Manage users

This article explains how to add, update, and remove Azure Databricks users.

For an overview of the Azure Databricks identity model, see Azure Databricks identities and roles.

To learn how to manage groups and service principals, see Manage groups and Manage service principals.

Overview of user management

To manage users in Azure Databricks, you must be either an account admin or a workspace admin.

  • Account admins can add users to the account and assign them admin roles. They can also assign users to workspaces and configure data access for them across workspaces, as long as those workspaces use identity federation.

  • Workspace admins can add users to an Azure Databricks workspace, assign them the workspace admin role, and manage access to objects and functionality in the workspace, such as the ability to create clusters or access specified persona-based environments. If a workspace does not use identity federation, account admins cannot assign users to that workspace using account-level interfaces like the account console. Workspace admins must perform this task.

    Workspace admins are members of the admins group in the workspace, which is a reserved group that cannot be deleted.

    Users with the Contributor or Owner role on the workspace resource in Azure are automatically added as workspace administrators. For more information, see Manage your subscription.

Account admins can manage all users using the following interfaces:

Workspace admins can manage users in their workspace using the following interfaces:

Add users to your Azure Databricks account

Account admins can add users to your Azure Databricks account using the account console, a provisioning connector for your IdP, or the SCIM (Account) API.

Note

A user cannot belong to more than 50 Azure Databricks accounts.

Add users to your account using the account console

  1. As an account admin, log in to the account console.
  2. Click User management.
  3. On the Users tab, click Add User.
  4. Enter a name and email address for the user.
  5. Click Send invite.

To give users access to a workspace, you must add them to the workspace. See Add users to a workspace.

Sync users to your Azure Databricks account from your Azure Active Directory (Azure AD) tenant

Account admins can sync users from your Azure Active Directory (Azure AD) tenant to your Azure Databricks account using a SCIM provisioning connector.

Important

If you already have SCIM connectors that sync identities directly to your workspaces and those workspaces are enabled for identity federation, you should disable those SCIM connectors when the account-level SCIM connector is enabled. If you have workspaces that are not using identity federation, you should continue to use any SCIM connectors you have configured for those workspaces, running in parallel with the account-level SCIM connector.

For instructions, see Provision identities to your Azure Databricks account using Azure Active Directory (Azure AD).

Add users to your account using the SCIM APIs

Account admins can add and manage users in the Azure Databricks account using the SCIM API for Accounts.

Workspace admins can also manage users using this API, but they must invoke the API using a different endpoint URL:

  • Account admins use accounts.azuredatabricks.net/api/2.0/accounts/{account_id}/scim/v2/.
  • Workspace admins use {workspace-domain}/api/2.0/account/scim/v2/.

To add a user using the SCIM APIs:

  1. Use the SCIM API 2.0 (Accounts) to determine whether the user already exists.
  2. If the user does not exist, create the user using the same API.
  3. Assign the user to a workspace using the Workspace Assignment API.
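The three-step SCIM flow above, as an added example that is not Databricks' own code: it looks the user up by userName, creates the user only if the lookup returns nothing (so reruns never duplicate users), then assigns the user to a workspace with the USER level unless ADMIN is explicitly requested. The `http` transport callable, the FakeAccount stand-in, and the exact Workspace Assignment API path and body are assumptions; the SCIM base URL follows the account-admin endpoint listed above.

```python
from urllib.parse import quote, urlparse, parse_qs
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def scim_filter(email):
    # Escape backslashes and quotes so an address cannot alter the SCIM filter expression.
    escaped = email.replace("\\", "\\\\").replace('"', '\\"')
    return f'userName eq "{escaped}"'


def find_user_id(http, scim_base, email):
    # Step 1: look the user up by userName; return the SCIM id, or None if absent.
    status, body = http("GET", f"{scim_base}/Users?filter={quote(scim_filter(email))}", None)
    if status != 200:
        raise RuntimeError(f"user lookup failed: HTTP {status}")
    resources = body.get("Resources", [])
    return resources[0]["id"] if resources else None


def ensure_user(http, scim_base, email, display_name):
    # Steps 1-2: create the account user only if absent, so reruns never duplicate users.
    user_id = find_user_id(http, scim_base, email)
    if user_id is not None:
        return user_id, False
    payload = {"schemas": [USER_SCHEMA], "userName": email, "displayName": display_name}
    status, body = http("POST", f"{scim_base}/Users", payload)
    if status != 201:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    return body["id"], True


def assign_workspace(http, account_base, workspace_id, user_id, level="USER"):
    # Step 3: Workspace Assignment API (path and body are assumptions); default to USER.
    if level not in ("USER", "ADMIN"):
        raise ValueError("permission level must be USER or ADMIN")
    url = f"{account_base}/workspaces/{workspace_id}/permissionassignments/principals/{user_id}"
    status, _ = http("PUT", url, {"permissions": [level]})
    return status == 200


class FakeAccount:
    # Constructed offline stand-in for both APIs; `http(method, url, body) -> (status, json)`.
    def __init__(self):
        self.users, self.assignments, self.calls = {}, {}, []

    def __call__(self, method, url, body):
        self.calls.append(method)
        path, query = urlparse(url).path, parse_qs(urlparse(url).query)
        if method == "GET" and path.endswith("/Users"):
            wanted = query["filter"][0].split('"')[1]
            return 200, {"Resources": [{"id": i} for i, u in self.users.items() if u == wanted]}
        if method == "POST" and path.endswith("/Users"):
            self.users[f"u{len(self.users) + 1}"] = body["userName"]
            return 201, {"id": f"u{len(self.users)}"}
        if method == "PUT" and "/permissionassignments/principals/" in path:
            self.assignments[path.rsplit("/", 1)[1]] = body["permissions"]
            return 200, {}
        return 404, {}
```

Against a real account, replace FakeAccount with a transport that sends the request with a bearer token and returns the parsed JSON body.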

Assign account admin rights to a user

  1. As an account admin, log in to the account console.
  2. Click User management.
  3. Find and click the username.
  4. On the Roles tab, turn on Account admin.

You can also assign the account admin role using the SCIM API 2.0 (Accounts).

Remove users from your Azure Databricks account

Account admins can delete users from an Azure Databricks account. Workspace admins cannot. When you delete a user from the account, that user is also removed from their workspaces.

Important

When you remove a user from the account, that user is also removed from their workspaces, regardless of whether or not identity federation has been enabled. You should refrain from deleting account-level users unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user will no longer be able to access the Databricks API
  • Jobs owned by the user will fail
  • Clusters owned by the user will stop
  • Queries or dashboards created by the user and shared using the Run as Owner credential will have to be assigned to a new owner to prevent sharing from failing

To remove a user using the account console, do the following:

  1. As an account admin, log in to the account console.
  2. Click User management.
  3. Find and click the username.
  4. On the User Information tab, click the kebab menu at the far upper right and select Delete.
  5. On the confirmation dialog, click Confirm delete.

If you remove a user using the account console, you must ensure that you also remove the user using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning will simply add the user back the next time it syncs. See Sync users and groups from Azure Active Directory.

To remove a user from an Azure Databricks account using SCIM APIs, you must be an account admin. See Provision identities to your Azure Databricks account and SCIM API 2.0 (Accounts).

Add users to a workspace

Account admins can add users to identity-federated workspaces using the following:

  • The account console
  • The Workspace Assignment API

Workspace admins can manage users in their workspace using the following:

  • The workspace admin console
  • The Workspace Assignment API (if the workspace is enabled for identity federation)
  • Provisioning connectors for identity providers (IdPs)
  • The workspace-level SCIM APIs

Assign a user to a workspace using the account console

To add users to a workspace using the account console, the workspace must be enabled for identity federation.

  1. As an account admin, log in to the account console.
  2. Click Workspaces.
  3. On the Permissions tab, click Add permissions.
  4. Search for and select the user, assign the permission level (workspace User or Admin), and click Save.

Add a user to a workspace using the workspace admin console

Workspace admins can add and manage users using the workspace admin console.

To add a user to a workspace using the workspace admin console, do the following:

Note

If your workspace is not enabled for identity federation, you cannot assign existing account users to your workspace.

  1. As a workspace admin, log in to the Azure Databricks workspace.

  2. Click your username in the top bar of the Azure Databricks workspace and select Admin Console.

  3. On the Users tab, click Add User.

  4. Enter the user email ID. You can add any user who belongs to the Azure Active Directory tenant of your Azure Databricks workspace.

  5. Click OK.

Assign a user to a workspace using REST APIs

The REST APIs that you can use to assign users to workspaces depend on whether the workspace is enabled for identity federation as follows:

  • Workspace enabled for identity federation: An account admin can use the account-level Workspace Assignment API to assign users and other identities to workspaces. Either an account admin or workspace admin can use the workspace-level Workspace Assignment API to perform this task. See the Workspace Assignment (Account) API and Workspace Assignment (Workspace) API reference.
  • Workspace not enabled for identity federation: A workspace admin can use the workspace-level SCIM APIs to assign users and other identities to their workspaces. See SCIM API 2.0.

Remove a user from a workspace

Account admins can remove users from identity-federated workspaces using the following:

  • The account console
  • The Workspace Assignment API

Workspace admins can remove users from their workspace using the following:

  • The workspace admin console
  • The Workspace Assignment API (if the workspace is enabled for identity federation)
  • Provisioning connectors for identity providers (IdPs)
  • The workspace-level SCIM APIs

Remove a user from a workspace using the account console

To remove users from a workspace using the account console, the workspace must be enabled for identity federation.

  1. As an account admin or a workspace admin for the workspace, log in to the account console.
  2. Click Workspaces.
  3. On the Permissions tab, find the user.
  4. Click the kebab menu at the far right of the user row and select Remove.
  5. On the confirmation dialog, click Remove.

Remove a user from a workspace using the admin console

  1. As a workspace admin, log in to the Azure Databricks workspace.
  2. Click your username in the top bar of the Azure Databricks workspace and select Admin Console.
  3. On the Users tab, find the user and click the remove user icon at the far right of the user row.
  4. Click Delete to confirm.

Remove a user from a workspace using REST APIs

The REST APIs that you can use to remove users from workspaces depend on whether the workspace is enabled for identity federation:

  • Workspace enabled for identity federation: An account admin can use the account-level Workspace Assignment API to remove users from workspaces. Either an account admin or workspace admin can use the workspace-level Workspace Assignment API to perform this task. See the Workspace Assignment (Account) API and Workspace Assignment (Workspace) API reference.
  • Workspace not enabled for identity federation: A workspace admin can use the workspace-level SCIM APIs to remove users from their workspaces. See SCIM API 2.0.

Assign the workspace admin role to a user

You can assign the workspace admin role using the account console, workspace admin console, REST APIs, or provisioning connector from your IdP.

Assign the workspace admin role to a user using the account console

To assign the workspace admin role using the account console, the workspace must be enabled for identity federation.

  1. As an account admin, log in to the account console.
  2. Click Workspaces.
  3. On the Permissions tab, find the user.
  4. Click the kebab menu at the far right of the user row and select Edit.
  5. Under Role, choose Admin.
  6. Click Save.

To remove the admin role from a workspace user, perform the same steps, but choose User under Role.

Assign the workspace admin role to a user using the workspace admin console

To assign the workspace admin role using the workspace admin console, do the following:

  1. As a workspace admin, log in to the Azure Databricks workspace.
  2. Click your username in the top bar of the Azure Databricks workspace and select Admin Console.
  3. On the Users tab, find the user and select the Admin checkbox.

To remove the admin role from a workspace user, perform the same steps, but clear the Admin checkbox.

Assign the workspace admin role to a user using the REST APIs

The REST APIs that you can use to assign the workspace admin role depend on whether the workspace is enabled for identity federation as follows:

  • Workspace enabled for identity federation: An account admin can use the account-level Workspace Assignment API to assign or remove the workspace admin role. Either an account admin or workspace admin can use the workspace-level Workspace Assignment API to perform this task. See the Workspace Assignment API reference.
  • Workspace not enabled for identity federation: A workspace admin can use the workspace-level SCIM (Groups) REST API to assign a user to the admin group or remove them from the group.

Assign the workspace admin role to a user using a SCIM provisioning connector

Because workspace admins are members of the Azure Databricks admins group, you can manage the workspace admin role the same way you manage any group provisioning using a SCIM provisioning connector from Azure Active Directory. All group members in the Azure Active Directory group that syncs to the Azure Databricks admins group will be provisioned to Azure Databricks as workspace admins.

See Sync users and groups from Azure Active Directory.

Assign entitlements to a workspace user

An entitlement is a property that allows a user, service principal, or group to interact with Azure Databricks in a specified way. Entitlements are assigned to users at the workspace level. The following table lists entitlements and the workspace UI and API property name that you use to manage each one. You can use the workspace admin console and workspace-level SCIM REST APIs to manage entitlements.

Each entry gives the entitlement name in the UI, its API name, the default, and a description:

  • Workspace access (API name: workspace-access). Default: granted. When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments. Can’t be removed from workspace admins.
  • Databricks SQL access (API name: databricks-sql-access). Default: granted. When granted to a user or service principal, they can access Databricks SQL.
  • Allow unrestricted cluster creation (API name: allow-cluster-create). Default: not granted to users or service principals. When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from workspace admins.
  • Allow pool creation, not available via UI (API name: allow-instance-pool-create). Default: can’t be granted to individual users or service principals. When granted to a group, its members can create instance pools. Can’t be removed from workspace admins.

New users have the Workspace access and Databricks SQL access entitlements by default.

Important

To log in and access Azure Databricks, a user must have either the Databricks SQL access or Workspace access entitlement (or both).

The Workspace access entitlement gives the user access to the Data Science & Engineering workspace and to Databricks Machine Learning. The user inherits this entitlement as a member of the users group, which has the entitlement. To assign this entitlement on a user-by-user basis, a workspace admin must remove the entitlement from the users group and assign it individually to users on the Users tab.

For information about the Databricks SQL access entitlement, see Grant users access to Databricks SQL.

If cluster access control is enabled, and you don’t select the Allow unrestricted cluster creation checkbox, the user is added without the cluster creation entitlement.

If you reactivate a user who previously existed in the workspace, the user’s previous entitlements are restored.

Add or remove an entitlement for a user using the workspace admin console

As a workspace admin, do the following:

  1. Click your username in the top bar of the Azure Databricks workspace and select Admin Console.
  2. Go to the row for the user.
  3. To add an entitlement, select the checkbox in the corresponding column.
  4. To remove an entitlement, deselect the checkbox in the corresponding column.

Note

Admin is not an entitlement. The Admin checkbox is a convenient way to add the user to the admins group.

To add an entitlement explicitly, you can select its corresponding checkbox. If an entitlement is inherited from a group, the entitlement checkbox is selected but greyed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.

The allow-instance-pool-create entitlement can’t be granted directly to a user. Instead, you can grant the entitlement to a group and add the user to that group.

You can also add or remove an entitlement for a group.

Add or remove an entitlement for a user using the SCIM REST APIs

You can add entitlements when you create or update (via PATCH or PUT) a user using the workspace-level SCIM (Users) REST API. For example, this API call adds the allow-cluster-create entitlement to the specified user.

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/Users/<user-id> \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "add",
      "path": "entitlements",
      "value": [
        {
          "value": "allow-cluster-create"
        }
      ]
    }
  ]
}

For details, see the workspace-level SCIM (Users) REST API reference.