
Identity management and permissions

After your SAP Databricks account is provisioned, users are provisioned into it through SAP Cloud Identity Services (Identity Provisioning). Databricks recommends that you keep SAP Cloud Identity Services as the single source of truth for all users across your SAP Databricks account. Account admins can also add users directly if they were not synced through SCIM.

Databricks recommends organizing users into account-level groups and assigning workspace membership and access-control policies to those groups rather than to individual users. You can also add your SCIM-synchronized groups as members of Databricks account groups.

SAP Databricks identities

There are three types of SAP Databricks identity:

  • Users: User identities recognized by SAP Databricks and represented by email addresses.
  • Service principals: Identities for use with automated tools and systems such as scripts and CI/CD platforms.
  • Groups: Collections of identities that admins use to grant access to workspaces, data, and other securable objects as a unit. Any Databricks identity (user, service principal, or group) can be a member of a group.

An SAP Databricks account can have a maximum of 10,000 combined users and service principals, along with up to 5,000 groups. Each workspace can also have a maximum of 10,000 combined users and service principals as members, along with up to 5,000 groups.

Workspace object access control

In Databricks, you use access control lists (ACLs) to configure permissions on workspace-level objects such as notebooks and queries. Workspace admins hold the CAN MANAGE permission on every object in their workspace, so they can manage the permissions of any object in it. The user who creates an object automatically receives CAN MANAGE on that object.

For information on ACLs in Databricks, see Access control lists.

Data access control

In Databricks, access to data is governed by Unity Catalog, which provides centralized access control, auditing, lineage, and data discovery capabilities across your Databricks workspaces.

Each securable object in Unity Catalog has an owner who, along with admins, can manage the object's permissions. For more information, see Database objects in SAP Databricks.
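The following Databricks SQL statements are an added example (not part of this page or of SAP Databricks' own documentation) that puts the two recommendations above together: data access is granted through Unity Catalog, and it is granted to an account group rather than to individual users. The catalog, schema, table, and group names (`main`, `sales`, `orders`, `analysts`, `data-engineering`) are assumed placeholders; substitute your own. A principal needs USE CATALOG and USE SCHEMA on the enclosing containers before a SELECT on the table is effective, which is why the grants are issued top-down.

```sql
-- Assumed placeholder names: catalog `main`, schema `sales`, table `orders`,
-- account groups `analysts` and `data-engineering`.

-- 1. Grant the container privileges first. Without USE CATALOG and USE SCHEMA
--    a SELECT on the table alone does not let the group read it.
GRANT USE CATALOG ON CATALOG main TO `analysts`;
GRANT USE SCHEMA  ON SCHEMA  main.sales TO `analysts`;

-- 2. Grant read-only access on the table to the group, not to individual users.
GRANT SELECT ON TABLE main.sales.orders TO `analysts`;

-- 3. Hand ownership of the table to the team that maintains it. The owner
--    (together with admins) is who may manage this object's permissions.
ALTER TABLE main.sales.orders OWNER TO `data-engineering`;

-- 4. Review what is in effect. Use this to confirm that no direct grants to
--    individual users slipped in alongside the group grant.
SHOW GRANTS ON TABLE main.sales.orders;
SHOW GRANTS `analysts` ON TABLE main.sales.orders;

-- 5. Revoking is the mirror image: remove the table privilege first, then
--    the container privileges once nothing else in the schema needs them.
REVOKE SELECT ON TABLE main.sales.orders FROM `analysts`;
```

Because membership is managed in the group (synchronized from SAP Cloud Identity Services), onboarding or offboarding a user changes who holds these privileges without touching the grants themselves, and `SHOW GRANTS` gives a single place to audit who can reach the table.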