Manage access to Databricks automation

This article describes how to configure permissions for Databricks credentials. To learn how to use credentials to authenticate to Databricks, see Authentication for Databricks automation - overview.

Note

Databricks automation authentication permissions are available only in the Premium plan or above.

Personal access token permissions

Workspace admins can set permissions on personal access tokens to control which users, service principals, and groups can create and use tokens. Before you can use token access control, a Databricks workspace admin must enable personal access tokens for the workspace. See Enable or disable personal access token authentication for the workspace.

A workspace user can have one of the following token permissions:

  • NO PERMISSIONS: User cannot create or use personal access tokens to authenticate to the Databricks workspace.

  • CAN USE: User can create a personal access token and use it to authenticate to the workspace.

  • CAN MANAGE (workspace admins only): User can manage all workspace users’ personal access tokens and permission to use them. Users in the workspace admins group have this permission by default and you cannot revoke it. No other users, service principals, or groups can be granted this permission.

This table lists the permissions required for each token-related task:

| Task | NO PERMISSIONS | CAN USE | CAN MANAGE |
|---|---|---|---|
| Create a token | | x | x |
| Use a token for authentication | | x | x |
| Revoke your own token | | x | x |
| Revoke any user’s or service principal’s token | | | x |
| List all tokens | | | x |
| Modify token permissions | | | x |

Manage token permissions using the admin settings page

This section describes how to manage permissions using the workspace UI. You can also use the Permissions API or Databricks Terraform provider.

  1. Go to the settings page.

  2. Click the Advanced tab.

  3. Next to Personal Access Tokens, click the Permissions button to open the token permissions editor.

  4. Search for and select the user, service principal, or group and choose the permission to assign.

    If the users group has the CAN USE permission and you want to apply more fine-grained access for non-admin users, remove the CAN USE permission from the users group by clicking the X next to the permission drop-down menu in the users row.

  5. Click + Add.

  6. Click Save.

    Warning

    After you save your changes, any users who previously had either the CAN USE or CAN MANAGE permission and no longer have either permission are denied access to personal access token authentication and their active tokens are immediately deleted (revoked). Deleted tokens cannot be retrieved.
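Because saving a narrower permission set deletes the affected tokens immediately, it is worth comparing the current and proposed grants before you click Save or apply the change through the Permissions API. The Python below is an added example, not Databricks code: the ACL JSON shape, the underscore permission names (`CAN_USE`, `CAN_MANAGE`) and every principal name are constructed assumptions modelled on the Permissions API, and group membership is not resolved to individual users.

```python
import json

# Constructed sample: assumed shape of the token ACL returned by the Permissions API.
CURRENT_ACL = json.loads("""
{"access_control_list": [
  {"group_name": "admins", "all_permissions": [{"permission_level": "CAN_MANAGE"}]},
  {"group_name": "users", "all_permissions": [{"permission_level": "CAN_USE"}]},
  {"service_principal_name": "sp-ci-deploy", "all_permissions": [{"permission_level": "CAN_USE"}]}
]}
""")

# Constructed proposal: drop the blanket grant to `users`, keep named principals only.
PROPOSED_ACL = [
    {"group_name": "token-automation", "permission_level": "CAN_USE"},
    {"service_principal_name": "sp-ci-deploy", "permission_level": "CAN_USE"},
]

PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")
TOKEN_LEVELS = {"CAN_USE", "CAN_MANAGE"}

def principal(entry):
    """Return (kind, name) identifying the principal of one ACL entry."""
    for key in PRINCIPAL_KEYS:
        if key in entry:
            return key, entry[key]
    raise ValueError(f"ACL entry without a principal: {entry}")

def granted(entries):
    """Map principal -> permission levels, for the response shape or the request shape."""
    out = {}
    for entry in entries:
        levels = {p["permission_level"] for p in entry.get("all_permissions", [])}
        if "permission_level" in entry:
            levels.add(entry["permission_level"])
        if levels & TOKEN_LEVELS:
            out[principal(entry)] = levels
    return out

def review(current, proposed):
    """List direct grants that disappear (tokens revoked on save) and grants that are new."""
    before = granted(current["access_control_list"])
    after = granted(proposed)
    # Workspace admins keep CAN MANAGE by default; it cannot be revoked.
    after.setdefault(("group_name", "admins"), {"CAN_MANAGE"})
    return {
        "loses_access": sorted(set(before) - set(after)),
        "gains_access": sorted(set(after) - set(before)),
        "blanket_grant": ("group_name", "users") in after,  # all users may mint tokens
    }

if __name__ == "__main__":
    print(json.dumps(review(CURRENT_ACL, PROPOSED_ACL), indent=2))
```

A principal listed under `loses_access` may still hold the permission through another group, so resolve membership before treating the list as the final set of revoked tokens.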

Password permissions

When unified login is disabled, by default all workspace admin users can sign in to Databricks using either workspace-level SSO or their username and password, and all API users can authenticate to the Databricks REST APIs using their username and password.

As a workspace admin, when workspace-level SSO is enabled you can configure password access control to limit workspace admin users’ and API users’ ability to authenticate with their username and password.

Note

Password access control can only be configured when unified login is disabled. Unified login is enabled for all accounts created after June 21, 2023. If unified login is enabled on your account and you require password access control, contact your Databricks account team.

For more information on the sign-in process when unified login is enabled, see Workspace sign-in process.

There are two permission levels for passwords: NO PERMISSIONS and CAN USE. CAN USE grants more abilities to workspace admins than to non-admin users. This table lists the abilities for each permission.

| Task | NO PERMISSIONS | CAN USE |
|---|---|---|
| Can authenticate to the API using password | | x |
| Can authenticate to the Databricks UI using password | | x (Workspace admins only) |

If a non-admin user with no permissions attempts to make a REST API call using a password, authentication will fail. Databricks recommends personal access token REST authentication instead of username and password.

Workspace admin users with CAN USE permission see the Admin Log In tab on the sign-in page. They can choose to use that tab to log in to Databricks with username and password.

Workspace admins with no permissions do not see the Admin Log In tab and must log in using SSO. When workspace-level SSO is enabled, non-admin users also do not see it and must log in using SSO.

Configure password permissions

This section describes how to manage permissions using the workspace admin settings page.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Settings.

  3. Click the Advanced tab.

  4. Next to Password Usage, click Permission Settings.

  5. In the Permissions Settings dialog, assign password permission to users and groups using the drop-down menu next to the user or group. You can also configure permissions for the Admins group.

  6. Click Save.

You can also configure password permissions using the Permissions API.