Postgres roles

Important

Lakebase Provisioned is the original Lakebase offering that uses provisioned compute you scale manually. For supported regions, see Region availability. For the latest version of Lakebase, with autoscaling compute, scale-to-zero, branching, and instant restore, see Lakebase Autoscaling.

New Lakebase instances will be created as Autoscaling projects. Rollout starts March 12, 2026. For details, see Autoscaling by default.

This page explains the Postgres roles that you can use to govern access to an Azure Databricks Lakebase database instance, including their privileges, purpose, and configuration.

Pre-created roles

After a database instance is created, Azure Databricks automatically creates a Postgres role for the user who created the instance.

<instance_owner_role>
  • Description: The Azure Databricks identity of the instance creator (for example, myuser@databricks.com). This role can log in and administer the instance.
  • Inherited privileges: Member of databricks_superuser

databricks_superuser
  • Description: An internal administrative role used to configure and manage access across the instance. This role is granted broad privileges and should not be used by automated applications.
  • Inherited privileges: Inherits from pg_read_all_data, pg_write_all_data, and pg_monitor

Role capabilities

databricks_superuser
  • LOGIN: NOLOGIN (the role cannot be used to connect directly; it is granted to other roles)
  • Other privileges: All privileges (with grant option) on all databases, schemas, tables, and sequences; EXECUTE on pg_stat_statements_reset()

<instance_owner_role>
  • LOGIN: can log in
  • Other privileges: Owner of the default databricks_postgres database

System roles created by Azure Databricks

In addition to databricks_superuser and the instance owner role, Azure Databricks creates system roles required for internal services. These roles are assigned the minimum privileges required for their function. Modifying or dropping them can break instance behavior.

Role Purpose
databricks_control_plane Used by internal Databricks components for management operations
databricks_monitor Used by internal metrics collection services
databricks_writer_<dbid> Per-database role used to create and manage synced tables
databricks_reader_<dbid> Per-database role used to read tables registered in Unity Catalog
databricks_gateway Used for internal connections for managed data serving services

To learn how roles, privileges, and role memberships work in Postgres, see the Postgres documentation on database roles, role membership, and privileges.

Create Postgres roles for Azure Databricks identities

A Postgres role for the database instance owner's Azure Databricks identity is created automatically. To allow other Azure Databricks identities to log in, create additional roles using the UI or PostgreSQL queries.

Note

Role management actions are governed by the permissions granted on the database instance. Ensure you have the appropriate level of access before attempting to manage roles.

UI

Users with CAN USE permission can view existing roles or add a role for their own identity. Users with CAN MANAGE can create roles for other Azure Databricks identities and drop any role.

  1. Click Apps in the top right corner and select Lakebase Postgres.
  2. Click Provisioned to open the Provisioned instances page.
  3. Select your database instance.
  4. Select the Roles page in the Lakebase App sidebar.
  5. Click Add role.
  6. From the Principal drop-down menu, select a user, group, or service principal.
  7. (Optional) Select System Roles to grant databricks_superuser (read and write access to all data).
  8. (Optional) Select System Attributes to grant CREATEDB, CREATEROLE, or BYPASSRLS.
  9. Click Add.

PostgreSQL

Requirements:

  • You must have the CREATE privilege on the database and the CREATEROLE attribute.
  • You must authenticate as an Azure Databricks identity. Sessions authenticated with native Postgres credentials cannot create Azure Databricks roles.
  • Your authentication token must be valid (unexpired).

Use the databricks_create_role function from the databricks_auth extension:

CREATE EXTENSION IF NOT EXISTS databricks_auth;
-- Databricks user
SELECT databricks_create_role('myuser@databricks.com', 'USER');

-- Service principal (use application ID)
SELECT databricks_create_role('8c01cfb1-62c9-4a09-88a8-e195f4b01b08', 'SERVICE_PRINCIPAL');

-- Group
SELECT databricks_create_role('My Group 123', 'GROUP');

New roles have only the privileges granted to PUBLIC. Use standard Postgres GRANT and REVOKE commands to add or remove privileges.
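The following is an added example, not code from the Databricks documentation, showing a least-privilege pattern for a freshly created identity role: privileges go on a plain NOLOGIN group role, identities are granted membership, and the result is verified from the catalog. The schema app, the table app.orders, the group role app_readers, and the assumption that the Postgres role created for a service principal is named after its application ID are placeholders and assumptions of this example.

```sql
-- Added example (not from the Databricks documentation). Assumed names:
-- schema "app", table "app.orders", group role "app_readers", and a
-- service principal role named after its application ID.

-- 1. Create the identity role (requires the databricks_auth extension).
CREATE EXTENSION IF NOT EXISTS databricks_auth;
SELECT databricks_create_role('8c01cfb1-62c9-4a09-88a8-e195f4b01b08', 'SERVICE_PRINCIPAL');

-- 2. Tighten what PUBLIC (and therefore every new role) can do by default:
--    connect to the database, and (before Postgres 15) create in schema public.
REVOKE ALL ON DATABASE databricks_postgres FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Attach privileges to a NOLOGIN group role rather than to the identity.
CREATE ROLE app_readers NOLOGIN;
GRANT CONNECT ON DATABASE databricks_postgres TO app_readers;
GRANT USAGE ON SCHEMA app TO app_readers;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_readers;
-- Tables created later in "app" by the role running this statement
-- receive the same SELECT grant automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO app_readers;

-- 4. Grant membership to the identity (role names containing "@" or "-"
--    must be double-quoted).
GRANT app_readers TO "8c01cfb1-62c9-4a09-88a8-e195f4b01b08";

-- 5. Verify effective privileges: expect can_read = true, can_write = false.
SELECT has_table_privilege('8c01cfb1-62c9-4a09-88a8-e195f4b01b08', 'app.orders', 'SELECT') AS can_read,
       has_table_privilege('8c01cfb1-62c9-4a09-88a8-e195f4b01b08', 'app.orders', 'INSERT') AS can_write;

-- 6. Audit role attributes and memberships; anything with rolcreaterole,
--    rolbypassrls, or membership in databricks_superuser deserves a second look.
SELECT r.rolname, r.rolcanlogin, r.rolcreatedb, r.rolcreaterole, r.rolbypassrls,
       ARRAY(SELECT g.rolname
             FROM pg_auth_members m
             JOIN pg_roles g ON g.oid = m.roleid
             WHERE m.member = r.oid) AS member_of
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'
ORDER BY r.rolname;
```

Run steps 2 and 3 as the instance owner (or another member of databricks_superuser). Keeping grants on group roles means an identity can be rotated or dropped without rewriting object-level privileges, and the catalog query in step 6 is the check to run after any role change.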

View Azure Databricks identity roles

UI

You can see which users, groups, and service principals have a corresponding Postgres role on the Roles page.

  1. Click Apps in the top right corner and select Lakebase Postgres.
  2. Click Provisioned to open the Provisioned instances page.
  3. Select your database instance.
  4. Select the Roles page in the Lakebase App sidebar.

PostgreSQL

Use the databricks_list_roles function from the databricks_auth extension to list all Azure Databricks identity roles: the users, service principals, and groups that have been added to authenticate as Postgres roles.

CREATE EXTENSION IF NOT EXISTS databricks_auth;
SELECT * FROM databricks_list_roles;

Drop a Postgres role

UI

  1. Click Apps in the top right corner and select Lakebase Postgres.
  2. Click Provisioned to open the Provisioned instances page.
  3. Select your database instance.
  4. Select the Roles page in the Lakebase App sidebar.
  5. For the role you want to drop, click the kebab menu and click Drop.
  6. (Optional) Turn on Reassign owned objects to reassign owned objects before dropping.
  7. Click Confirm.

PostgreSQL

Drop an Azure Databricks identity-based role the same way as any Postgres role. DROP ROLE fails while the role still owns objects or holds privileges in any database, so reassign or drop those first; it also does not terminate the role's open sessions. See the PostgreSQL documentation on dropping roles.
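The following is an added example, not code from the Databricks documentation, showing the SQL equivalent of the UI's "Reassign owned objects" option together with the checks a practitioner runs before dropping a role. The identity someuser@example.com, the successor role data_platform, and the group role app_readers are placeholders assumed by this example.

```sql
-- Added example (not from the Databricks documentation). Assumed names:
-- identity role "someuser@example.com", successor role "data_platform".

-- 1. Find what would block DROP ROLE: objects the role owns in this database ...
SELECT n.nspname AS schema_name, c.relname AS object_name, c.relkind
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relowner = (SELECT oid FROM pg_roles WHERE rolname = 'someuser@example.com')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');

-- ... and open sessions, which DROP ROLE leaves running until they disconnect.
SELECT pid, datname, application_name, backend_start
FROM pg_stat_activity
WHERE usename = 'someuser@example.com';

-- 2. Hand ownership to a successor role. REASSIGN OWNED and DROP OWNED act on
--    the current database only; repeat in every database the role touched.
REASSIGN OWNED BY "someuser@example.com" TO data_platform;
-- Remove the privileges and default-privilege entries REASSIGN OWNED leaves behind.
DROP OWNED BY "someuser@example.com";

-- 3. Cut active sessions so the role cannot keep working after it is dropped.
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'someuser@example.com';

-- 4. Drop the role. Memberships (for example in app_readers) are removed
--    automatically; object ownership and privileges were handled above.
DROP ROLE "someuser@example.com";

-- 5. Confirm it is gone from both the Postgres catalog and the identity list.
SELECT rolname FROM pg_roles WHERE rolname = 'someuser@example.com';
SELECT * FROM databricks_list_roles;
```

Do not run this against databricks_superuser or the databricks_* system roles; the instance depends on them. If the dropped identity's Databricks access token is still valid, the token alone no longer grants a session once the Postgres role is gone, but step 3 is what ends sessions that were already open.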