

account access-control command group

Note

This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The account access-control command group within the Databricks CLI contains commands to manage access rules on resources in an account.

databricks account access-control get-assignable-roles-for-resource

Get all the roles that can be granted on an account level resource. A role is grantable if the rule set on the resource can contain an access rule of the role.

databricks account access-control get-assignable-roles-for-resource RESOURCE [flags]

Arguments

RESOURCE

    The resource name for which assignable roles will be listed, for example:

  • resource=accounts/<ACCOUNT_ID> - A resource name for the account
  • resource=accounts/<ACCOUNT_ID>/groups/<GROUP_ID> - A resource name for the group
  • resource=accounts/<ACCOUNT_ID>/servicePrincipals/<SP_ID> - A resource name for the service principal
  • resource=accounts/<ACCOUNT_ID>/tagPolicies/<TAG_POLICY_ID> - A resource name for the tag policy

Options

Global flags

Examples

The following example gets assignable roles for an account resource:

databricks account access-control get-assignable-roles-for-resource "resource=accounts/12345"

The following example gets assignable roles for a group resource:

databricks account access-control get-assignable-roles-for-resource "resource=accounts/12345/groups/67890"

databricks account access-control get-rule-set

Get a rule set by its name. A rule set is always attached to a resource and contains a list of access rules on the said resource. Currently only a default rule set for each resource is supported.

databricks account access-control get-rule-set NAME ETAG [flags]

Arguments

NAME

    The ruleset name associated with the request, for example:

  • name=accounts/<ACCOUNT_ID>/ruleSets/default - A name for a rule set on the account
  • name=accounts/<ACCOUNT_ID>/groups/<GROUP_ID>/ruleSets/default - A name for a rule set on the group
  • name=accounts/<ACCOUNT_ID>/servicePrincipals/<SERVICE_PRINCIPAL_APPLICATION_ID>/ruleSets/default - A name for a rule set on the service principal
  • name=accounts/<ACCOUNT_ID>/tagPolicies/<TAG_POLICY_ID>/ruleSets/default - A name for a rule set on the tag policy

ETAG

    Etag used for versioning. The response is at least as fresh as the eTag provided. Etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a rule set from overwriting each other. It is strongly suggested that systems make use of the etag in the read → modify → write pattern to perform rule set updates in order to avoid race conditions. That is, get an etag from a GET rule set request, and pass it with the PUT update request to identify the rule set version you are updating, for example:

  • etag= - An empty etag can only be used in GET to indicate no freshness requirements
  • etag=RENUAAABhSweA4NvVmmUYdiU717H3Tgy0UJdor3gE4a+mq/oj9NjAf8ZsQ== - An etag encoding a specific version of the rule set to get or to be updated

Options

Global flags

Examples

The following example gets a rule set for an account with no freshness requirements:

databricks account access-control get-rule-set "name=accounts/12345/ruleSets/default" ""

The following example gets a rule set with a specific etag version:

databricks account access-control get-rule-set "name=accounts/12345/ruleSets/default" "RENUAAABhSweA4NvVmmUYdiU717H3Tgy0UJdor3gE4a+mq/oj9NjAf8ZsQ=="

databricks account access-control update-rule-set

Replace the rules of a rule set. First, use get-rule-set to read the current version of the rule set before modifying it. This pattern helps prevent conflicts between concurrent updates.

databricks account access-control update-rule-set [flags]

Options

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

Global flags

Examples

The following example updates a rule set using JSON:

databricks account access-control update-rule-set --json '{"name": "accounts/12345/ruleSets/default", "grant_rules": [{"role": "roles/account.admin", "principals": [{"principal": "users/user@example.com"}]}], "etag": "RENUAAABhSweA4NvVmmUYdiU717H3Tgy0UJdor3gE4a+mq/oj9NjAf8ZsQ=="}'

The following example updates a rule set using a JSON file:

databricks account access-control update-rule-set --json @rule-set.json
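
The read → modify → write pattern described under ETAG and update-rule-set, as an added Python example that is not part of the Databricks documentation. Because update-rule-set replaces the rules, the sketch builds the update body from the rule set it just read, carries that read's etag, and refuses to write if any existing grant would be lost. It assumes get-rule-set with -o json returns the name, etag and grant_rules fields shown in the update example on this page; SAMPLE and the helper names add_grant, dropped_grants and read_modify_write are constructed for illustration.

```python
import json
import subprocess

CLI = ["databricks", "account", "access-control"]

# Constructed sample of get-rule-set JSON output; field names follow the
# update-rule-set example on this page (assumed to match the GET response).
SAMPLE = {
    "name": "accounts/12345/ruleSets/default",
    "etag": "<ETAG_FROM_GET>",
    "grant_rules": [{"role": "roles/account.admin",
                     "principals": [{"principal": "users/user@example.com"}]}],
}

def add_grant(rule_set, role, principal):
    """Build an update body that keeps every existing rule and adds one principal."""
    rules = [dict(r, principals=list(r.get("principals", [])))
             for r in rule_set.get("grant_rules", [])]
    for rule in rules:
        if rule.get("role") == role:
            if principal not in rule["principals"]:
                rule["principals"].append(principal)
            break
    else:
        rules.append({"role": role, "principals": [principal]})
    # Reuse the etag from the read so the write names the version it was based on.
    return {"name": rule_set["name"], "grant_rules": rules, "etag": rule_set["etag"]}

def dropped_grants(before, after):
    """Return (role, principal) pairs that exist in `before` but not in `after`."""
    def pairs(rs):
        return {(r["role"], json.dumps(p, sort_keys=True))
                for r in rs.get("grant_rules", []) for p in r.get("principals", [])}
    return sorted(pairs(before) - pairs(after))

def read_modify_write(name, edit):
    """GET the rule set, apply `edit`, refuse to write if a grant would be lost."""
    # Argument forms as in the get-rule-set example above: "name=..." and an empty etag.
    got = subprocess.run(CLI + ["get-rule-set", f"name={name}", "", "-o", "json"],
                         check=True, capture_output=True, text=True)
    current = json.loads(got.stdout)
    body = edit(current)
    lost = dropped_grants(current, body)
    if lost:
        raise RuntimeError(f"update would remove grants: {lost}")
    subprocess.run(CLI + ["update-rule-set", "--json", json.dumps(body)], check=True)
    return body
```

A call such as read_modify_write("accounts/12345/ruleSets/default", lambda rs: add_grant(rs, role, principal)) performs the full cycle; if the update fails because the rule set changed after the read, rerun the whole cycle rather than retrying the write with the old etag.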

Global flags

--debug

    Whether to enable debug logging.

-h or --help

    Display help for the Databricks CLI or the related command group or the related command.

--log-file string

    A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.

--log-format format

    The log format type, text or json. The default value is text.

--log-level string

    A string representing the log format level. If not specified then the log format level is disabled.

-o, --output type

    The command output type, text or json. The default value is text.

-p, --profile string

    The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified, the profile named DEFAULT is used, if it exists.

--progress-format format

    The format to display progress logs: default, append, inplace, or json

-t, --target string

    If applicable, the bundle target to use