Query regarding Azure Databricks

Azuretech 90 Reputation points
2023-03-29T14:38:58.1833333+00:00

I am new to Databricks. I have a few queries. If we have multiple subscriptions in a tenant, we are allowed to create only one metastore per region,

and then we assign workspaces to this metastore.

1 - How can we make this secure if multiple workspaces from different subscriptions are going to be assigned to the same metastore?

2 - If a person has account admin access in the metastore, can that user update/view other workspaces? This is kind of scary, so I wanted to know what best security measures we can take as a metastore admin.

3 - Once we assign workspaces to the metastore, can the workspace user (admin of Databricks but not account admin) do the operations? In what case is account admin access required once the metastore is assigned to a workspace?

4 - What level of minimum access/permission do we need to give to the user who wants their workspace to be assigned to the metastore, e.g. in the storage account or in Databricks?

Azure Databricks: An Apache Spark-based analytics platform optimized for Azure.
Azure Data Catalog: An Azure service that serves as a system of registration and system of discovery for enterprise data assets.

1 answer

  1. PRADEEPCHEEKATLA-MSFT 88,301 Reputation points Microsoft Employee
    2023-03-30T08:19:27.81+00:00


    Azuretech
    - Thanks for the question and using MS Q&A platform.

    1. To make it secure, you can use Azure role-based access control (Azure RBAC) to control access to the metastore and workspaces. You can assign roles to users, groups, or service principals in your managing tenant. You can also use Azure AD security groups to manage access to workspaces. This approach has the following benefits: team or project leaders can manage user access to workspace as security group owners, without needing Owner role on the workspace resource directly. You can organize, manage and revoke users' permissions on workspace and other resources as a group, without having to manage permissions on a user-by-user basis.
    2. If a person has account admin access in metastore, they can view and update all workspaces assigned to that metastore. To ensure security, you can limit the number of people who have account admin access to the metastore. You can also use Azure RBAC to assign roles to users, groups, or service principals in your managing tenant. You can assign roles such as Azure Databricks Contributor, Reader, or Owner to users, groups, or service principals to control access to workspaces.
    3. Once workspaces are assigned to the metastore, workspace users who are not account admins can perform operations on their workspaces. Account admin access is required only for managing the metastore itself, such as creating or deleting it.
    4. The minimum access/permission required for a user who wants their workspace to be assigned to the metastore is Contributor role in the workspace. This role allows the user to create and manage resources in the workspace, including assigning the workspace to a metastore.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
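The answer above recommends granting workspace access through Azure AD security groups via Azure RBAC and keeping the set of highly privileged principals small. The following is an added example (not code from the original thread or from Microsoft) of how a metastore admin could audit that advice across the workspaces attached to a shared metastore. It takes the JSON that `az role assignment list --scope <workspace-resource-id> --include-inherited --output json` produces for each workspace and flags assignments that go directly to a user rather than a group, and Owner assignments held by anything other than an allow-listed break-glass group. The sample assignments, the workspace and subscription IDs, and the `sg-*` group names are constructed for this example; the policy rules themselves (groups only, Owner restricted) are assumptions that a team would tune to its own standards.

```python
"""Audit Azure RBAC role assignments on Azure Databricks workspace resources.

Input is the JSON emitted by
  az role assignment list --scope <workspace-resource-id> --include-inherited --output json
The SAMPLE_ASSIGNMENTS below are constructed for this example, not real data.
"""
import json
import re
from dataclasses import dataclass

# Resource-ID shape of an Azure Databricks workspace (case-insensitive match).
WORKSPACE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Databricks/workspaces/(?P<ws>[^/]+)$",
    re.IGNORECASE,
)

# Assumption for this example: the only group allowed to hold Owner on a workspace.
ALLOWED_OWNER_GROUPS = {"sg-databricks-platform-admins"}


@dataclass(frozen=True)
class Finding:
    workspace: str
    principal: str
    role: str
    reason: str


def parse_workspace_scope(scope):
    """Return the workspace name if `scope` is a Databricks workspace resource ID."""
    m = WORKSPACE_ID_RE.match(scope)
    return m.group("ws") if m else None


def audit_assignments(assignments, workspace_scope):
    """Check one workspace's role assignments against the group-only / Owner policy."""
    ws = parse_workspace_scope(workspace_scope) or workspace_scope
    findings = []
    for a in assignments:
        ptype = a.get("principalType", "")
        name = a.get("principalName") or a.get("principalId", "?")
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        # Assignments made on the subscription or resource group are inherited by
        # the workspace; call that out so the admin knows where to remove them.
        inherited = scope.lower() != workspace_scope.lower()
        where = f"inherited from {scope}" if inherited else "on workspace"
        if ptype == "User":
            findings.append(Finding(ws, name, role,
                                    f"direct user assignment ({where}); assign via a security group"))
        if role == "Owner" and not (ptype == "Group" and name in ALLOWED_OWNER_GROUPS):
            findings.append(Finding(ws, name, role,
                                    f"Owner outside the break-glass group list ({where})"))
    return findings


def audit_file(path, workspace_scope):
    """Convenience wrapper: audit a saved `az role assignment list` JSON file."""
    with open(path, encoding="utf-8") as fh:
        return audit_assignments(json.load(fh), workspace_scope)


# Constructed sample: one workspace in subscription 1111..., five assignments.
SAMPLE_SCOPE = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-data"
                "/providers/Microsoft.Databricks/workspaces/dbw-analytics-prod")
SAMPLE_ASSIGNMENTS = [
    {"principalName": "sg-databricks-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SAMPLE_SCOPE},
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SAMPLE_SCOPE},
    {"principalName": "sg-data-engineering", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SAMPLE_SCOPE},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "sp-adf-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SAMPLE_SCOPE},
]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SCOPE):
        print(f"[{f.workspace}] {f.principal} ({f.role}): {f.reason}")
```

Run the script against each workspace attached to the metastore (one `az role assignment list` export per workspace, across every subscription) and review the findings; the inherited Owner held by a user at subscription scope is the kind of grant that is easy to miss when looking only at the workspace resource.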

