Default workspace permissions

This article describes the workspace permissions granted by default when a new workspace is created. In a new workspace, your default permissions depend on whether you’re a workspace admin or a non-admin user. For more information about users and groups, see Manage users, service principals, and groups.

Audit logs record all changes made to user permissions. The logs show the permission changed and the user who initiated the change. Default permissions are set by Azure Databricks and are shown as initiated by System-User.
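As an added example (not Azure Databricks code), the sketch below triages exported audit records by initiator, separating the System-User default grants described above from permission changes made by a person. The JSON field names, the `Acl` action-name suffix and the sample records are assumptions constructed for illustration; map them to your actual audit log schema.

```python
import json

SYSTEM_INITIATOR = "System-User"  # initiator the article names for default grants

# Constructed sample records (one JSON object per line); field names are assumptions.
SAMPLE_LOG = """\
{"actionName": "changeWorkspaceAcl", "userIdentity": {"email": "System-User"}, "requestParams": {"target": "users", "resource": "/Shared", "permission": "CAN_MANAGE"}}
{"actionName": "changeWorkspaceAcl", "userIdentity": {"email": "System-User"}, "requestParams": {"target": "admins", "resource": "/", "permission": "CAN_MANAGE"}}
{"actionName": "changeWorkspaceAcl", "userIdentity": {"email": "admin@example.com"}, "requestParams": {"target": "users", "resource": "/Shared", "permission": "CAN_READ"}}
{"actionName": "changeClusterAcl", "userIdentity": {"email": "admin@example.com"}, "requestParams": {"target": "analyst@example.com", "resource": "cluster-1", "permission": "CAN_MANAGE"}}
{"actionName": "login", "userIdentity": {"email": "analyst@example.com"}, "requestParams": {}}
not-json
{"actionName": "changeJobAcl", "requestParams": {"target": "users", "resource": "job-7", "permission": "CAN_MANAGE"}}
"""

def is_permission_change(record):
    # Assumption: permission-change events carry an action name ending in "Acl".
    return str(record.get("actionName", "")).endswith("Acl")

def triage(log_text):
    """Split permission changes into system defaults and manual changes."""
    defaults, manual, skipped = [], [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count unparseable lines so gaps in the export are visible
            continue
        if not isinstance(record, dict) or not is_permission_change(record):
            continue
        initiator = (record.get("userIdentity") or {}).get("email")
        # Exact match only: a record with no initiator is reviewed as manual.
        (defaults if initiator == SYSTEM_INITIATOR else manual).append(record)
    return defaults, manual, skipped

def users_group_changes(manual):
    """Manual changes targeting the users group, which every workspace user inherits."""
    return [r for r in manual if (r.get("requestParams") or {}).get("target") == "users"]

if __name__ == "__main__":
    defaults, manual, skipped = triage(SAMPLE_LOG)
    print(len(defaults), "default grants,", len(manual), "manual changes,", skipped, "skipped")
    for change in users_group_changes(manual):
        print("review:", change["actionName"], change["requestParams"])
```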

Users group

All workspace users are members of the users group. By default, the following permissions are granted to the users group. A workspace admin can modify the permissions granted to the users group.

| Resource | Permission |
| --- | --- |
| Workspace and Databricks SQL access | Access to both Databricks SQL and the Azure Databricks workspace |
| Directories | CAN MANAGE on the Shared directory |

Admins group

All workspace admins are members of the admins group. The admins group always retains its default permissions.

| Resource | Permission |
| --- | --- |
| Tokens | CAN MANAGE |
| Clusters and pools | CAN MANAGE and create all clusters and pools |
| Workspace and Databricks SQL access | Manage Databricks SQL and workspace access |
| Jobs | CAN MANAGE on all jobs |
| Unity Catalog | Default permissions on many Unity Catalog objects when Unity Catalog is enabled by default. See Workspace admin privileges when workspaces are enabled for Unity Catalog automatically. |
| Instance profiles | Use all instance profiles. Assign instance profile access to other users. |
| IAM Roles | Modify permissions on all IAM roles |
| Cluster policies | CAN USE on all IAM roles. Assign permissions. |
| Registered models | CAN MANAGE on all registered models |
| Directories | CAN MANAGE on the Workspace root directory |

Note

All individual users and service principals assigned to the workspace before the first login will get both the cluster creation entitlement and the instance pool creation entitlement.