to their workspaces. They cannot delete users and service principals from the account.
  • Group managers can manage group membership and delete the group. They can also assign other users the group manager role. Account admins have the group manager role on all groups in the account. Workspace admins have the group manager role on account groups that they create.
  • Service principal managers can manage roles on a service principal. Account admins have the service principal manager role on all service principals in the account. Workspace admins have the service principal manager role on service principals that they create.

Assigning admin roles

Account admins can assign other users as account admins.

Both account admins and workspace admins can assign other users as workspace admins. The workspace admin role is determined by membership in the workspace admins group, which is a default group in SAP Databricks and cannot be deleted.