Workspace object access control

Note

Access control is available only in the Premium plan (or, for customers who subscribed to Databricks before March 3, 2020, the Operational Security package).

By default, all users can create and modify workspace objects—including folders, notebooks, experiments, and models—unless an administrator enables workspace access control. With workspace object access control, individual permissions determine a user’s abilities. This article describes the individual permissions and how to configure workspace object access control.

Before you can use workspace object access control, a Databricks admin must enable it for the workspace. See Enable workspace object access control.

Folder permissions

You can assign five permission levels to folders: No Permissions, Read, Run, Edit, and Manage. The table lists the abilities for each permission.

Ability                           No Permissions  Read  Run  Edit  Manage
List items in folder              x               x     x    x     x
View items in folder              -               x     x    x     x
Clone and export items            -               x     x    x     x
Create, import, and delete items  -               -     -    -     x
Move and rename items             -               -     -    -     x
Change permissions                -               -     -    -     x

Notebooks and experiments in a folder inherit all permissions settings of that folder. For example, a user that has Run permission on a folder has Run permission on the notebooks in that folder.

Default folder permissions

  • Independent of workspace object access control, the following permissions exist:
    • All users have Manage permission for items in the Workspace > Shared folder. You can grant Manage permission to notebooks and folders by moving them to the Shared folder.
    • All users have Manage permission for objects the user creates.
  • With workspace object access control disabled, the following permissions exist:
    • All users have Edit permission for items in the Workspace folder.
  • With workspace object access control enabled, the following permissions exist:
    • Workspace folder
      • Only administrators can create new items in the Workspace folder.
      • Existing items in the Workspace folder - Manage. For example, if the Workspace folder contained the Documents and Temp folders, all users continue to have the Manage permission for these folders.
      • New items in the Workspace folder - No Permissions.
    • A user has the same permission for all items in a folder, including items created or moved into the folder after you set the permissions, as the permission the user has on the folder.
    • User home directory - The user has Manage permission. All other users have No Permissions permission.
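
The defaults and folder inheritance described above can be modelled as a small resolver for auditing who ends up with Manage. This is an added example, not Databricks code: the `/Shared` and `/Users/<name>` path layout, the shape of `grants`, the group name `data-eng`, and the rule that the strongest of the direct and inherited grants wins are assumptions.

```python
from posixpath import dirname

# Levels from the folder and notebook tables, weakest to strongest.
LEVELS = ["No Permissions", "Read", "Run", "Edit", "Manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def effective_permission(user, path, grants, groups=(), is_admin=False, creator=None):
    """Resolve `user`'s level on `path` with workspace object access control enabled.

    grants maps object path -> {principal: level} (constructed shape, not an API response).
    Assumption: the strongest of the direct and inherited grants wins.
    """
    if is_admin or creator == user:
        return "Manage"                       # admins group, or the object's creator
    home = f"/Users/{user}"
    for root in ("/Shared", home):            # Shared folder and own home directory
        if path == root or path.startswith(root + "/"):
            return "Manage"
    principals = {user, "all users", *groups}  # every user is in "all users"
    best, node = "No Permissions", path
    while node not in ("/", ""):              # walk up: items inherit folder settings
        for principal, level in grants.get(node, {}).items():
            if principal in principals and RANK[level] > RANK[best]:
                best = level
        node = dirname(node)
    return best

def open_to_everyone(paths, grants):
    """Paths on which a user holding no personal grants still ends up with Manage."""
    probe = "probe@example.com"               # hypothetical unprivileged user
    return [p for p in paths if effective_permission(probe, p, grants) == "Manage"]

# Constructed sample workspace.
GRANTS = {
    "/Documents": {"all users": "Manage"},    # folder that existed before enabling
    "/Projects": {"data-eng": "Run"},         # group grant on a folder
    "/Projects/etl/load": {"bob@example.com": "Edit"},
}
PATHS = ["/Documents/notes", "/Projects/etl/load", "/Shared/scratch",
         "/Users/alice@example.com/draft"]

if __name__ == "__main__":
    for p in PATHS:
        print(p, "->", effective_permission("bob@example.com", p, GRANTS, groups={"data-eng"}))
    print("Manage for all users:", open_to_everyone(PATHS, GRANTS))
```

Paths returned by `open_to_everyone` are the ones to review first: items in the Shared folder and folders that predate enabling access control.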

Notebook permissions

You can assign five permission levels to notebooks: No Permissions, Read, Run, Edit, and Manage. The table lists the abilities for each permission.

Ability                             No Permissions  Read  Run  Edit  Manage
View cells                          -               x     x    x     x
Comment                             -               x     x    x     x
Run via %run or notebook workflows  -               x     x    x     x
Attach and detach notebooks         -               -     x    x     x
Run commands                        -               -     x    x     x
Edit cells                          -               -     -    x     x
Change permissions                  -               -     -    -     x

Configure notebook and folder permissions

  1. Open the permissions dialog:

    • Notebook - click Permissions in the notebook context bar.
    • Folder - select Permissions in the folder’s drop-down menu.
  2. To grant permissions to a user or group, select from the Add Users and Groups drop-down, select the permission, and click Add.

    To change the permissions of a user or group, select the new permission from the permission drop-down.
  3. Click Save Changes to save your changes or click Cancel to discard your changes.

MLflow Experiment permissions

You can assign four permission levels to MLflow Experiments: No Permissions, Read, Edit, and Manage. The table lists the abilities for each permission.

Ability                              No Permissions  Read  Edit  Manage
View run info, search, compare runs  -               x     x     x
Create runs                          -               -     x     x
Log run params, metrics, tags        -               -     x     x
Edit experiment tags                 -               -     x     x
Modify artifact_location             -               -     x     x
Purge runs and experiments           -               -     -     x
Grant permissions                    -               -     -     x

Note

  • Deleting and restoring an experiment requires Edit or Manage access to the folder containing the experiment.
  • You can specify the Run permission for experiments. It is enforced the same way as Edit.

Configure MLflow experiment permissions

  1. Open the permissions dialog. Click Permissions in the notebook context bar.
  2. Grant permissions. All users in your account belong to the group all users. Administrators belong to the group admins, which has Manage permissions on all items.

    To grant permissions to a user or group, select from the Add Users and Groups drop-down, select the permission, and click Add.

    To change the permissions of a user or group, select the new permission from the permission drop-down.
  3. Click Save Changes to save your changes or click Cancel to discard your changes.

MLflow Model permissions

You can assign four permission levels to MLflow Models registered in the MLflow Model Registry: No Permissions, Read, Edit, and Manage. The table lists the abilities for each permission.

Note

A model version inherits permissions from its parent model; you cannot set permissions for model versions.

Ability                                                                                              No Permissions  Read  Edit  Manage
Create a model                                                                                       x               x     x     x
View model and model version details                                                                 -               x     x     x
View model details, its versions, stage transition requests, activities, and artifact download URIs  -               x     x     x
Request a model version stage transition                                                             -               x     x     x
Add a version to a model                                                                             -               -     x     x
Update model and version description                                                                 -               -     x     x
Rename model                                                                                         -               -     -     x
Transition model version between stages                                                              -               -     -     x
Approve, reject, or cancel a model version stage transition request                                  -               -     -     x
Modify permissions                                                                                   -               -     -     x
Delete model and model versions                                                                      -               -     -     x

Note

The creator of a transition request can also cancel the request.

Default MLflow Model permissions

  • Independent of workspace object access control, the following permissions exist:
    • All users have permission to create a new registered model.
    • All administrators have Manage permission for all models.
  • With workspace object access control disabled, the following permissions exist:
    • All users have Manage permission for all models.
  • With workspace object access control enabled, the following default permissions exist:
    • All users have Manage permission for models the user creates.
    • Non-administrator users have No Permissions on models they did not create.

Configure MLflow Model permissions

All users in your account belong to the group all users. Administrators belong to the group admins, which has Manage permissions on all objects. This section describes how to configure MLflow Model permissions using the UI.

Preview

The ability to give a user or group permission to manage models using an API is in Private Preview. Contact Databricks for more information.

  1. Click the Models icon in the sidebar.

  2. Click a model name.

  3. Click the drop-down button at the right of the model name and select Permissions.

  4. Click the Select User or Group drop-down and select a user or group.

  5. Select a permission. To change the permissions of a user or group, select the new permission from the permission drop-down.

  6. Click Add.

  7. Click Save to save your changes or Cancel to discard your changes.

Library and jobs access control

Library: All users can view libraries. To control who can attach libraries to clusters, see Cluster access control.

Jobs: To control who can run jobs and see the results of job runs, see Jobs access control.