Authentication and access control

This article introduces authentication and workspace object access control in Databricks. For information about securing access to your data, see Data governance guide.

For more information on how to best configure user and groups in Databricks, see Identity best practices.

Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.


Pricing tier

Single sign-on


Databricks personal access token management


Access control lists


Single sign-on

Single sign-on enables you to authenticate your users using your organization’s identity provider. Databricks recommends configuring SSO for greater security and improved usability. Once SSO is configured, you can enable multi-factor authentication via your identity provider. You must configure SSO on the account and on individual workspaces. See Set up SSO for your workspace and Set up SSO for your Databricks account console.

Secure API access

For REST API authentication, you can use built-in revocable Databricks personal access tokens. You can create personal access tokens using the web application user interface or the Tokens API.

Workspace admins can use the Token Management API to review current Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. You can use the related Permissions API to control which users can create and use tokens to access workspace REST APIs.


While Databricks strongly recommends using tokens, Databricks users on AWS can also access REST APIs using their Databricks username and password (native authentication). You grant and revoke the ability for specific users to use native authentication using password access control.

Access control lists

In Databricks, you can use access control lists (ACLs) to configure permission to access objects, such as: notebooks, experiments, models, clusters, jobs, dashboards, queries, and SQL warehouses. All admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. See Access control.