Manage personal access token permissions

This article describes how to configure permissions for Azure Databricks personal access tokens. To learn how to use credentials to authenticate to Azure Databricks, see Authenticate access to Azure Databricks resources. To monitor and revoke personal access tokens, see Monitor and revoke personal access tokens.

Personal access token permissions

Workspace admins can set permissions on personal access tokens to control which users, service principals, and groups can create and use tokens. Before you can use token access control, an Azure Databricks workspace admin must enable personal access tokens for the workspace. See Enable or disable personal access token authentication for the workspace.

A workspace user can have one of the following token permissions:

  • NO PERMISSIONS: User cannot create or use personal access tokens to authenticate to the Azure Databricks workspace.
  • CAN USE: User can create a personal access token and use it to authenticate to the workspace.
  • CAN MANAGE (workspace admins only): User can manage all workspace users’ personal access tokens and permission to use them. Users in the workspace admins group have this permission by default and you cannot revoke it. No other users, service principals, or groups can be granted this permission.

Azure Databricks personal access token permissions are available only in the Premium plan.

This table lists the permissions required for each token-related task:

Task                                             NO PERMISSIONS   CAN USE   CAN MANAGE
Create a token                                                    x         x
Use a token for authentication                                    x         x
Revoke your own token                                             x         x
Revoke any user’s or service principal’s token                              x
List all tokens                                                             x
Modify token permissions                                                    x

Manage token permissions using the admin settings page

This section describes how to manage permissions using the workspace UI. You can also use the Permissions API or Databricks Terraform provider.

  1. Go to the settings page.

  2. Click the Advanced tab.

  3. Next to Personal Access Tokens, click the Permissions button to open the token permissions editor.


  4. Search for and select the user, service principal, or group and choose the permission to assign.

    If the users group has the CAN USE permission and you want to apply more fine-grained access for non-admin users, remove the CAN USE permission from the users group by clicking the X next to the permission drop-down menu in the users row.

  5. Click + Add.

  6. Click Save.

    Warning

    After you save your changes, any users who previously had either the CAN USE or CAN MANAGE permission and no longer have either permission are denied access to personal access token authentication and their active tokens are immediately deleted (revoked). Deleted tokens cannot be retrieved.
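Because saving a change that strips a principal's last token permission revokes its active tokens immediately, a pre-flight comparison is worth running when the same change is made through the Permissions API mentioned above instead of the UI. The following is an added example, not Databricks code: it assumes the `authorization/tokens` permissions object (endpoint `/api/2.0/permissions/authorization/tokens`) and the Permissions API entry shapes (`all_permissions` in GET responses, `permission_level` in request bodies), uses constructed ACL data in place of a live call, and compares direct ACL principals only, without resolving group membership.

```python
"""Pre-flight check for a token-permission change made via the Permissions API.
Constructed data stands in for GET /api/2.0/permissions/authorization/tokens (assumed
endpoint); principals dropping from CAN_USE/CAN_MANAGE to nothing lose their tokens."""
TOKEN_LEVELS = {"CAN_USE", "CAN_MANAGE"}
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")

# Constructed: shape of a GET response (entries carry `all_permissions`).
CURRENT_ACL = [
    {"group_name": "admins",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
    {"group_name": "users",
     "all_permissions": [{"permission_level": "CAN_USE", "inherited": False}]},
    {"service_principal_name": "ci-deploy-sp",
     "all_permissions": [{"permission_level": "CAN_USE", "inherited": False}]},
]

# Constructed: desired state as a PUT body expresses it (`permission_level`).
# `users` is dropped so that CAN_USE can be granted to specific groups instead.
DESIRED_ACL = [
    {"group_name": "admins", "permission_level": "CAN_MANAGE"},
    {"group_name": "data-engineers", "permission_level": "CAN_USE"},
    {"service_principal_name": "ci-deploy-sp", "permission_level": "CAN_USE"},
]

def effective_levels(acl):
    """Map each (kind, name) principal to the token permission levels it holds.
    Accepts GET-response entries (`all_permissions`) and request-body entries
    (`permission_level`) so a fetched ACL can be compared with a desired one."""
    levels = {}
    for entry in acl:
        principal = next((k, entry[k]) for k in PRINCIPAL_KEYS if k in entry)
        held = levels.setdefault(principal, set())
        if "permission_level" in entry:
            held.add(entry["permission_level"])
        held.update(p["permission_level"] for p in entry.get("all_permissions", []))
    return levels

def principals_losing_access(current_acl, desired_acl):
    """Names of principals holding CAN_USE/CAN_MANAGE now but neither afterwards.
    Saving such a change revokes their active tokens, so surface them first."""
    after = effective_levels(desired_acl)
    return sorted(
        principal[1]
        for principal, held in effective_levels(current_acl).items()
        if held & TOKEN_LEVELS and not (after.get(principal, set()) & TOKEN_LEVELS)
    )

if __name__ == "__main__":
    print("tokens revoked on save for:", principals_losing_access(CURRENT_ACL, DESIRED_ACL))
```

With a live workspace, replace CURRENT_ACL with the parsed `access_control_list` from the GET response and only send the PUT when the returned list is what you intended.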