Enable cluster access control for your workspace
By default, all users can create and modify clusters unless an administrator enables cluster access control. With cluster access control, permissions determine a user’s abilities. This article describes how to enable cluster access control, configure cluster creation permission, and prevent users from seeing clusters they don’t have access to.
For information about assigning permissions and configuring cluster access control, see Cluster access control.
Requirements
This feature requires the Premium Plan.
Enable cluster access control
- Go to the Admin Console.
- Click the Workspace Settings tab.
- Click the Cluster Access Control toggle.
- Click Confirm.
Prevent users from seeing clusters they do not have access to
Note
Cluster visibility control is enabled by default for workspaces created after the release of Azure Databricks platform version 3.34 (released in December 2020). If your workspace was created earlier, an admin must enable the feature.
Cluster access control by itself does not prevent users from seeing clusters displayed in the Azure Databricks UI even when the users have no permissions on those clusters. To prevent these clusters from being visible to a user:
- Go to the admin console.
- Click the Workspace Settings tab.
- Click the Cluster Visibility Control toggle.
- Click Confirm.
Configure cluster creation entitlement
You can assign the Allow cluster creation entitlement to individual users or to groups.
To assign to an individual user:
Go to the Admin Console.
Go to the Users tab.
Select the Allow unrestricted cluster creation checkbox in the user’s row.
Click Confirm to confirm the change.
To assign to a group:
- Go to the Admin Console.
- Go to the Groups tab.
- Select the group you want to update.
- On the Entitlements tab, select Allow unrestricted cluster creation.
Example: using cluster-level permissions to enforce cluster configurations
One benefit of cluster access control is the ability to enforce cluster configurations so that users cannot change them.
For example, configurations that admins might want to enforce include:
- Tags to charge back costs
- Azure AD credential passthrough to Azure Data Lake Storage to control access to data
- Standard libraries
Azure Databricks recommends the following workflow for organizations that need to lock down cluster configurations:
Disable Allow unrestricted cluster creation for all users.
After you create all of the cluster configurations that you want your users to use, give the users who need access to a given cluster Can Restart permission. This allows a user to freely start and stop the cluster without having to set up all of the configurations manually.
Terraform integration
You can manage permissions in a fully automated setup using Databricks Terraform provider and databricks_permissions:
resource "databricks_group" "auto" {
display_name = "Automation"
}
resource "databricks_group" "eng" {
display_name = "Engineering"
}
resource "databricks_group" "ds" {
display_name = "Data Science"
}
data "databricks_spark_version" "latest" {}
data "databricks_node_type" "smallest" {
local_disk = true
}
resource "databricks_cluster" "shared_autoscaling" {
cluster_name = "Shared Autoscaling"
spark_version = data.databricks_spark_version.latest.id
node_type_id = data.databricks_node_type.smallest.id
autotermination_minutes = 60
autoscale {
min_workers = 1
max_workers = 10
}
}
resource "databricks_permissions" "cluster_usage" {
cluster_id = databricks_cluster.shared_autoscaling.cluster_id
access_control {
group_name = databricks_group.auto.display_name
permission_level = "CAN_ATTACH_TO"
}
access_control {
group_name = databricks_group.eng.display_name
permission_level = "CAN_RESTART"
}
access_control {
group_name = databricks_group.ds.display_name
permission_level = "CAN_MANAGE"
}
}
Feedback
Submit and view feedback for